From mboxrd@z Thu Jan 1 00:00:00 1970
From: Hillf Danton
To: syzbot
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [dri?] KASAN: slab-use-after-free Read in drm_gem_object_release_handle
Date: Thu, 16 Apr 2026 16:19:58 +0800
Message-ID: <20260416082000.1950-1-hdanton@sina.com>
In-Reply-To: <69dd24f4.a00a0220.468cb.004a.GAE@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

> Date: Mon, 13 Apr 2026 10:16:36 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    f5459048c38a Merge tag 'i2c-for-7.0-final' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1028d106580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=6754c86e8d9e4c91
> dashboard link: https://syzkaller.appspot.com/bug?extid=b2e951687503f32f74ce
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1428d106580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17509036580000

#syz test

--- x/drivers/gpu/drm/drm_gem.c
+++ y/drivers/gpu/drm/drm_gem.c
@@ -401,22 +401,20 @@ drm_gem_handle_delete(struct drm_file *f { struct drm_gem_object *obj; + mutex_lock(&filp->prime.lock); spin_lock(&filp->table_lock); /* Check if we currently have a reference on the object */ - obj = idr_replace(&filp->object_idr, NULL, handle); + obj = idr_find(&filp->object_idr, handle); + idr_remove(&filp->object_idr, handle); spin_unlock(&filp->table_lock); + mutex_unlock(&filp->prime.lock); + if (IS_ERR_OR_NULL(obj)) return -EINVAL; - /* Release driver's reference and decrement refcount. */ drm_gem_object_release_handle(handle, obj, filp); - /* And finally make the handle available for future allocations. */ - spin_lock(&filp->table_lock); - idr_remove(&filp->object_idr, handle); - spin_unlock(&filp->table_lock); - return 0; } EXPORT_SYMBOL(drm_gem_handle_delete); @@ -1012,17 +1010,20 @@ int drm_gem_change_handle_ioctl(struct d return -EINVAL; handle = args->new_handle; + mutex_lock(&file_priv->prime.lock); + obj = drm_gem_object_lookup(file_priv, args->handle); - if (!obj) + if (!obj) { + mutex_unlock(&file_priv->prime.lock); return -ENOENT; + } if (args->handle == handle) { + mutex_unlock(&file_priv->prime.lock); ret = 0; goto out; } - mutex_lock(&file_priv->prime.lock); - spin_lock(&file_priv->table_lock); ret = idr_alloc(&file_priv->object_idr, obj, handle, handle + 1, GFP_NOWAIT); 
@@ -1085,8 +1086,22 @@ drm_gem_open(struct drm_device *dev, str void drm_gem_release(struct drm_device *dev, struct drm_file *file_private) { - idr_for_each(&file_private->object_idr, - &drm_gem_object_release_handle, file_private); + struct drm_gem_object *obj; + int id; + + for (;;) { + id = 0; + mutex_lock(&file_private->prime.lock); + spin_lock(&file_private->table_lock); + obj = idr_get_next(&file_private->object_idr, &id); + if (obj) + idr_remove(&file_private->object_idr, id); + spin_unlock(&file_private->table_lock); + mutex_unlock(&file_private->prime.lock); + if (!obj) + break; + drm_gem_object_release_handle(id, obj, file_private); + } idr_destroy(&file_private->object_idr); } --
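Review bot: In the drm_gem_handle_delete hunk, removing the id from object_idr before drm_gem_object_release_handle() runs gives up the reservation that the old idr_replace(..., NULL, handle) followed by the trailing idr_remove() provided (the deleted comment "And finally make the handle available for future allocations" documents that intent), so a concurrent handle allocation on the same drm_file can now be handed the same handle number while the old object's close path is still executing; if that window is acceptable, the description should say why, otherwise keep the NULL placeholder in the idr until after the release call. Minor: idr_remove() returns the pointer it removed, so the added pair "obj = idr_find(&filp->object_idr, handle); idr_remove(&filp->object_idr, handle);" collapses to a single "obj = idr_remove(&filp->object_idr, handle);", and since neither idr_find() nor idr_remove() returns an ERR_PTR (only idr_replace() did), the IS_ERR_OR_NULL(obj) test can become a plain NULL check.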
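Review bot: In the drm_gem_change_handle_ioctl hunk, the two early exits added after the new mutex_lock(&file_priv->prime.lock) each carry an inline mutex_unlock(&file_priv->prime.lock), which is the pattern that leaks the mutex the next time someone adds an exit between the lock and the out label; since the function already unwinds through "goto out", an unlock label placed before it (if the function's existing unwinding does not already provide one) would keep a single unlock path, and the args->handle == handle case could then be "ret = 0; goto out_unlock;" instead of unlocking by hand. The description should also state that moving prime.lock above drm_gem_object_lookup() is what pairs with the prime.lock now taken in drm_gem_handle_delete(), so that the lookup followed by idr_alloc() on the new handle can no longer interleave with a delete of args->handle; a reader of this hunk alone cannot see that motivation.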
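Review bot: In the drm_gem_release hunk, the loop acquires and releases both prime.lock and table_lock once per handle and restarts idr_get_next() from id = 0 on every pass, while the idr_for_each() it replaces ran with no locking at all; drm_gem_release() is reached from drm_file_free() after the last reference to the file is gone, so the description needs to name the concurrent user of object_idr that this locking guards against, or else drop the locking and keep only the remove-then-release ordering the loop introduces. If the per-entry locking stays, a short comment that restarting from 0 is correct only because each entry is removed before the next iteration would save the next reader from wondering whether the loop can spin forever, and one lock/unlock around the whole loop with a separate list of (id, obj) pairs released afterwards would avoid the repeated lock traffic on files with many handles.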