Re: [PATCH] drm/gem: fix warning in idr_alloc due to unvalidated user handle

From: 王明煜

Date: Thu Jun 04 2026 - 23:07:08 EST


Hi maintainers,

Just a gentle ping on this patch. It fixes a WARN triggered during fuzzing when negative user handles are passed.

Please let me know if it needs any revisions or if there is anything else I can do to help move it forward.

Thanks,
Mingyu


> -----Original Message-----
> From: "Mingyu Wang" <25181214217@xxxxxxxxxxxxxxxxx>
> Sent: 2026-04-22 19:42:47 (Wednesday)
> To: maarten.lankhorst@xxxxxxxxxxxxxxx, mripard@xxxxxxxxxx, tzimmermann@xxxxxxx, airlied@xxxxxxxxx, simona@xxxxxxxx
> Cc: dri-devel@xxxxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, "Mingyu Wang" <25181214217@xxxxxxxxxxxxxxxxx>
> Subject: [PATCH] drm/gem: fix warning in idr_alloc due to unvalidated user handle
>
> During fuzzing, a warning was triggered in idr_alloc() when handling
> the DRM_IOCTL_GEM_CHANGE_HANDLE (or similar) ioctl.
>
> The function drm_gem_change_handle_ioctl() currently only checks if
> args->new_handle is strictly greater than INT_MAX. However, it fails
> to check for negative values. If a userspace application passes a
> negative handle, it bypasses the upper-bound check and is passed
> directly to idr_alloc() as the 'start' parameter, triggering the
> WARN_ON_ONCE(start < 0) inside idr_alloc().
>
> Fix this by explicitly validating that the user-provided handle is
> strictly positive and within the valid IDR range.
>
> Signed-off-by: Mingyu Wang <25181214217@xxxxxxxxxxxxxxxxx>
> ---
> drivers/gpu/drm/drm_gem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index d6424267260b..3d84d4f1c3e0 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -1026,7 +1026,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
> return -EOPNOTSUPP;
>
> /* idr_alloc() limitation. */
> - if (args->new_handle > INT_MAX)
> + if (args->new_handle <= 0 || args->new_handle > INT_MAX)
> return -EINVAL;
> handle = args->new_handle;
>
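Review bot: the new `<= 0` term on the '+' line and the commit message's explanation do not fit the same declaration of args->new_handle, and the hunk does not show which one applies. If the field is unsigned (a __u32 or __u64 UAPI field), `args->new_handle > INT_MAX` already rejects every bit pattern that would become negative when stored in an int, so `<= 0` can only reject 0 and the "negative handle bypasses the upper-bound check" story in the commit message cannot be the trigger; if the field is signed, `> INT_MAX` can never be true, the old check was a no-op, and the commit message should say so. Please state the field's type in the commit message and describe the input that actually produced the WARN, and name the exact ioctl instead of "DRM_IOCTL_GEM_CHANGE_HANDLE (or similar)". Two smaller points: rejecting new_handle == 0 is a user-visible behaviour change that deserves a sentence, and the `/* idr_alloc() limitation. */` comment above the check no longer describes the whole condition, so extend it to cover why 0 is refused as well.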
> --
> 2.34.1
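Added example, not code from the patch or from drivers/gpu/drm/drm_gem.c: a user-space model of the range check this patch edits, run against a mock of the `WARN_ON_ONCE(start < 0)` guard in idr_alloc() over the boundary values a fuzzer reaches. It shows what the old and the new condition each reject for an unsigned field, and under which (assumed, hypothetical) signed declaration a negative value actually reaches idr_alloc() as `start`. Assumptions not taken from the patch: args->new_handle is a __u32 UAPI field, the local `handle` is an int, and the ioctl later calls idr_alloc() with `handle` and `handle + 1` as the range; `mock_idr_alloc`, `end_after`, `check_before`, `check_after` and `check_signed_field` are names chosen here.

```c
/* Added example, not code from the patch or the kernel.  Models the range
 * check in drm_gem_change_handle_ioctl() and the idr_alloc() guard it must
 * satisfy.  Build: cc -std=c11 -Wall handle_check.c
 *
 * Assumptions (the patch does not show them): args->new_handle is a __u32
 * UAPI field, the local `handle` is an int, and the ioctl later calls
 * idr_alloc(..., handle, handle + 1, ...). */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Counts how often the mock hit the kernel's WARN_ON_ONCE(start < 0). */
static int idr_warn_count;

/* Mock of the two idr_alloc() behaviours that matter here: a negative start
 * is a caller bug (the WARN the commit message reports) and end <= 0 means
 * "no upper limit".  Returns the allocated id or a negative errno. */
static int mock_idr_alloc(int start, int end)
{
	if (start < 0) {
		idr_warn_count++;
		return -EINVAL;
	}
	if (end > 0 && start >= end)
		return -ENOSPC;
	return start;
}

/* end = handle + 1 in unsigned arithmetic, so INT_MAX + 1 is not signed
 * overflow; it wraps to a non-positive int, i.e. "no upper limit". */
static int end_after(int handle)
{
	return (int)((uint32_t)handle + 1u);
}

/* The check as it read before the patch (the hunk's '-' line). */
static int check_before(uint32_t new_handle)
{
	int handle;

	if (new_handle > INT_MAX)	/* INT_MAX is converted to unsigned */
		return -EINVAL;
	handle = (int)new_handle;	/* <= INT_MAX, so never negative */
	return mock_idr_alloc(handle, end_after(handle));
}

/* The check as the patch rewrites it (the hunk's '+' line).  With an
 * unsigned field the added `<= 0` term can only reject 0. */
static int check_after(uint32_t new_handle)
{
	int handle;

	if (new_handle <= 0 || new_handle > INT_MAX)
		return -EINVAL;
	handle = (int)new_handle;
	return mock_idr_alloc(handle, end_after(handle));
}

/* Hypothetical signed declaration: this is the only way a negative value
 * reaches idr_alloc() as `start`, because `> INT_MAX` is then always
 * false and only the patch's `<= 0` term (patched != 0) stops it. */
static int check_signed_field(int32_t new_handle, int patched)
{
	int handle;

	if ((int64_t)new_handle > INT_MAX)	/* never true for an int32 */
		return -EINVAL;
	if (patched && new_handle <= 0)
		return -EINVAL;
	handle = new_handle;
	return mock_idr_alloc(handle, end_after(handle));
}

/* Prints what one check did with one value and whether idr WARNed. */
static void report(const char *name, int (*fn)(uint32_t), uint32_t v)
{
	int before = idr_warn_count;
	int ret = fn(v);

	printf("%-7s 0x%08x -> %11d%s\n", name, v, ret,
	       idr_warn_count != before ? "  (idr WARN)" : "");
}

int main(void)
{
	/* Constructed boundary inputs: 0, 1, INT_MAX, INT_MAX + 1, UINT32_MAX. */
	const uint32_t cases[] = { 0, 1, INT_MAX, 0x80000000u, UINT32_MAX };

	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		report("before", check_before, cases[i]);
		report("after", check_after, cases[i]);
	}
	printf("signed -1 unpatched -> %d (WARN count %d)\n",
	       check_signed_field(-1, 0), idr_warn_count);
	printf("signed -1 patched   -> %d (WARN count %d)\n",
	       check_signed_field(-1, 1), idr_warn_count);
	return 0;
}
```

Running it shows that for an unsigned field neither version of the check ever lets a negative `start` through, the only difference being that 0 is now refused; the WARN counter moves only in the hypothetical signed case, which is the scenario the commit message's wording describes.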