Message-ID: <f0209960-7b71-4cf0-8531-b67d63cec68a@ursulin.net>
Date: Fri, 23 Jan 2026 09:58:09 +0000
From: Tvrtko Ursulin <tursulin@...ulin.net>
To: 王志 <wangzhi_xd@....xidian.edu.cn>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Thomas Zimmermann <tzimmermann@...e.de>
Cc: linux-kernel@...r.kernel.org, dri-devel@...ts.freedesktop.org
Subject: Re: [BUG] WARNING in idr_alloc during drm_gem_change_handle_ioctl
On 10/01/2026 14:16, 王志 wrote:
> Dear Maintainers,
> When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash was triggered.
> HEAD commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449
> git tree: upstream
> Output: https://github.com/manual0/crash/blob/main/report3.txt
> Kernel config: https://github.com/manual0/crash/blob/main/config.txt
> C reproducer: https://github.com/manual0/crash/blob/main/repro3.c
> Syz reproducer: https://github.com/manual0/crash/blob/main/repro3.syz
>
> The kernel triggered a WARNING at lib/idr.c:84 in idr_alloc. This warning is typically triggered when the idr_alloc() function is called with a negative start value or an invalid range that violates the IDR expectations.
>
> The call trace indicates that the issue originates from drm_gem_change_handle_ioctl within the DRM subsystem. This function is attempting to allocate or change a GEM handle, and it seems to pass an invalid parameter to the IDR allocator. This could be due to a lack of proper bounds checking on user-supplied values in the DRM_IOCTL_GEM_FLINK or similar handle-related IOCTLs.
>
> If you fix this issue, please add the following tag to the commit:
I have sent a tentative fix for this, and it is a solid bug report, only
two things which you could improve:
> Reported-by: Zhi Wang <wangzhi@....xidian.edu.cn>, Bin Yu<byu@...ian.edu.cn>, MingYu Wang<w15303746062@....com>, WenJian Lu<19861702678@....com>, KeFeng Gao<2401553064@...com>
1)
I don't think this is a compliant Reported-by: tag. If you want multiple
emails you need multiple tags. I couldn't be bothered and only picked
the first reporter.
2)
It would be useful if your scripts would use git blame to find the
offending commit and copy the relevant people in the report. That would
give it more chance someone actually acts on it.
Regards,
Tvrtko
>
> RBP: 00007fb87fd4f010 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
> R13: 00007fb881586038 R14: 00007fb881585fa0 R15: 00007fb87fd2f000
> </TASK>
> ------------[ cut here ]------------
> WARNING: CPU: 2 PID: 13371 at lib/idr.c:84 idr_alloc+0x123/0x140 home/linux-6.18/lib/idr.c:84
> Modules linked in: bochs drm_shmem_helper drm_kms_helper drm ata_generic virtio_pci virtio_pci_legacy_dev i2c_piix4 drm_panel_orientation_quirks pata_acpi virtio_pci_modern_dev i2c_smbus
> CPU: 2 UID: 0 PID: 13371 Comm: syz.4.4127 Not tainted 6.18.0 #9 PREEMPT(voluntary)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
> RIP: 0010:idr_alloc+0x123/0x140 home/linux-6.18/lib/idr.c:84
> Code: 8b 44 24 58 65 48 2b 05 83 50 c2 03 75 27 48 83 c4 60 44 89 e0 5b 5d 41 5c 41 5d 41 5e 41 5f e9 c3 a9 0b 00 e8 be 6a ba fb 90 <0f> 0b 90 41 bc ea ff ff ff eb b2 e8 4d 0f 09 00 66 66 2e 0f 1f 84
> RSP: 0018:ffff88811860fb60 EFLAGS: 00010216
> RAX: 0000000000000091 RBX: 0000000080000001 RCX: ffffc90006008000
> RDX: 0000000000080000 RSI: ffffffff85bbbfa2 RDI: 0000000000000005
> RBP: 1ffff110230c1f6c R08: 0000000000002800 R09: ffffed10230c1f71
> R10: 0000000080000000 R11: 0000000000000000 R12: 0000000080000000
> R13: ffff888104d29088 R14: ffff88810589f000 R15: 0000000000002800
> FS: 00007f9ee04cf640(0000) GS:ffff88819133f000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f9ee1a459c0 CR3: 000000010626e000 CR4: 00000000000006f0
> Call Trace:
> <TASK>
> drm_gem_change_handle_ioctl+0x2bf/0x4f0 home/linux-6.18/drivers/gpu/drm/drm_gem.c:988 [drm]
> drm_ioctl_kernel+0x1f2/0x3e0 home/linux-6.18/drivers/gpu/drm/drm_ioctl.c:797 [drm]
> drm_ioctl+0x580/0xb70 home/linux-6.18/drivers/gpu/drm/drm_ioctl.c:894 [drm]
> vfs_ioctl home/linux-6.18/fs/ioctl.c:51 [inline]
> __do_sys_ioctl home/linux-6.18/fs/ioctl.c:597 [inline]
> __se_sys_ioctl home/linux-6.18/fs/ioctl.c:583 [inline]
> __x64_sys_ioctl+0x194/0x210 home/linux-6.18/fs/ioctl.c:583
> do_syscall_x64 home/linux-6.18/arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xc6/0x390 home/linux-6.18/arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f9ee1a9059d
> Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f9ee04cef98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007f9ee1d05fa0 RCX: 00007f9ee1a9059d
> RDX: 0000200000000380 RSI: 00000000c02064d2 RDI: 0000000000000003
> RBP: 00007f9ee1b2e078 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f9ee1d06038 R14: 00007f9ee1d05fa0 R15: 00007f9ee04af000
> </TASK>
> irq event stamp: 1565
> hardirqs last enabled at (1575): [<ffffffff8155bd39>] __up_console_sem+0x89/0xa0 home/linux-6.18/kernel/printk/printk.c:345
> hardirqs last disabled at (1584): [<ffffffff8155bd1e>] __up_console_sem+0x6e/0xa0 home/linux-6.18/kernel/printk/printk.c:343
> softirqs last enabled at (1376): [<ffffffff813d2e09>] softirq_handle_end home/linux-6.18/kernel/softirq.c:468 [inline]
> softirqs last enabled at (1376): [<ffffffff813d2e09>] handle_softirqs+0x509/0x760 home/linux-6.18/kernel/softirq.c:650
> softirqs last disabled at (1371): [<ffffffff813d3140>] __do_softirq home/linux-6.18/kernel/softirq.c:656 [inline]
> softirqs last disabled at (1371): [<ffffffff813d3140>] invoke_softirq home/linux-6.18/kernel/softirq.c:496 [inline]
> softirqs last disabled at (1371): [<ffffffff813d3140>] __irq_exit_rcu+0xd0/0x100 home/linux-6.18/kernel/softirq.c:723
> ---[ end trace 0000000000000000 ]---
>
> Thanks,
> Zhi Wang
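As an added illustration (not Tvrtko's fix and not kernel code), a small user-space model of the contract the report describes: idr_alloc() warns on a negative start, so a handler that takes a u32 handle from an ioctl needs its own range check before that value is narrowed to int. The function names, the single-id allocation and the u32-to-int narrowing are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
/* Counts the modelled WARNING so callers can see whether it fired. */
static int idr_warn_count;

/*
 * Model of the lib/idr.c contract the report cites: start is a signed int and
 * a negative start is a caller bug, reported with a WARNING and -EINVAL. This
 * stands in for idr_alloc(idr, ptr, start, start + 1, gfp), i.e. allocating
 * exactly the id 'start'. Constructed for this example, not kernel code.
 */
static int model_idr_alloc_exact(int start)
{
    if (start < 0) {                 /* the WARN_ON at lib/idr.c:84 */
        idr_warn_count++;
        return -EINVAL;
    }
    return start;                    /* the allocated id */
}

/*
 * Hypothetical handler shape: the handle arrives as u32 in the ioctl struct
 * and is narrowed to int for the allocator. With no range check, any value
 * with the top bit set becomes a negative start and trips the WARNING.
 */
static int change_handle_unchecked(uint32_t new_handle)
{
    return model_idr_alloc_exact((int)new_handle);
}

/* Same handler with the bound checked in the ioctl path: an out-of-range
 * user value is rejected with -EINVAL before it reaches the allocator. */
static int change_handle_checked(uint32_t new_handle)
{
    if (new_handle > (uint32_t)INT_MAX)
        return -EINVAL;
    return model_idr_alloc_exact((int)new_handle);
}

int main(void)
{
    int r = change_handle_unchecked(0x80000000u);   /* constructed input */
    printf("unchecked: %d, warnings so far: %d\n", r, idr_warn_count);
    r = change_handle_checked(0x80000000u);
    printf("checked:   %d, warnings so far: %d\n", r, idr_warn_count);
    return 0;
}
```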