lists.openwall.net: Open Source and information security mailing list archives (linux-kernel)
Message-ID: <40d309e5.ba84.19ba7a719d3.Coremail.wangzhi_xd@stu.xidian.edu.cn>
Date: Sat, 10 Jan 2026 19:25:04 +0800 (GMT+08:00)
From: 王志 <wangzhi_xd@....xidian.edu.cn>
To: "Maarten Lankhorst" <maarten.lankhorst@...ux.intel.com>,
	"Maxime Ripard" <mripard@...nel.org>,
	"Thomas Zimmermann" <tzimmermann@...e.de>
Cc: dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: [BUG] WARNING in drm_gem_object_handle_put_unlocked during drm_release on Linux 6.18

Dear Maintainers,
When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash was triggered.
HEAD commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449
git tree: upstream
Output: https://github.com/manual0/crash/blob/main/report1.txt
Kernel config: https://github.com/manual0/crash/blob/main/config.txt
C reproducer: https://github.com/manual0/crash/blob/main/repro1.c

drm_gem_object_handle_put_unlocked within drivers/gpu/drm/drm_gem.c which was identified during fuzzing on a Linux 6.18 kernel. This warning indicates a reference counting inconsistency when releasing a GEM object handle during the process exit path. The issue consistently occurs during the resource cleanup sequence where drm_release calls drm_file_free and subsequently drm_gem_release, which then iterates through GEM handles via idr_for_each. We noticed that syzbot has previously reported a similar warning in drm_gem_object_handle_put_unlocked under extid ef3256a360c02207a4cb, but our finding is distinct because the syzbot report is triggered during the creation path via drm_mode_create_dumb_ioctl, whereas our trace proves the issue persists in the cleanup path even on the newer 6.18.0 upstream tree. We have searched for existing patches but found none that address this specific release-side inconsistency. This bug was reproduced in a specialized environment using a custom-modeled device added to QEMU to simulate specific hardware-driver interactions. To assist in your analysis, we have provided our QEMU device modeling file in the appendix, as the bug may not be triggerable on standard emulated hardware.

If you fix this issue, please add the following tag to the commit:
Reported-by: Zhi Wang <wangzhi@....xidian.edu.cn>, Bin Yu <byu@...ian.edu.cn>, MingYu Wang <w15303746062@....com>, WenJian Lu <19861702678@....com>, KeFeng Gao <2401553064@...com>, thank you!

WARNING: CPU: 1 PID: 108806 at drivers/gpu/drm/drm_gem.c:300 drm_gem_object_handle_put_unlocked+0x30e/0x3e0
Modules linked in:
CPU: 1 UID: 0 PID: 108806 Comm: syz.1.31978 Not tainted 6.18.0 #1 PREEMPT(full) 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:drm_gem_object_handle_put_unlocked+0x30e/0x3e0
Code: ed 74 61 e8 74 a8 84 fc 4c 89 e7 e8 2c 9e 94 00 48 c7 c1 60 09 ea 8b 4c 89 ea 48 c7 c7 40 05 ea 8b 48 89 c6 e8 e3 3b 44 fc 90 <0f> 0b 90 90 5b 5d 41 5c 41 5d 41 5e 41 5f e9 3f a8 84 fc 4c 89 ff
RSP: 0018:ffffc90002d27b80 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88811ac0fbe0 RCX: ffffffff8179ed09
RDX: ffff888124a2ba00 RSI: ffffffff8179ed16 RDI: 0000000000000001
RBP: ffff888107df1000 R08: 0000000000000001 R09: ffffed1026bc4841
R10: 0000000000000001 R11: 0000000000139fc0 R12: ffff8881001ec0c8
R13: ffff88801c71bd60 R14: 0000000000000000 R15: ffff888107df1004
FS:  000055557ced1500(0000) GS:ffff8881a2601000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe5646ff00 CR3: 000000012fba2000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 drm_gem_object_release_handle+0xc7/0x200
 idr_for_each+0x119/0x230 home/wmy/Fuzzer/third_tool/linux-6.18/lib/idr.c:208
 drm_gem_release+0x29/0x40
 drm_file_free.part.0+0x724/0xcf0
 drm_close_helper.isra.0+0x183/0x1f0
 drm_release+0x1ab/0x360
 __fput+0x402/0xb50 home/wmy/Fuzzer/third_tool/linux-6.18/fs/file_table.c:468
 task_work_run+0x16b/0x260 home/wmy/Fuzzer/third_tool/linux-6.18/kernel/task_work.c:227
 exit_to_user_mode_loop+0xf9/0x130
 do_syscall_64+0x424/0xfa0 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_32.c:308
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5f9d3b059d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffeb85fc6d8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007f5f9d627da0 RCX: 00007f5f9d3b059d
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007ffeb85fc778 R08: 0000001b3292016a R09: 0000000000000000
R10: 0000001b32d20000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 00007f5f9d62609c R14: 00007f5f9d627da0 R15: 00007ffeb85fc7a0
 </TASK>

Thanks,
Zhi Wang

Attachment: bochs_drm_pci.c (text/plain, 12167 bytes)
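As an added example, not part of the report above or of any kernel tooling: a small Python parser for a kernel WARNING block that extracts the WARN_ON site (file, line, symbol) and the caller chain from the Call Trace, strips GCC clone suffixes such as `.part.0` and `.isra.0`, and classifies whether the warning was reached through the file-release path (drm_release) or the dumb-buffer creation ioctl that the earlier syzbot report went through. This is the distinction the reporter draws by hand; the example turns it into a deduplication key so a fuzzing pipeline can tell the two paths apart automatically. The sample input is the trace from this message with the register dumps trimmed, and the marker sets, class names and function names are the example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the WARNING and call trace from the report above,
# with register dumps trimmed so the parser's input stays short.
SAMPLE_REPORT = """\
WARNING: CPU: 1 PID: 108806 at drivers/gpu/drm/drm_gem.c:300 drm_gem_object_handle_put_unlocked+0x30e/0x3e0
Modules linked in:
CPU: 1 UID: 0 PID: 108806 Comm: syz.1.31978 Not tainted 6.18.0 #1 PREEMPT(full)
RIP: 0010:drm_gem_object_handle_put_unlocked+0x30e/0x3e0
Call Trace:
 <TASK>
 drm_gem_object_release_handle+0xc7/0x200
 idr_for_each+0x119/0x230 home/wmy/Fuzzer/third_tool/linux-6.18/lib/idr.c:208
 drm_gem_release+0x29/0x40
 drm_file_free.part.0+0x724/0xcf0
 drm_close_helper.isra.0+0x183/0x1f0
 drm_release+0x1ab/0x360
 __fput+0x402/0xb50 home/wmy/Fuzzer/third_tool/linux-6.18/fs/file_table.c:468
 task_work_run+0x16b/0x260 home/wmy/Fuzzer/third_tool/linux-6.18/kernel/task_work.c:227
 exit_to_user_mode_loop+0xf9/0x130
 do_syscall_64+0x424/0xfa0 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_32.c:308
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5f9d3b059d
 </TASK>
"""

# "WARNING: CPU: n PID: n at file:line symbol+0xoff/0xsize"
WARN_RE = re.compile(
    r"^WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"(?P<file>\S+):(?P<line>\d+) (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# One call-trace frame: leading whitespace, symbol+offset/size, optional source location.
FRAME_RE = re.compile(r"^\s+(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Symbols that distinguish the two paths named in the report (example's own choice):
# the syzbot hit came through the dumb-buffer creation ioctl, this one through drm_release.
RELEASE_PATH_MARKERS = {"drm_release", "drm_file_free", "drm_gem_release"}
CREATE_PATH_MARKERS = {"drm_mode_create_dumb_ioctl"}


@dataclass
class KernelWarning:
    cpu: int
    pid: int
    file: str
    line: int
    function: str                                # symbol at the WARN_ON site
    frames: list = field(default_factory=list)   # callers, innermost first


def strip_compiler_suffix(sym):
    """drm_file_free.part.0 -> drm_file_free; clone suffixes vary per build."""
    return sym.split(".")[0]


def parse_warning(text):
    """Extract the WARNING header and the frames between 'Call Trace:' and '</TASK>'."""
    header, frames, in_trace = None, [], False
    for raw in text.splitlines():
        m = WARN_RE.match(raw)
        if m and header is None:
            header = m
            continue
        if raw.startswith("Call Trace:"):
            in_trace = True
            continue
        if not in_trace:
            continue
        if raw.strip() == "</TASK>":
            break
        f = FRAME_RE.match(raw)
        if f:
            frames.append(strip_compiler_suffix(f.group("sym")))
    if header is None:
        raise ValueError("no WARNING line found")
    return KernelWarning(int(header["cpu"]), int(header["pid"]), header["file"],
                         int(header["line"]), header["func"], frames)


def classify_path(w):
    """'create', 'release' or 'unknown', depending on which marker symbols appear."""
    syms = set(w.frames)
    if syms & CREATE_PATH_MARKERS:
        return "create"
    if syms & RELEASE_PATH_MARKERS:
        return "release"
    return "unknown"


def signature(w):
    """Dedup key: WARN site plus the path that reached it; offsets are deliberately ignored."""
    return (w.file, w.line, w.function, classify_path(w))


if __name__ == "__main__":
    w = parse_warning(SAMPLE_REPORT)
    print(signature(w))
    print(" <- ".join([w.function] + w.frames))
```

Keying on the WARN site and path class rather than on `+0x30e/0x3e0` offsets keeps the signature stable across kernel builds, which is what a fuzzing triage queue needs when comparing a new hit against an existing syzbot entry.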
