Re: [syzbot] [dri?] memory leak in drm_mode_atomic_ioctl
From: shaurya
Date: Thu Dec 04 2025 - 10:57:55 EST
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From 54d892b20a412a204d890e4a1d0e3632ab7ec787 Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssrane_b23@xxxxxxxxxxxxx>
Date: Thu, 4 Dec 2025 21:10:48 +0530
Subject: [PATCH] drm/atomic: fix memory leak in prepare_signaling() error path
When prepare_signaling() creates a vblank event for an out-fence but
fails before attaching the fence (e.g., krealloc or drm_crtc_create_fence
fails), complete_signaling() only frees events with fence or file_priv
set, leaking the partially initialized event.
Add an else branch to kfree events that have neither fence nor file_priv.
Reported-by: syzbot+3fc9eecaf97147282c87@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Shaurya Rane <ssrane_b23@xxxxxxxxxxxxx>
---
drivers/gpu/drm/drm_atomic_uapi.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/drm_atomic_uapi.c b/drivers/gpu/drm/drm_atomic_uapi.c
index 85dbdaa4a2e2..d3f23b640d34 100644
--- a/drivers/gpu/drm/drm_atomic_uapi.c
+++ b/drivers/gpu/drm/drm_atomic_uapi.c
@@ -1348,6 +1348,9 @@ static void complete_signaling(struct drm_device *dev,
if (event && (event->base.fence || event->base.file_priv)) {
drm_event_cancel_free(dev, &event->base);
crtc_state->event = NULL;
+ } else if (event) {
+ kfree(event);
+ crtc_state->event = NULL;
}
}
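Review bot: The new `else if (event)` branch in complete_signaling() frees every event that fails the `fence || file_priv` test, so the existing guard no longer keeps any event from being freed; it only selects between drm_event_cancel_free() and kfree(). If that guard exists to skip events this path does not own, the added branch frees memory that another owner will release again. Please confirm that only the prepare_signaling() error path can leave an event with neither field set in crtc_state->event here, and say so in a comment above the branch. Alternatively, free the partially initialized event in prepare_signaling() at the point where krealloc or drm_crtc_create_fence fails. The commit message also carries no Fixes: tag naming the change that introduced the leak.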
--
2.34.1