From nobody Wed Jun 17 04:17:31 2026 Received: from zg8tmja5ljk3lje4ms43mwaa.icoremail.net (zg8tmja5ljk3lje4ms43mwaa.icoremail.net [209.97.181.73]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4D49434F483 for ; Wed, 22 Apr 2026 11:43:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.97.181.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776858205; cv=none; b=k98O93zWiwhjHN1Arbg0eivEIzQp8H6l58xYKcx8NpQoNqLpyOfLiuoBa+W7aI8ThZfY3svSNgaHGsYIiyosHKgGvVzcgikF80Pg2JFexYqNW5CIekMvwBGXNap+T5BYZbnuRcgvK+ELnOCGIgNimgrmmtGjGoKj1WRlXrbeyoo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776858205; c=relaxed/simple; bh=JU3LNG1oRdINjXzRzaEuCNmZjbYtC5NKp9hjNt/ZNy0=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=dd03j7PtFDjgzeofX7ww8giWF+78NP/5oMXvYOFye3jQ6ycB80DmvU2uCwz7Qsaee9ea9owQTHGOKM5533t2OzaA1ZiVl2uLM595Xq3z2TP9JlATN8ohEHOcLwHmM/Xz8Kc0leriv/FWgWQ4nKqk3kcm9NLlCYImR6cLtD5ux/c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=stu.xidian.edu.cn; spf=pass smtp.mailfrom=stu.xidian.edu.cn; dkim=fail (0-bit key) header.d=stu.xidian.edu.cn header.i=@stu.xidian.edu.cn header.b=FP7PRTFG reason="key not found in DNS"; arc=none smtp.client-ip=209.97.181.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=stu.xidian.edu.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=stu.xidian.edu.cn Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="key not found in DNS" (0-bit key) header.d=stu.xidian.edu.cn header.i=@stu.xidian.edu.cn header.b="FP7PRTFG" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stu.xidian.edu.cn; s=dkim; h=Received:From:To:Cc:Subject:Date: Message-Id:MIME-Version:Content-Transfer-Encoding; bh=bs8cOReV4x BhsudMq+nW1/Z7HhbUXe1v86waSXS2ciQ=; b=FP7PRTFGl9x2uPtjglxOBkKNEF Edfmk4or8CMe9PxB9Kx+KkdE3/mKO5WY+e2lcUfeuPgcTTMbZtVXdwU/duDFNnJG 0oMYAznqszY1Yp6XkLpWEpTiIhiginyeyuyO+j7GTG+BDOzcPzkT2sFQ0S4Cdv87 46OOQDv2OIFvTQpLM= Received: from wmy.localdomain (unknown [113.200.174.100]) by hzbj-edu-front-2.icoremail.net (Coremail) with SMTP id BLQMCkDGrr44tOhpMC2zAQ--.55226S2; Wed, 22 Apr 2026 19:42:59 +0800 (CST) From: Mingyu Wang <25181214217@stu.xidian.edu.cn> To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Mingyu Wang <25181214217@stu.xidian.edu.cn> Subject: [PATCH] drm/gem: fix warning in idr_alloc due to unvalidated user handle Date: Wed, 22 Apr 2026 19:42:47 +0800 Message-Id: <20260422114247.486581-1-25181214217@stu.xidian.edu.cn> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: BLQMCkDGrr44tOhpMC2zAQ--.55226S2 X-Coremail-Antispam: 1UD129KBjvJXoWxJF18Xw4rCw15Zw4fKF4DArb_yoW8JFyxp3 9rtFyjyrW5KayaqFy7Zan7JFyfCa12gay8Ga1rA3yYvw1UtFyxKrn0kw4qgrWUJrWUXF4a yFyDJryq9F1xCF7anT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUU9014x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26r1j6r1xM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4j 6F4UM28EF7xvwVC2z280aVAFwI0_Gr1j6F4UJwA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gr 1j6F4UJwAac4AC62xK8xCEY4vEwIxC4wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40E FcxC0VAKzVAqx4xG6I80ewAv7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr 0_Gr1lOx8S6xCaFVCjc4AY6r1j6r4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8v x2IErcIFxwCY1x0262kKe7AKxVWUAVWUtwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7x kEbVWUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E 67AF67kF1VAFwI0_Jw0_GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCw CI42IY6xIIjxv20xvEc7CjxVAFwI0_Jr0_Gr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1x MIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIda VFxhVjvjDU0xZFpf9x0JUvg4fUUUUU= X-CM-SenderInfo: qsvrmiqsrujiux6v33wo0lvxldqovvfxof0/1tbiAQULEWnnlNlc8AACsz Content-Type: text/plain; charset="utf-8" During fuzzing, a warning was triggered in idr_alloc() when handling the DRM_IOCTL_GEM_CHANGE_HANDLE (or similar) ioctl. The function drm_gem_change_handle_ioctl() currently only checks if args->new_handle is strictly greater than INT_MAX. However, it fails to check for negative values. If a userpace application passes a negative handle, it bypasses the upper-bound check and is passed directly to idr_alloc() as the 'start' parameter, triggering the WARN_ON_ONCE(start < 0) inside idr_alloc(). Fix this by explicitly validating that the user-provided handle is strictly positive and within the valid IDR range. Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> --- drivers/gpu/drm/drm_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index d6424267260b..3d84d4f1c3e0 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -1026,7 +1026,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *de= v, void *data, return -EOPNOTSUPP; =20 /* idr_alloc() limitation. */ - if (args->new_handle > INT_MAX) + if (args->new_handle <=3D 0 || args->new_handle > INT_MAX) return -EINVAL; handle =3D args->new_handle; =20 --=20 2.34.1