Re: [PATCH v2] drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()

[Tvrtko Ursulin]

On 26/01/2026 09:02, Christian König wrote:

On 1/23/26 15:15, Tvrtko Ursulin wrote:

Since GEM bo handles are u32 in the uapi and the internal implementation
uses idr_alloc() which uses int ranges, passing a new handle larger than
INT_MAX trivially triggers a kernel warning:

idr_alloc():
...
        if (WARN_ON_ONCE(start < 0))
                return -EINVAL;
...

Fix it by rejecting new handles above INT_MAX and at the same time make
the end limit calculation more obvious by moving into int domain.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursu...@igalia.com>
Reported-by: Zhi Wang <wang...@stu.xidian.edu.cn>
Fixes: 53096728b891 ("drm: Add DRM prime interface to reassign GEM handle")
Cc: David Francis <david.fran...@amd.com>
Cc: Felix Kuehling <felix.kuehl...@amd.com>
Cc: Christian König <christian.koe...@amd.com>
Cc: <sta...@vger.kernel.org> # v6.18+

Reviewed-by: Christian König <christian.koe...@amd.com>

Pushed to drm-misc-fixes, thank you!

Regards,

Tvrtko

---
v2:
  * Rename local variable, re-position comment, drop the else block. (Christian)
  * Use local at more places.
---
  drivers/gpu/drm/drm_gem.c | 18 ++++++++++++------
  1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
index 7ff6b7bbeb73..ffa7852c8f6c 100644
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -1001,16 +1001,21 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, 
void *data,
  {
        struct drm_gem_change_handle *args = data;
        struct drm_gem_object *obj;
-       int ret;
+       int handle, ret;

if (!drm_core_check_feature(dev, DRIVER_GEM))

                return -EOPNOTSUPP;

+ /* idr_alloc() limitation. */

+       if (args->new_handle > INT_MAX)
+               return -EINVAL;
+       handle = args->new_handle;
+
        obj = drm_gem_object_lookup(file_priv, args->handle);
        if (!obj)
                return -ENOENT;

- if (args->handle == args->new_handle) {

+       if (args->handle == handle) {
                ret = 0;
                goto out;
        }
@@ -1018,18 +1023,19 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, 
void *data,
        mutex_lock(&file_priv->prime.lock);

spin_lock(&file_priv->table_lock);

-       ret = idr_alloc(&file_priv->object_idr, obj,
-               args->new_handle, args->new_handle + 1, GFP_NOWAIT);
+       ret = idr_alloc(&file_priv->object_idr, obj, handle, handle + 1,
+                       GFP_NOWAIT);
        spin_unlock(&file_priv->table_lock);

if (ret < 0)

                goto out_unlock;

if (obj->dma_buf) {

-               ret = drm_prime_add_buf_handle(&file_priv->prime, obj->dma_buf, 
args->new_handle);
+               ret = drm_prime_add_buf_handle(&file_priv->prime, obj->dma_buf,
+                                              handle);
                if (ret < 0) {
                        spin_lock(&file_priv->table_lock);
-                       idr_remove(&file_priv->object_idr, args->new_handle);
+                       idr_remove(&file_priv->object_idr, handle);
                        spin_unlock(&file_priv->table_lock);
                        goto out_unlock;
                }