Re: [syzbot] [dri?] KASAN: slab-use-after-free Read in drm_gem_object_release_handle

From: Hillf Danton

Date: Tue Apr 14 2026 - 01:02:49 EST


> Date: Mon, 13 Apr 2026 10:16:36 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: f5459048c38a Merge tag 'i2c-for-7.0-final' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1028d106580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6754c86e8d9e4c91
> dashboard link: https://syzkaller.appspot.com/bug?extid=b2e951687503f32f74ce
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1428d106580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17509036580000

#syz test

--- x/drivers/gpu/drm/drm_gem.c
+++ y/drivers/gpu/drm/drm_gem.c
@@ -387,6 +387,23 @@ drm_gem_object_release_handle(int id, vo
return 0;
}

+static int
+drm_gem_object_release_idr_handle(int id, void *ptr, void *data)
+{
+ struct drm_file *filp = data;
+ struct drm_gem_object *obj, *tmp = ptr;
+
+ spin_lock(&filp->table_lock);
+ obj = idr_replace(&filp->object_idr, NULL, id);
+ spin_unlock(&filp->table_lock);
+ if (IS_ERR_OR_NULL(obj))
+ return 0;
+ if (obj != tmp)
+ return 0;
+ drm_gem_object_release_handle(id, obj, filp);
+ return 0;
+}
+
/**
* drm_gem_handle_delete - deletes the given file-private handle
* @filp: drm file-private structure to use for the handle look up
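Review bot: In drm_gem_object_release_idr_handle the `if (obj != tmp) return 0;` branch leaks whatever the idr_replace() above detached: once that call returns, `obj` is no longer reachable through object_idr, yet neither `obj` nor `tmp` is released, so its handle reference is never dropped. Since the locked idr_replace() is the single claim on the slot, releasing the value it actually returned (`drm_gem_object_release_handle(id, obj, filp);` with the `tmp` comparison removed) would cover the mismatch case as well; if the comparison is deliberate because a different object can legitimately occupy the same id at this point, the hunk should say so, as it gives no reason for it. The function also lacks a header comment stating why the entry is replaced with NULL instead of removed, e.g. `/* Claim the slot under table_lock so the object is released by exactly one path; storing NULL (rather than idr_remove) is meant to keep the running idr_for_each() stable. */`, and the "stable" half is an inference from this hunk that should be confirmed against the idr_replace()/idr_for_each() implementation before it is written down. The second hunk in drm_gem_release() only swaps in the new callback and inherits the same concern; drm_gem_object_release_handle() itself begins outside the first hunk.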
@@ -1086,7 +1103,7 @@ void
drm_gem_release(struct drm_device *dev, struct drm_file *file_private)
{
idr_for_each(&file_private->object_idr,
- &drm_gem_object_release_handle, file_private);
+ &drm_gem_object_release_idr_handle, file_private);
idr_destroy(&file_private->object_idr);
}

--