Message-ID:
 <KL1PR03MB8800F1479B619EDAA37B6605A184A@KL1PR03MB8800.apcprd03.prod.outlook.com>
Date: Wed, 7 Jan 2026 05:27:21 +0000
From: "WangzXD0325@...look.com" <WangzXD0325@...look.com>
To: Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>
CC: "dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: [BUG] WARNING in drm_prime_destroy_file_private() leading to
 panic_on_warn (6.18.0)

Hello,
I am reporting a WARN_ON() triggered in drm_prime_destroy_file_private(),
which leads to a kernel panic when panic_on_warn is enabled. The issue
was observed during syzkaller-style fuzz testing.

=== Summary ===
The kernel triggers a WARNING at:
drivers/gpu/drm/drm_prime.c:223
drm_prime_destroy_file_private()
during DRM file cleanup. With panic_on_warn enabled, this results in a
kernel panic.
The warning is hit while closing a DRM file descriptor from userspace.

=== Environment ===
Kernel: 6.18.0 (locally built)
Config: PREEMPT(full), panic_on_warn=1
Arch: x86_64
Hardware: QEMU Standard PC (i440FX + PIIX)
Workload: syz-executor (fuzzing)

=== Triggering context ===
The warning is triggered in process context during file release:
drm_file_free
drm_close_helper
drm_release
__fput
task_work_run
exit_to_user_mode_loop
The userspace process is a syzkaller executor (syz.0.6460).

=== Warning details ===
The kernel reports:
WARNING: CPU: 3 PID: 28430 at drivers/gpu/drm/drm_prime.c:223
drm_prime_destroy_file_private+0x43/0x60
RIP points directly at drm_prime_destroy_file_private():
RIP: 0010:drm_prime_destroy_file_private+0x43/0x60
The warning is followed by a panic due to panic_on_warn being set.

=== Call trace ===
drm_prime_destroy_file_private
drm_file_free.part.0
drm_close_helper
drm_release
__fput
task_work_run
exit_to_user_mode_loop
do_syscall_64
entry_SYSCALL_64_after_hwframe

=== Observations ===
The warning appears to be triggered during cleanup of DRM PRIME-related
file-private data.
This suggests an unexpected state during teardown, such as:
double destruction,
missing initialization, or
inconsistent lifetime handling of PRIME file-private structures.
The issue is triggered reliably enough for syzkaller to detect it, but
no minimal standalone reproducer is currently available.

=== Reproducer ===
No standalone reproducer is available.
The issue was observed during syzkaller-style fuzzing.

=== Expected behavior ===
Closing a DRM file descriptor should not trigger WARN_ON(), even if the
userspace usage pattern is malformed.

=== Actual behavior ===
A WARN_ON() is triggered in drm_prime_destroy_file_private(), and the
kernel panics when panic_on_warn is enabled.

=== Notes ===
If additional logs, full kernel configuration, or further traces would
be helpful, I am happy to provide them.
Thanks for your time.

Reported-by: Zhi Wang
