Hello, I am reporting a WARN_ON() triggered in drm_prime_destroy_file_private(), which leads to a kernel panic when panic_on_warn is enabled. The issue was observed during syzkaller-style fuzz testing.
=== Summary ===

The kernel triggers a WARNING at:

  drivers/gpu/drm/drm_prime.c:223 drm_prime_destroy_file_private()

during DRM file cleanup. With panic_on_warn enabled, this results in a kernel panic. The warning is hit while closing a DRM file descriptor from userspace.

=== Environment ===

Kernel:   6.18.0 (locally built)
Config:   PREEMPT(full), panic_on_warn=1
Arch:     x86_64
Hardware: QEMU Standard PC (i440FX + PIIX)
Workload: syz-executor (fuzzing)

=== Triggering context ===

The warning is triggered in process context during file release:

  drm_file_free
  drm_close_helper
  drm_release
  __fput
  task_work_run
  exit_to_user_mode_loop

The userspace process is a syzkaller executor (syz.0.6460).

=== Warning details ===

The kernel reports:

  WARNING: CPU: 3 PID: 28430 at drivers/gpu/drm/drm_prime.c:223 drm_prime_destroy_file_private+0x43/0x60

RIP points directly at drm_prime_destroy_file_private():

  RIP: 0010:drm_prime_destroy_file_private+0x43/0x60

The warning is followed by a panic due to panic_on_warn being set.

=== Call trace ===

  drm_prime_destroy_file_private
  drm_file_free.part.0
  drm_close_helper
  drm_release
  __fput
  task_work_run
  exit_to_user_mode_loop
  do_syscall_64
  entry_SYSCALL_64_after_hwframe

=== Observations ===

The warning appears to be triggered during cleanup of DRM PRIME-related file-private data. This suggests an unexpected state during teardown, such as:

  - double destruction,
  - missing initialization, or
  - inconsistent lifetime handling of PRIME file-private structures.

The issue is triggered reliably enough for syzkaller to detect it, but no minimal standalone reproducer is currently available.

=== Reproducer ===

No standalone reproducer is available. The issue was observed during syzkaller-style fuzzing.

=== Expected behavior ===

Closing a DRM file descriptor should not trigger WARN_ON(), even if the userspace usage pattern is malformed.

=== Actual behavior ===

A WARN_ON() is triggered in drm_prime_destroy_file_private(), and the kernel panics when panic_on_warn is enabled.

=== Notes ===

If additional logs, full kernel configuration, or further traces would be helpful, I am happy to provide them. Thanks for your time.

Reported-by: Zhi Wang
