From: Edward Adam Davis
To: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Cc: airlied@gmail.com, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, mripard@kernel.org, simona@ffwll.ch, syzkaller-bugs@googlegroups.com, tzimmermann@suse.de, David.Francis@amd.com
Subject: [PATCH] drm: Replace old pointer to new idr
Date: Wed, 13 May 2026 12:30:50 +0800
X-OQ-MSGID: <20260513043049.363250-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <6a0385f1.a00a0220.3890a0.0002.GAE@google.com>
References: <6a0385f1.a00a0220.3890a0.0002.GAE@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 5e28b7b94408 introduced a logical error by failing to replace the newly generated IDR pointer to the old id's pointer at the correct location within the "change handle" logic; this resulted in the issue reported by syzbot [1]. Specifically, the new IDR object pointer is intended to replace the original id's pointer during the normal execution flow.

Additionally, an unnecessary conditional check for the ret exit path has been removed.

[1]
!RB_EMPTY_ROOT(&prime_fpriv->dmabufs)
WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833
Call Trace:
 drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269
 drm_file_free drivers/gpu/drm/drm_file.c:237 [inline]
 drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290
 drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438

Fixes: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle")
Reported-by: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7c9eed171647e421013
Tested-by: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis --- drivers/gpu/drm/drm_gem.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 51a887cc7fd7..8afab57fc055 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -1067,17 +1067,12 @@ int drm_gem_change_handle_ioctl(struct drm_device *= dev, void *data, =20 spin_unlock(&file_priv->table_lock); =20 - if (ret < 0) - goto out_unlock; - if (obj->dma_buf) { ret =3D drm_prime_add_buf_handle(&file_priv->prime, obj->dma_buf, handle); if (ret < 0) { spin_lock(&file_priv->table_lock); idr_remove(&file_priv->object_idr, handle); - idrobj =3D idr_replace(&file_priv->object_idr, obj, handle); - WARN_ON(idrobj !=3D NULL); spin_unlock(&file_priv->table_lock); goto out_unlock; } @@ -1089,7 +1084,9 @@ int drm_gem_change_handle_ioctl(struct drm_device *de= v, void *data, =20 spin_lock(&file_priv->table_lock); idr_remove(&file_priv->object_idr, args->handle); + idrobj =3D idr_replace(&file_priv->object_idr, obj, handle); spin_unlock(&file_priv->table_lock); + WARN_ON(idrobj !=3D NULL); =20 out_unlock: mutex_unlock(&file_priv->prime.lock); --=20 2.43.0
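Review bot: in the first hunk (@@ -1067,17 +1067,12 @@), dropping `if (ret < 0) goto out_unlock;` right after the first `spin_unlock(&file_priv->table_lock);` is not justified by anything visible here. The commit message only asserts the check is "unnecessary"; the hunk context does not show what assigns `ret` in the locked section above, and if that is the allocation of the new handle, a negative `ret` now falls through into `drm_prime_add_buf_handle()` and then into the final `idr_remove(&file_priv->object_idr, args->handle);`, so a failed allocation would also drop the caller's old handle. Please either keep the early exit or state in the commit message why `ret` cannot be negative at that point. Removing the `idr_replace()` / `WARN_ON()` pair from the error branch is correct: installing `obj` into a handle that the same branch has just passed to `idr_remove()` makes no sense, and `idr_replace()` on an id that is no longer present returns an error pointer rather than `NULL`, so that `WARN_ON` would have fired on every error exit.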
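Review bot: in the second hunk (@@ -1089,7 +1084,9 @@), moving `idr_replace(&file_priv->object_idr, obj, handle);` into the success path under `table_lock` is the actual fix, and evaluating `WARN_ON(idrobj != NULL);` only after `spin_unlock()` is fine (better not to warn while holding a spinlock). Two suggestions: `idr_replace()` returns an `ERR_PTR` rather than `NULL` when the id is absent, so this `WARN_ON` fires for both "slot already populated" and "slot missing"; if those cases should be told apart, check `IS_ERR(idrobj)` separately. And since nothing in the hunk shows why `NULL` is the expected result (presumably the new id was reserved earlier with a `NULL` placeholder), a one-line comment above the `idr_replace()` call would save the next reader a trip to the allocation site.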