[PATCH] drm/lease: Limit amount of maximum objects per lease.

Maarten Lankhorst posted 1 patch 1 week, 5 days ago
[PATCH] drm/lease: Limit amount of maximum objects per lease.
Posted by Maarten Lankhorst 1 week, 5 days ago
Hey,

On 2026-05-26 at 21:58, Andrew Morton wrote:
> On Mon, 25 May 2026 19:49:23 -0700 syzbot <syzbot+5d32c8bd82427f9c77cc@syzkaller.appspotmail.com> wrote:
> 
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    4cbfe4502e3d Merge tag 'v7.1-rc5-ksmbd-server-fixes' of gi..
>> git tree:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux master
>> console output: https://syzkaller.appspot.com/x/log.txt?x=146c161f980000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=9475bd041c93289
>> dashboard link: https://syzkaller.appspot.com/bug?extid=5d32c8bd82427f9c77cc
>> compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>> userspace arch: arm64
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11026336580000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ab9796580000
> 
> Thanks.
> 
>> Downloadable assets:
>> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-4cbfe450.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/e825a08fb48d/vmlinux-4cbfe450.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/55037c053ec3/Image-4cbfe450.gz.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+5d32c8bd82427f9c77cc@syzkaller.appspotmail.com
>>
>> ------------[ cut here ]------------
>> WARNING: mm/page_alloc.c:5202 at __alloc_frozen_pages_noprof+0x734/0x1144 mm/page_alloc.c:5202, CPU#0: syz.2.17/3592
> 
> 	if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp))
> 
>> Modules linked in:
>> CPU: 0 UID: 0 PID: 3592 Comm: syz.2.17 Not tainted syzkaller #0 PREEMPT 
>> Hardware name: linux,dummy-virt (DT)
>> pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
>> pc : __alloc_frozen_pages_noprof+0x734/0x1144 mm/page_alloc.c:5202
>> lr : alloc_pages_mpol+0x70/0x1a4 mm/mempolicy.c:2490
>> sp : ffff800085d93900
>> x29: ffff800085d93a00 x28: 000000000000000b x27: 0000000000000000
>> x26: 0000000000000000 x25: fcf0000014c00000 x24: 0000000000040dc0
>> x23: 0000000000000000 x22: 0000000000000000 x21: 000000000000000b
>> x20: ffffffffffffffff x19: 0000000000000000 x18: 0000000000000002
>> x17: 0000000000000000 x16: 0000000000000000 x15: 0000000020000200
>> x14: ffff8000828b2000 x13: ffffc1ffc0000000 x12: 0000000000000001
>> x11: 0000000000000000 x10: ffff800082b6f4e8 x9 : 0000000000000000
>> x8 : 0000000000000030 x7 : ffff800082e9b430 x6 : 0000000000000001
>> x5 : 0000000000000000 x4 : f3f00000065c90c0 x3 : 0000000000000000
>> x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff800082dfd000
>> Call trace:
>>  __alloc_frozen_pages_noprof+0x734/0x1144 mm/page_alloc.c:5202 (P)
>>  alloc_pages_mpol+0x70/0x1a4 mm/mempolicy.c:2490
>>  alloc_frozen_pages_noprof+0x48/0xd4 mm/mempolicy.c:2561
>>  ___kmalloc_large_node+0x11c/0x13c mm/slub.c:5237
>>  __kmalloc_large_node_noprof mm/slub.c:5268 [inline]
>>  __do_kmalloc_node mm/slub.c:5284 [inline]
>>  __kmalloc_noprof+0x450/0x560 mm/slub.c:5308
>>  kmalloc_noprof include/linux/slab.h:954 [inline]
>>  kzalloc_noprof include/linux/slab.h:1188 [inline]
>>  fill_object_idr drivers/gpu/drm/drm_lease.c:389 [inline]
>>  drm_mode_create_lease_ioctl+0x184/0x93c drivers/gpu/drm/drm_lease.c:521
>>  drm_ioctl_kernel+0xc0/0x130 drivers/gpu/drm/drm_ioctl.c:804
>>  drm_ioctl+0x258/0x580 drivers/gpu/drm/drm_ioctl.c:901
>>  vfs_ioctl fs/ioctl.c:51 [inline]
> 
> Methinks drm_mode_create_lease_ioctl() wants some more arg checking.
> 
> otoh, memdup_user() passes __GFP_NOWARN, so perhaps
> __alloc_frozen_pages_noprof() should be taught to honor that.
> 

A lot of places assume max 32 planes, connectors and CRTCs per device.
drm_plane_mask(), drm_connector_mask() and drm_crtc_mask() are examples.

It wouldn't be too hard to cap it to 96 (or 8 * sizeof(drm_plane_mask(NULL)) + ...)
in case it changes. Anything above it will need fixing in a lot of places anyway.

Kind regards,
~Maarten Lankhorst

What about the below?

>>  __do_sys_ioctl fs/ioctl.c:597 [inline]
>>  __se_sys_ioctl fs/ioctl.c:583 [inline]
>>  __arm64_sys_ioctl+0xac/0x104 fs/ioctl.c:583
>>  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
>>  invoke_syscall+0x54/0x10c arch/arm64/kernel/syscall.c:49
>>  el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:121
>>  do_el0_svc+0x1c/0x34 arch/arm64/kernel/syscall.c:140
>>  el0_svc+0x38/0x140 arch/arm64/kernel/entry-common.c:740
>>  el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:759
>>  el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:594
>> ---[ end trace 0000000000000000 ]---
> 
-- >8 --
There's no practical limit currently on the number of objects inside the lease ioctl.
Limit it to 96 for now, the maximum of plane_mask + crtc_mask + connector_mask.

I believe this is sufficient on all platforms, and fixes the backtrace below.

------------[ cut here ]------------
WARNING: mm/page_alloc.c:5202 at __alloc_frozen_pages_noprof+0x734/0x1144 mm/page_alloc.c:5202, CPU#0: syz.2.17/3592

	if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp))

Modules linked in:
CPU: 0 UID: 0 PID: 3592 Comm: syz.2.17 Not tainted syzkaller #0 PREEMPT 
Hardware name: linux,dummy-virt (DT)
pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : __alloc_frozen_pages_noprof+0x734/0x1144 mm/page_alloc.c:5202
lr : alloc_pages_mpol+0x70/0x1a4 mm/mempolicy.c:2490
sp : ffff800085d93900
x29: ffff800085d93a00 x28: 000000000000000b x27: 0000000000000000
x26: 0000000000000000 x25: fcf0000014c00000 x24: 0000000000040dc0
x23: 0000000000000000 x22: 0000000000000000 x21: 000000000000000b
x20: ffffffffffffffff x19: 0000000000000000 x18: 0000000000000002
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000020000200
x14: ffff8000828b2000 x13: ffffc1ffc0000000 x12: 0000000000000001
x11: 0000000000000000 x10: ffff800082b6f4e8 x9 : 0000000000000000
x8 : 0000000000000030 x7 : ffff800082e9b430 x6 : 0000000000000001
x5 : 0000000000000000 x4 : f3f00000065c90c0 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff800082dfd000
Call trace:
 __alloc_frozen_pages_noprof+0x734/0x1144 mm/page_alloc.c:5202 (P)
 alloc_pages_mpol+0x70/0x1a4 mm/mempolicy.c:2490
 alloc_frozen_pages_noprof+0x48/0xd4 mm/mempolicy.c:2561
 ___kmalloc_large_node+0x11c/0x13c mm/slub.c:5237
 __kmalloc_large_node_noprof mm/slub.c:5268 [inline]
 __do_kmalloc_node mm/slub.c:5284 [inline]
 __kmalloc_noprof+0x450/0x560 mm/slub.c:5308
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 fill_object_idr drivers/gpu/drm/drm_lease.c:389 [inline]
 drm_mode_create_lease_ioctl+0x184/0x93c drivers/gpu/drm/drm_lease.c:521
 drm_ioctl_kernel+0xc0/0x130 drivers/gpu/drm/drm_ioctl.c:804
 drm_ioctl+0x258/0x580 drivers/gpu/drm/drm_ioctl.c:901
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __arm64_sys_ioctl+0xac/0x104 fs/ioctl.c:583
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x54/0x10c arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:121
 do_el0_svc+0x1c/0x34 arch/arm64/kernel/syscall.c:140
 el0_svc+0x38/0x140 arch/arm64/kernel/entry-common.c:740
 el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:759
 el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:594
---[ end trace 0000000000000000 ]---

Reported-by: syzbot+5d32c8bd82427f9c77cc@syzkaller.appspotmail.com
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
---
diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
index 5d2cf724cbd7b..9d0ccc8e0274f 100644
--- a/drivers/gpu/drm/drm_lease.c
+++ b/drivers/gpu/drm/drm_lease.c
@@ -486,6 +486,10 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
 	struct drm_file *lessee_priv;
 	int fd = -1;
 	uint32_t *object_ids;
+	static const size_t max_objects =
+		8 * sizeof(drm_crtc_mask(NULL)) +
+		8 * sizeof(drm_plane_mask(NULL)) +
+		8 * sizeof(drm_connector_mask(NULL));
 
 	/* Can't lease without MODESET */
 	if (!drm_core_check_feature(dev, DRIVER_MODESET))
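Review bot: the `max_objects` initializer at the top of the hunk encodes the 96 limit only indirectly, as `8 * sizeof(...)` of three mask return values; add a short comment above it, e.g. `/* drm_{crtc,plane,connector}_mask() return u32: at most 32 of each */`, so the reason the cap is 96, and that it must move if the mask type ever grows, is visible at the declaration rather than only in the commit message. It is also worth noting there that `sizeof(drm_crtc_mask(NULL))` is safe only because sizeof does not evaluate its operand.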
@@ -505,6 +509,11 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
 	}
 
 	object_count = cl->object_count;
+	if (object_count > max_objects) {
+		drm_dbg_lease(dev, "too many objects (%ld)\n", object_count);
+		ret = -EINVAL;
+		goto out_lessor;
+	}
 
 	/* Handle leased objects, if any */
 	idr_init(&leases);
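Review bot: `%ld` in the `drm_dbg_lease()` call does not match `object_count`, which is a `size_t` in this function; use `%zu` (`drm_dbg_lease(dev, "too many objects (%zu)\n", object_count);`) so 32-bit W=1 builds, where size_t is unsigned int, stop warning. The placement is right: the check runs after drm_file_get_master(), so `goto out_lessor` drops the lessor reference, and before `idr_init(&leases)`, so this path correctly needs no idr_destroy().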
Re: [PATCH] drm/lease: Limit amount of maximum objects per lease.
Posted by kernel test robot 1 week, 4 days ago
Hi Maarten,

kernel test robot noticed the following build warnings:

[auto build test WARNING on drm-misc/drm-misc-next]
[also build test WARNING on akpm-mm/mm-everything daeinki-drm-exynos/exynos-drm-next drm/drm-next drm-i915/for-linux-next drm-i915/for-linux-next-fixes drm-tip/drm-tip linus/master v7.1-rc5 next-20260527]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Maarten-Lankhorst/drm-lease-Limit-amount-of-maximum-objects-per-lease/20260527-180216
base:   https://gitlab.freedesktop.org/drm/misc/kernel.git drm-misc-next
patch link:    https://lore.kernel.org/r/b3390013-f0de-4e23-a915-23340594fb49%40linux.intel.com
patch subject: [PATCH] drm/lease: Limit amount of maximum objects per lease.
config: m68k-allyesconfig (https://download.01.org/0day-ci/archive/20260528/202605281856.LeAMyg6G-lkp@intel.com/config)
compiler: m68k-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260528/202605281856.LeAMyg6G-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605281856.LeAMyg6G-lkp@intel.com/

All warnings (new ones prefixed by >>):

   In file included from drivers/gpu/drm/drm_lease.c:13:
   drivers/gpu/drm/drm_lease.c: In function 'drm_mode_create_lease_ioctl':
>> drivers/gpu/drm/drm_lease.c:513:36: warning: format '%ld' expects argument of type 'long int', but argument 5 has type 'size_t' {aka 'unsigned int'} [-Wformat=]
     513 |                 drm_dbg_lease(dev, "too many objects (%ld)\n", object_count);
         |                                    ^~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~~~~
         |                                                                |
         |                                                                size_t {aka unsigned int}
   include/drm/drm_print.h:563:39: note: in definition of macro 'drm_dev_dbg'
     563 |         __drm_dev_dbg(NULL, dev, cat, fmt, ##__VA_ARGS__)
         |                                       ^~~
   drivers/gpu/drm/drm_lease.c:513:17: note: in expansion of macro 'drm_dbg_lease'
     513 |                 drm_dbg_lease(dev, "too many objects (%ld)\n", object_count);
         |                 ^~~~~~~~~~~~~
   drivers/gpu/drm/drm_lease.c:513:57: note: format string is defined here
     513 |                 drm_dbg_lease(dev, "too many objects (%ld)\n", object_count);
         |                                                       ~~^
         |                                                         |
         |                                                         long int
         |                                                       %d


vim +513 drivers/gpu/drm/drm_lease.c

   468	
   469	/*
   470	 * The master associated with the specified file will have a lease
   471	 * created containing the objects specified in the ioctl structure.
   472	 * A file descriptor will be allocated for that and returned to the
   473	 * application.
   474	 */
   475	int drm_mode_create_lease_ioctl(struct drm_device *dev,
   476					void *data, struct drm_file *lessor_priv)
   477	{
   478		struct drm_mode_create_lease *cl = data;
   479		size_t object_count;
   480		int ret = 0;
   481		struct idr leases;
   482		struct drm_master *lessor;
   483		struct drm_master *lessee = NULL;
   484		struct file *lessee_file = NULL;
   485		struct file *lessor_file = lessor_priv->filp;
   486		struct drm_file *lessee_priv;
   487		int fd = -1;
   488		uint32_t *object_ids;
   489		static const size_t max_objects =
   490			8 * sizeof(drm_crtc_mask(NULL)) +
   491			8 * sizeof(drm_plane_mask(NULL)) +
   492			8 * sizeof(drm_connector_mask(NULL));
   493	
   494		/* Can't lease without MODESET */
   495		if (!drm_core_check_feature(dev, DRIVER_MODESET))
   496			return -EOPNOTSUPP;
   497	
   498		if (cl->flags && (cl->flags & ~(O_CLOEXEC | O_NONBLOCK))) {
   499			drm_dbg_lease(dev, "invalid flags\n");
   500			return -EINVAL;
   501		}
   502	
   503		lessor = drm_file_get_master(lessor_priv);
   504		/* Do not allow sub-leases */
   505		if (lessor->lessor) {
   506			drm_dbg_lease(dev, "recursive leasing not allowed\n");
   507			ret = -EINVAL;
   508			goto out_lessor;
   509		}
   510	
   511		object_count = cl->object_count;
   512		if (object_count > max_objects) {
 > 513			drm_dbg_lease(dev, "too many objects (%ld)\n", object_count);
   514			ret = -EINVAL;
   515			goto out_lessor;
   516		}
   517	
   518		/* Handle leased objects, if any */
   519		idr_init(&leases);
   520		if (object_count != 0) {
   521			object_ids = memdup_array_user(u64_to_user_ptr(cl->object_ids),
   522						       object_count, sizeof(__u32));
   523			if (IS_ERR(object_ids)) {
   524				ret = PTR_ERR(object_ids);
   525				idr_destroy(&leases);
   526				goto out_lessor;
   527			}
   528	
   529			/* fill and validate the object idr */
   530			ret = fill_object_idr(dev, lessor_priv, &leases,
   531					      object_count, object_ids);
   532			kfree(object_ids);
   533			if (ret) {
   534				drm_dbg_lease(dev, "lease object lookup failed: %i\n", ret);
   535				idr_destroy(&leases);
   536				goto out_lessor;
   537			}
   538		}
   539	
   540		/* Allocate a file descriptor for the lease */
   541		fd = get_unused_fd_flags(cl->flags & (O_CLOEXEC | O_NONBLOCK));
   542		if (fd < 0) {
   543			idr_destroy(&leases);
   544			ret = fd;
   545			goto out_lessor;
   546		}
   547	
   548		drm_dbg_lease(dev, "Creating lease\n");
   549		/* lessee will take the ownership of leases */
   550		lessee = drm_lease_create(lessor, &leases);
   551	
   552		if (IS_ERR(lessee)) {
   553			ret = PTR_ERR(lessee);
   554			idr_destroy(&leases);
   555			goto out_leases;
   556		}
   557	
   558		/* Clone the lessor file to create a new file for us */
   559		drm_dbg_lease(dev, "Allocating lease file\n");
   560		lessee_file = file_clone_open(lessor_file);
   561		if (IS_ERR(lessee_file)) {
   562			ret = PTR_ERR(lessee_file);
   563			goto out_lessee;
   564		}
   565	
   566		lessee_priv = lessee_file->private_data;
   567		/* Change the file to a master one */
   568		drm_master_put(&lessee_priv->master);
   569		lessee_priv->master = lessee;
   570		lessee_priv->is_master = 1;
   571		lessee_priv->authenticated = 1;
   572	
   573		/* Pass fd back to userspace */
   574		drm_dbg_lease(dev, "Returning fd %d id %d\n", fd, lessee->lessee_id);
   575		cl->fd = fd;
   576		cl->lessee_id = lessee->lessee_id;
   577	
   578		/* Hook up the fd */
   579		fd_install(fd, lessee_file);
   580	
   581		drm_master_put(&lessor);
   582		drm_dbg_lease(dev, "drm_mode_create_lease_ioctl succeeded\n");
   583		return 0;
   584	
   585	out_lessee:
   586		drm_master_put(&lessee);
   587	
   588	out_leases:
   589		put_unused_fd(fd);
   590	
   591	out_lessor:
   592		drm_master_put(&lessor);
   593		drm_dbg_lease(dev, "drm_mode_create_lease_ioctl failed: %d\n", ret);
   594		return ret;
   595	}
   596	

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Re: [PATCH] drm/lease: Limit amount of maximum objects per lease.
Posted by kernel test robot 1 week, 4 days ago
Hi Maarten,

kernel test robot noticed the following build warnings:

[auto build test WARNING on drm-misc/drm-misc-next]
[also build test WARNING on akpm-mm/mm-everything daeinki-drm-exynos/exynos-drm-next drm/drm-next drm-i915/for-linux-next drm-i915/for-linux-next-fixes drm-tip/drm-tip linus/master v7.1-rc5 next-20260527]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Maarten-Lankhorst/drm-lease-Limit-amount-of-maximum-objects-per-lease/20260527-180216
base:   https://gitlab.freedesktop.org/drm/misc/kernel.git drm-misc-next
patch link:    https://lore.kernel.org/r/b3390013-f0de-4e23-a915-23340594fb49%40linux.intel.com
patch subject: [PATCH] drm/lease: Limit amount of maximum objects per lease.
config: hexagon-allmodconfig (https://download.01.org/0day-ci/archive/20260528/202605281701.Blefmpwd-lkp@intel.com/config)
compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260528/202605281701.Blefmpwd-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605281701.Blefmpwd-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> drivers/gpu/drm/drm_lease.c:513:50: warning: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Wformat]
     513 |                 drm_dbg_lease(dev, "too many objects (%ld)\n", object_count);
         |                                                       ~~~      ^~~~~~~~~~~~
         |                                                       %zu
   include/drm/drm_print.h:663:54: note: expanded from macro 'drm_dbg_lease'
     663 |         drm_dev_dbg(__drm_to_dev(drm), DRM_UT_LEASE, fmt, ##__VA_ARGS__)
         |                                                      ~~~    ^~~~~~~~~~~
   include/drm/drm_print.h:563:39: note: expanded from macro 'drm_dev_dbg'
     563 |         __drm_dev_dbg(NULL, dev, cat, fmt, ##__VA_ARGS__)
         |                                       ~~~    ^~~~~~~~~~~
   1 warning generated.


--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
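The bound Maarten's patch adds, together with the `%zu` point from both robot reports, modelled in user-space C as an added example (this is not the patch's or the DRM subsystem's own code). It shows why a user-controlled object count needs a cap before the copy is allocated: for each count it computes the bytes memdup_array_user() would copy and the page order the allocator would need, which is the `order > MAX_PAGE_ORDER` condition in the trace. It assumes 4 KiB pages, the default MAX_PAGE_ORDER of 10 and Linux errno values; `lease_ids_bytes`, `page_order_for`, `exceeds_max_order` and `check_object_count` are hypothetical helper names chosen here, and the sample counts are constructed.

```c
/*
 * Added example, not from the patch or the DRM code: a user-space model of
 * the object_count bound in drm_mode_create_lease_ioctl() and of the
 * page-order arithmetic behind the syzbot WARNING.  PAGE_SHIFT and
 * MAX_PAGE_ORDER are assumptions for a default 4K-page build.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT     12
#define PAGE_SIZE      ((size_t)1 << PAGE_SHIFT)
#define MAX_PAGE_ORDER 10	/* assumption: default, i.e. a 4 MiB max block */

/* drm_crtc_mask(), drm_plane_mask() and drm_connector_mask() return u32,
 * so 8 * sizeof() of each is 32 bits; three masks give 96 objects. */
typedef uint32_t drm_mask_t;
static const size_t max_objects = 3 * 8 * sizeof(drm_mask_t);

/* Bytes memdup_array_user() would copy for `count` u32 ids.  Like the
 * kernel helper, refuse a product that overflows size_t. */
static int lease_ids_bytes(size_t count, size_t *bytes)
{
	if (count > SIZE_MAX / sizeof(uint32_t))
		return -EOVERFLOW;
	*bytes = count * sizeof(uint32_t);
	return 0;
}

/* Smallest page order whose block holds `bytes` (what get_order() does). */
static unsigned int page_order_for(size_t bytes)
{
	size_t pages = (bytes + PAGE_SIZE - 1) >> PAGE_SHIFT;
	unsigned int order = 0;

	while (((size_t)1 << order) < pages)
		order++;
	return order;
}

/* True when an uncapped `count` is unreasonable: either the byte size
 * overflows, or the copy would need an order above MAX_PAGE_ORDER, which
 * is the WARN_ON_ONCE_GFP() in the trace.  Both must be rejected before
 * anything reaches the allocator. */
static bool exceeds_max_order(size_t count)
{
	size_t bytes;

	if (lease_ids_bytes(count, &bytes))
		return true;
	return page_order_for(bytes) > MAX_PAGE_ORDER;
}

/* The check the patch adds; %zu is the conversion for a size_t argument. */
static int check_object_count(size_t object_count)
{
	if (object_count > max_objects) {
		fprintf(stderr, "too many objects (%zu)\n", object_count);
		return -EINVAL;
	}
	return 0;
}

int main(void)
{
	/* constructed sample counts: a normal lease, the cap, one past it,
	 * and the smallest count whose copy needs order MAX_PAGE_ORDER + 1 */
	const size_t samples[] = { 3, 96, 97, ((size_t)1 << 20) + 1 };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		size_t count = samples[i];
		size_t bytes = 0;

		lease_ids_bytes(count, &bytes);
		printf("count=%zu bytes=%zu order=%u check=%d over_max_order=%s\n",
		       count, bytes, page_order_for(bytes),
		       check_object_count(count),
		       exceeds_max_order(count) ? "yes" : "no");
	}
	return 0;
}
```

With the cap in place the largest copy is 96 * 4 = 384 bytes, an order-0 allocation; without it, anything above 2^20 ids (4 MiB of ids) already asks for order 11, and larger counts grow the order further until the size computation itself overflows, which is the case memdup_array_user()'s overflow check catches.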