mirror-linux/drivers/gpu/drm
Edward Adam Davis dc366607c4 drm: Replace old pointer to new idr
Commit 5e28b7b944 introduced a logical error by failing to replace the
newly generated IDR pointer to old id's pointer at the correct location
within the "change handle" logic; this resulted in the issue reported by
syzbot [1].

Specifically, the new IDR object pointer is intended to replace the original
id's pointer during the normal execution flow.

Additionally, an unnecessary conditional check for the ret exit path has
been removed.

[1]
!RB_EMPTY_ROOT(&prime_fpriv->dmabufs)
WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833
Call Trace:
 drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269
 drm_file_free drivers/gpu/drm/drm_file.c:237 [inline]
 drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290
 drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438

Fixes: 5e28b7b944 ("drm: Set old handle to NULL before prime swap in change_handle")
Reported-by: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7c9eed171647e421013
Cc: stable@vger.kernel.org
Tested-by: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/tencent_C267296443AAA4567771176886DFF364A305@qq.com
2026-05-16 09:32:43 +10:00
adp
amd drm/amdgpu/gfx_v12_0: set gfx.rs64_enable from PFP header on GFX12 2026-05-11 17:54:44 -04:00
arm drm/komeda: Add support for Arm China Linlon-D6 2026-03-24 16:08:54 +00:00
armada
aspeed
ast drm/ast: dp501: Fix initialization of SCU2C 2026-03-30 10:38:11 +02:00
atmel-hlcdc
bridge drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup 2026-05-12 10:13:19 +08:00
ci Merge tag 'drm-msm-next-2026-04-02' of https://gitlab.freedesktop.org/drm/msm into drm-next 2026-04-03 18:57:00 +10:00
clients
display drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
etnaviv drm/etnaviv: Fix armed job not being pushed to the DRM scheduler 2026-05-05 11:40:16 +02:00
exynos drm/exynos: remove bridge when component_add fails 2026-05-05 16:50:42 +02:00
fsl-dcu
gma500 drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init 2026-05-13 20:15:17 +02:00
gud Merge drm/drm-fixes into drm-misc-next-fixes 2026-03-30 10:05:36 +02:00
hisilicon
hyperv
i915 drm/i915/dp: Fix VSC dynamic range signaling for RGB formats 2026-05-12 08:05:24 +01:00
imagination drm/imagination: Fix segfault when updating ftrace mask 2026-04-27 14:22:52 +01:00
imx drm/imx: ipuv3-plane: support underlay plane 2026-03-13 16:27:06 +01:00
ingenic drm/atomic: Remove state argument to drm_atomic_private_obj_init 2026-03-20 10:03:11 +01:00
kmb
lima
logicvc
loongson drm/loongson: Use managed KMS polling 2026-05-15 08:50:54 +02:00
mcde
mediatek Linux 7.0-rc6 2026-03-31 07:51:02 +10:00
meson Merge tag 'drm-msm-next-2026-04-02' of https://gitlab.freedesktop.org/drm/msm into drm-next 2026-04-03 18:57:00 +10:00
mgag200
msm Merge tag 'drm-msm-next-2026-04-02' of https://gitlab.freedesktop.org/drm/msm into drm-next 2026-04-03 18:57:00 +10:00
mxsfb
nouveau Revert "drm/nouveau/gsp: add support for GA100" 2026-05-01 01:08:00 +02:00
nova rust: gem: Introduce DriverObject::Args 2026-03-26 02:08:04 +01:00
omapdrm drm/atomic: Remove state argument to drm_atomic_private_obj_init 2026-03-20 10:03:11 +01:00
panel drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds 2026-05-05 14:43:36 +02:00
panfrost drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() 2026-05-07 14:52:55 +01:00
panthor drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
pl111
qxl drm/qxl: Fix missing KMS poll cleanup 2026-05-04 14:54:44 +02:00
radeon drm/radeon: add missing revision check for CI 2026-05-05 10:15:49 -04:00
renesas drm: rcar-du: Fix crash when no CMM is available 2026-04-23 15:53:46 +03:00
rockchip drm/rockchip: analogix: Convert to drm_output_color_format 2026-03-24 13:54:34 +01:00
scheduler Linux 7.0-rc3 2026-03-11 11:18:31 +01:00
sitronix Merge drm/drm-fixes into drm-misc-next-fixes 2026-03-30 10:05:36 +02:00
solomon
sprd
sti drm/sti: remove bridge when sti_hda component_add fails 2026-05-04 22:52:39 +02:00
stm drm/bridge: stm_lvds: Do not fail atomic_check on disabled connector 2026-04-13 12:52:33 +02:00
sun4i drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
sysfb drm/sysfb: ofdrm: fix PCI device reference leaks 2026-04-27 11:30:49 +02:00
tegra drm for v7.1-rc1 2026-04-15 08:45:00 -07:00
tests drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
tidss
tilcdc drm/tilcdc: Fix type mismatch 2026-03-17 17:50:49 +01:00
tiny drm/bochs: Drop manual put on probe error path 2026-05-07 10:51:18 +02:00
ttm drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure 2026-05-14 15:32:29 +02:00
tve200
tyr drm for v7.1-rc1 2026-04-15 08:45:00 -07:00
udl drm/udl: Increase GET_URB_TIMEOUT 2026-04-28 10:50:41 +02:00
v3d drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
vboxvideo
vc4 drm for v7.1-rc1 2026-04-15 08:45:00 -07:00
verisilicon drm: verisilicon: make vs_dc_platform_driver static 2026-03-25 15:21:23 +01:00
vgem
virtio
vkms drm/vkms: Support setting custom background color 2026-03-18 09:59:57 +00:00
vmwgfx Linux 7.0-rc6 2026-03-31 07:51:02 +10:00
xe drm/xe: Drop unused ggtt_balloon field 2026-05-13 11:19:21 -04:00
xen
xlnx
Kconfig DRM Rust changes for v7.1-rc1 2026-04-01 07:32:05 +10:00
Kconfig.debug drm: fix dead default for DRM_TTM_KUNIT_TEST 2026-03-24 16:19:04 +01:00
Makefile Merge drm/drm-next into drm-xe-next 2026-03-12 07:23:23 -07:00
drm_atomic.c drm/atomic: Remove state argument to drm_atomic_private_obj_init 2026-03-20 10:03:11 +01:00
drm_atomic_helper.c drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
drm_atomic_state_helper.c drm: Add CRTC background color property 2026-03-18 09:59:57 +00:00
drm_atomic_uapi.c drm: Add CRTC background color property 2026-03-18 09:59:57 +00:00
drm_auth.c
drm_blend.c drm: Add CRTC background color property 2026-03-18 09:59:57 +00:00
drm_bridge.c Linux 7.0-rc7 2026-04-07 12:36:31 +02:00
drm_bridge_helper.c
drm_buddy.c
drm_cache.c
drm_client.c
drm_client_event.c
drm_client_modeset.c
drm_client_sysrq.c
drm_color_mgmt.c drm/color-mgmt: Typo s/R332/RGB332/ 2026-04-27 11:36:05 +02:00
drm_colorop.c drm/colorop: Preserve bypass value in duplicate_state() 2026-03-16 08:33:05 +05:30
drm_connector.c drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
drm_crtc.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_crtc_helper.c
drm_crtc_helper_internal.h
drm_crtc_internal.h
drm_damage_helper.c
drm_debugfs.c
drm_debugfs_crc.c
drm_displayid.c
drm_displayid_internal.h
drm_draw.c
drm_draw_internal.h
drm_drv.c drm-misc-next for v7.1: 2026-03-27 12:45:54 +10:00
drm_dumb_buffers.c
drm_edid.c drm/edid: Parse AMD Vendor-Specific Data Block 2026-04-03 13:45:49 -04:00
drm_edid_load.c
drm_eld.c
drm_encoder.c
drm_exec.c
drm_fb_dma_helper.c
drm_fb_helper.c drm/fb-helper: Fix clipping when damage area spans a single scanline 2026-05-04 14:55:40 +02:00
drm_fbdev_dma.c
drm_fbdev_shmem.c
drm_fbdev_ttm.c
drm_file.c Revert "drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug" 2026-03-26 14:09:26 +01:00
drm_flip_work.c
drm_format_helper.c
drm_format_internal.h
drm_fourcc.c
drm_framebuffer.c
drm_gem.c drm: Replace old pointer to new idr 2026-05-16 09:32:43 +10:00
drm_gem_atomic_helper.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_gem_dma_helper.c drm/gem-dma: set VM_DONTDUMP for mmap 2026-03-26 14:35:18 +08:00
drm_gem_framebuffer_helper.c drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() 2026-04-27 11:27:22 +02:00
drm_gem_shmem_helper.c drm/shmem_helper: Make sure PMD entries get the writeable upgrade 2026-04-03 10:11:04 +02:00
drm_gem_ttm_helper.c
drm_gem_vram_helper.c drm/vram: remove DRM_VRAM_MM_FILE_OPERATIONS from docs 2026-04-09 09:34:28 +02:00
drm_gpusvm.c drm/pagemap: Add helper to access zone_device_data 2026-03-13 18:12:07 -07:00
drm_gpuvm.c
drm_internal.h
drm_ioc32.c drm/ioc32: stop speculation on the drm_compat_ioctl path 2026-04-02 08:24:55 +02:00
drm_ioctl.c
drm_kms_helper_common.c
drm_lease.c
drm_managed.c
drm_mipi_dbi.c drm/mipi-dbi: Remove simple-display helpers from mipi-dbi 2026-03-25 15:05:17 +01:00
drm_mipi_dsi.c
drm_mm.c
drm_mode_config.c Linux 7.0-rc7 2026-04-07 12:36:31 +02:00
drm_mode_object.c
drm_modes.c
drm_modeset_helper.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_modeset_lock.c
drm_of.c
drm_pagemap.c drm/pagemap: Enable THP support for GPU memory migration 2026-03-13 18:12:59 -07:00
drm_pagemap_util.c drm/pagemap_util: Ensure proper cache lock management on free 2026-03-17 15:39:07 +01:00
drm_panel.c
drm_panel_backlight_quirks.c
drm_panel_orientation_quirks.c
drm_panic.c
drm_panic_qr.rs
drm_pci.c
drm_plane.c
drm_plane_helper.c
drm_prime.c drm/prime: Limit scatter list size with dedicated DMA device 2026-03-23 13:23:29 +08:00
drm_print.c
drm_privacy_screen.c
drm_privacy_screen_x86.c
drm_probe_helper.c
drm_property.c
drm_ras.c
drm_ras_genl_family.c
drm_ras_nl.c
drm_ras_nl.h
drm_rect.c
drm_self_refresh_helper.c
drm_simple_kms_helper.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_suballoc.c
drm_syncobj.c drm/syncobj: Fix xa_alloc allocation flags 2026-03-25 08:05:35 +00:00
drm_sysfs.c
drm_trace.h
drm_trace_points.c
drm_vblank.c
drm_vblank_helper.c
drm_vblank_work.c
drm_vma_manager.c
drm_writeback.c