From mboxrd@z Thu Jan 1 00:00:00 1970
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Mon, 18 May 2026 09:36:43 -0700
In-Reply-To: <675963eb.050a0220.17f54a.0038.GAE@google.com>
Message-ID: <6a0b401b.170a0220.39a587.0001.GAE@google.com>
Subject: Forwarded: Re: [PATCH RFC] drm/lease: Fix warning on large user-controlled allocations
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [PATCH RFC] drm/lease: Fix warning on large user-controlled allocations
Author: nogikh@google.com

... and after some more fixes

#syz upstream

On Thu, May 14, 2026 at 12:26 AM 'syzbot' via syzkaller-upstream-moderation wrote:
>
> In drm_mode_create_lease_ioctl(), a user-provided object_count is used
> to allocate memory for object_ids and objects. When a user requests a
> massive number of objects, the allocation size can exceed the maximum
> contiguous physical memory limit (MAX_PAGE_ORDER). Since kzalloc_objs()
> defaults to GFP_KERNEL without __GFP_NOWARN, this triggers a
> WARN_ON_ONCE_GFP in the page allocator.
>
> To fix this, replace kzalloc_objs() with kvzalloc_objs() in
> fill_object_idr() and memdup_array_user() with vmemdup_array_user() in
> drm_mode_create_lease_ioctl(). This allows the allocations to gracefully
> fall back to virtually contiguous memory (vmalloc) if the requested size
> is too large or physical memory is fragmented, preventing the warning
> and allowing large lease requests to succeed or fail gracefully with
> -ENOMEM. Update the corresponding kfree() calls to kvfree() accordingly.
>
> Fixes: 62884cd386b876638720ef88374b31a84ca7ee5f ("drm: Add four ioctls for managing drm mode object leases [v7]")
> Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview
> Reported-by: syzbot+03fb58296859d8dbab4d@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=03fb58296859d8dbab4d
> Link: https://syzkaller.appspot.com/ai_job?id=d9152b5a-380f-4c4e-af5b-1890078e5d46
> To:
> To:
> To:
> To:
> To:
> To:
> Cc:
>
> ---
> diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c > index 5d2cf724c..9ccfa4712 100644 > --- a/drivers/gpu/drm/drm_lease.c > +++ b/drivers/gpu/drm/drm_lease.c > @@ -386,7 +386,7 @@ static int fill_object_idr(struct drm_device *dev, > int ret; > bool universal_planes =3D READ_ONCE(lessor_priv->universal_planes= ); > > - objects =3D kzalloc_objs(struct drm_mode_object *, object_count); > + objects =3D kvzalloc_objs(struct drm_mode_object *, object_count)= ; > if (!objects) > return -ENOMEM; > > @@ -462,7 +462,7 @@ static int fill_object_idr(struct drm_device *dev, > if (objects[o]) > drm_mode_object_put(objects[o]); > } > - kfree(objects); > + kvfree(objects); > return ret; > } > > @@ -509,8 +509,8 @@ int drm_mode_create_lease_ioctl(struct drm_device *de= v, > /* Handle leased objects, if any */ > idr_init(&leases); > if (object_count !=3D 0) { > - object_ids =3D memdup_array_user(u64_to_user_ptr(cl->obje= ct_ids), > - object_count, sizeof(__u32= )); > + object_ids =3D vmemdup_array_user(u64_to_user_ptr(cl->obj= ect_ids), > + object_count, sizeof(__u3= 2)); > if (IS_ERR(object_ids)) { > ret =3D PTR_ERR(object_ids); > idr_destroy(&leases); 
> @@ -520,7 +520,7 @@ int drm_mode_create_lease_ioctl(struct drm_device *de= v, > /* fill and validate the object idr */ > ret =3D fill_object_idr(dev, lessor_priv, &leases, > object_count, object_ids); > - kfree(object_ids); > + kvfree(object_ids); > if (ret) { > drm_dbg_lease(dev, "lease object lookup failed: %= i\n", ret); > idr_destroy(&leases);
>
>
> base-commit: 5d6919055dec134de3c40167a490f33c74c12581
> --
> This is an AI-generated patch subject to moderation.
> Reply with '#syz upstream' to send it to the mailing list.
> Reply with '#syz reject' to reject it.
>
> See for more information.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-moderation+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/9cbc091e-97f8-41a3-97eb-c1f2137ccc53%40mail.kernel.org.
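Review bot: in the fill_object_idr() hunk (@@ -386), kvzalloc_objs() silences the page-allocator warning but object_count is still passed through unbounded, and kvmalloc has its own WARN_ON_ONCE for requests above INT_MAX unless __GFP_NOWARN is set (the "Don't even allow crazy sizes" check in mm/util.c; worth confirming on the base commit). object_count is the 32-bit count from struct drm_mode_create_lease, so a count above INT_MAX / sizeof(struct drm_mode_object *) would still trip a warning, just from a different place. Rejecting such counts with -EINVAL before any allocation, or documenting a cap on lease size, would make the fix complete; the ioctl is DRM_MASTER-only, so a cap costs legitimate callers nothing.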
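Review bot: the vmemdup_array_user() call in drm_mode_create_lease_ioctl() (@@ -509) is the first allocation sized by object_count and runs before fill_object_idr(), so a single bound check on object_count immediately before this call would cover both arrays. As written, an oversized count now copies up to INT_MAX bytes from userspace into vmalloc space only for the later objects allocation, which is twice as large per entry on 64-bit, to fail with -ENOMEM; checking the larger of the two sizes up front avoids doing that copy for a request that cannot succeed.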
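Review bot: kvfree(object_ids) in the @@ -520 hunk pairs correctly with vmemdup_array_user() above, and the IS_ERR path in the previous hunk has nothing to free, but the shown context stops at idr_destroy(&leases); please confirm no other kfree(object_ids) survives later in drm_mode_create_lease_ioctl(), since kfree() on a vmalloc'd buffer would now be a memory-safety bug.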
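As an added illustration (not code from this patch, from drm_lease.c, or from the kernel), the following userspace C model shows the two allocations that drm_mode_create_lease_ioctl() sizes from the user-supplied object_count, which route a kvmalloc-style request takes for each size, and the up-front bound check a reviewer would want in front of them. Everything in it is an assumption for illustration: the names lease_count_check(), kv_route(), ids_route() and objects_route() are hypothetical, MODEL_KMALLOC_MAX_SIZE (4 MiB, the x86-64 KMALLOC_MAX_SIZE for MAX_PAGE_ORDER 10 with 4 KiB pages) and MODEL_KVMALLOC_MAX_SIZE (INT_MAX) are model constants rather than kernel headers, and returning -E2BIG for the cap is a choice made here, not what the kernel returns.

```c
/*
 * Added example, not code from the patch or from drivers/gpu/drm/drm_lease.c:
 * a userspace model of the two allocations that drm_mode_create_lease_ioctl()
 * sizes from the user-supplied object_count, and of the bound check a reviewer
 * would want in front of them. All names and limits below are assumptions.
 */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed x86-64 limits: kmalloc tops out at KMALLOC_MAX_SIZE = 4 MiB
 * (MAX_PAGE_ORDER 10, 4 KiB pages); kvmalloc's vmalloc fallback refuses
 * anything above INT_MAX. Both are model constants, not kernel headers. */
#define MODEL_KMALLOC_MAX_SIZE  ((size_t)4 << 20)
#define MODEL_KVMALLOC_MAX_SIZE ((size_t)INT_MAX)

enum alloc_route {
	ROUTE_KMALLOC,  /* physically contiguous, fits in one kmalloc */
	ROUTE_VMALLOC,  /* too big for kmalloc, served by the vmalloc fallback */
	ROUTE_REJECT    /* above what kvmalloc will even attempt */
};

/* Same contract as the kernel's array_size(): saturate to SIZE_MAX on
 * overflow so that any allocator is guaranteed to refuse the result. */
static size_t sat_array_size(size_t n, size_t elem)
{
	size_t bytes;

	if (__builtin_mul_overflow(n, elem, &bytes))
		return SIZE_MAX;
	return bytes;
}

/* Which route a kvmalloc-style request of `bytes` takes in this model. */
static enum alloc_route kv_route(size_t bytes)
{
	if (bytes <= MODEL_KMALLOC_MAX_SIZE)
		return ROUTE_KMALLOC;
	if (bytes <= MODEL_KVMALLOC_MAX_SIZE)
		return ROUTE_VMALLOC;
	return ROUTE_REJECT;
}

/* Route for the object_ids copy (object_count * sizeof(__u32)). */
static enum alloc_route ids_route(uint32_t object_count)
{
	return kv_route(sat_array_size(object_count, sizeof(uint32_t)));
}

/* Route for the objects array (object_count * sizeof(struct drm_mode_object *)). */
static enum alloc_route objects_route(uint32_t object_count)
{
	return kv_route(sat_array_size(object_count, sizeof(void *)));
}

/*
 * Hypothetical up-front check. Returns 0 when both arrays are allocatable,
 * -EOVERFLOW when a size cannot be represented (what memdup_array_user()
 * reports), and -E2BIG (a choice made here) when either array would exceed
 * what kvmalloc accepts, so the request is refused before any copy_from_user.
 */
static int lease_count_check(uint32_t object_count)
{
	size_t ids = sat_array_size(object_count, sizeof(uint32_t));
	size_t objs = sat_array_size(object_count, sizeof(void *));

	if (ids == SIZE_MAX || objs == SIZE_MAX)
		return -EOVERFLOW;
	if (kv_route(ids) == ROUTE_REJECT || kv_route(objs) == ROUTE_REJECT)
		return -E2BIG;
	return 0;
}

static const char *route_name(enum alloc_route r)
{
	return r == ROUTE_KMALLOC ? "kmalloc" : r == ROUTE_VMALLOC ? "vmalloc" : "reject";
}

int main(void)
{
	/* Constructed inputs: a normal lease, one whose ids array exactly fills
	 * KMALLOC_MAX_SIZE, the largest count the model accepts, the first count
	 * it refuses, and the u32 maximum. */
	const uint32_t counts[] = { 16, 1u << 20, 268435455u, 268435456u, UINT32_MAX };

	for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
		uint32_t n = counts[i];

		printf("object_count=%10u ids:%-7s objects:%-7s check=%d\n", n,
		       route_name(ids_route(n)), route_name(objects_route(n)),
		       lease_count_check(n));
	}
	return 0;
}
```

The table the program prints makes the asymmetry visible: at 1 << 20 entries the 4 MiB ids array still fits a kmalloc while the 8 MiB pointer array already needs the vmalloc fallback, and on 64-bit the pointer array is what hits the INT_MAX ceiling first, at 268435456 entries, so a cap derived from the ids array alone would be too generous.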