From: Abhishek Kumar
To: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Cc: maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch, syzbot+3fc9eecaf97147282c87@syzkaller.appspotmail.com, stable@vger.kernel.org, Abhishek Kumar
Subject: [PATCH] drm/atomic: fix vblank event leak in complete_signaling()
Date: Sun, 29 Mar 2026 13:04:23 +0530
Message-ID: <20260329073423.8390-1-abhishek_sts8@yahoo.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260329073423.8390-1-abhishek_sts8.ref@yahoo.com>

When prepare_signaling() creates a vblank event via create_vblank_event()
but hits an error before the event is fully initialized (i.e. before
drm_event_reserve_init() sets file_priv or a fence is assigned to
event->base.fence), the subsequent call to complete_signaling() fails to
free the event because its cleanup condition requires at least one of
those fields to be set:

    if (event && (event->base.fence || event->base.file_priv))

This happens when only fence_ptr triggers event creation but a subsequent
allocation failure occurs before the fence is assigned to the event. The
128-byte event object is then orphaned and reported by kmemleak.

Fix this by adding an else-if branch that frees events which have no
completion callback set. Events allocated by
drm_atomic_helper_setup_commit() always have completion set, so checking
for its absence safely identifies events that were allocated by
prepare_signaling() but never fully set up.

Reported-by: syzbot+3fc9eecaf97147282c87@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3fc9eecaf97147282c87
Fixes: 92c715fca907 ("drm/atomic: Fix double free in drm_atomic_state_default_clear")
Cc: stable@vger.kernel.org
Signed-off-by: Abhishek Kumar --- drivers/gpu/drm/drm_atomic_uapi.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/gpu/drm/drm_atomic_uapi.c b/drivers/gpu/drm/drm_atomic= _uapi.c index 87de41fb4459..52a6b8436437 100644 --- a/drivers/gpu/drm/drm_atomic_uapi.c +++ b/drivers/gpu/drm/drm_atomic_uapi.c @@ -1523,6 +1523,17 @@ static void complete_signaling(struct drm_device *de= v, if (event && (event->base.fence || event->base.file_priv)) { drm_event_cancel_free(dev, &event->base); crtc_state->event =3D NULL; + } else if (event && !event->base.completion) { + /* + * The event was allocated by prepare_signaling() + * but an error path was hit before the event got + * fully set up (fence or file_priv assigned). + * Events from drm_atomic_helper_setup_commit() + * always have completion set, so checking for its + * absence safely distinguishes our events. + */ + kfree(event); + crtc_state->event =3D NULL; } } =20 --=20 2.43.0
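Review bot: In the new `else if (event && !event->base.completion)` branch, a NULL completion pointer is used to infer that the event came from prepare_signaling() and is safe to kfree(), but nothing in this hunk enforces that invariant. The Fixes: tag points at a double-free fix, so if any other path can leave crtc_state->event set while completion is still NULL, this branch frees memory that another owner may still reference. Consider releasing the event at the failing step in prepare_signaling(), where ownership is unambiguous, or documenting the invariant next to the code that sets completion. The comment should also say why a bare kfree() is sufficient here while the branch above uses drm_event_cancel_free(), and the parenthetical "(fence or file_priv assigned)" should be reworded so it clearly describes what did not happen.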