i915: don't use a vma that didn't match the context VM

In eb_lookup_vma(), the code checks that the context vm matches before incrementing the i915 vma usage count, but for the non-matching case it didn't clear the non-matching vma pointer, so it would then mistakenly be returned, causing potential UaF and refcount issues. Reported-by: Yassine Mounir <sosohero200@gmail.com> Suggested-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Linus Torvalds <torvalds@linux-foundation.org> 2026-04-05 12:42:25 -0700
committer: Linus Torvalds <torvalds@linux-foundation.org> 2026-04-05 12:42:25 -0700
commit: 5401b9adebc9e5f68df58226f51493ef0e6ceb4d (patch)
tree: a743fde152e65e85bb255b2662d83295af74c2d1 /drivers/gpu/drm/i915
parent: eb3765aa711ff93664cd5ffcf0c2df02da2d9c26 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
index e7918f896a26..942f4eed817f 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
@@ -898,6 +898,8 @@ static struct i915_vma *eb_lookup_vma(struct i915_execbuffer *eb, u32 handle)
 		vma = radix_tree_lookup(&eb->gem_context->handles_vma, handle);
 		if (likely(vma && vma->vm == vm))
 			vma = i915_vma_tryget(vma);
+		else
+			vma = NULL;
 		rcu_read_unlock();
 		if (likely(vma))
 			return vma;
author	Linus Torvalds <torvalds@linux-foundation.org>	2026-04-05 12:42:25 -0700
committer	Linus Torvalds <torvalds@linux-foundation.org>	2026-04-05 12:42:25 -0700
commit	5401b9adebc9e5f68df58226f51493ef0e6ceb4d (patch)
tree	a743fde152e65e85bb255b2662d83295af74c2d1 /drivers/gpu/drm/i915
parent	eb3765aa711ff93664cd5ffcf0c2df02da2d9c26 (diff)