On 10/01/2026 14:16, 王志 wrote:
Dear Maintainers,
When using our customized Syzkaller to fuzz the latest Linux kernel, the
following crash was triggered.
HEAD commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449
git tree: upstream
Output: https://github.com/manual0/crash/blob/main/report3.txt
Kernel config: https://github.com/manual0/crash/blob/main/config.txt
C reproducer: https://github.com/manual0/crash/blob/main/repro3.c
Syz reproducer: https://github.com/manual0/crash/blob/main/repro3.syz
The kernel triggered a WARNING at lib/idr.c:84 in idr_alloc. This warning is
typically triggered when the idr_alloc() function is called with a negative
start value or an invalid range that violates the IDR expectations.
The call trace indicates that the issue originates from
drm_gem_change_handle_ioctl within the DRM subsystem. This function is
attempting to allocate or change a GEM handle, and it seems to pass an invalid
parameter to the IDR allocator. This could be due to a lack of proper bounds
checking on user-supplied values in the DRM_IOCTL_GEM_FLINK or similar
handle-related IOCTLs.
If you fix this issue, please add the following tag to the commit:
I have sent a tentative fix for this, and it is a solid bug report, only
two things which you could improve:
Reported-by: Zhi Wang <[email protected]>, Bin Yu<[email protected]>, MingYu
Wang<[email protected]>, WenJian Lu<[email protected]>, KeFeng Gao<[email protected]>
1)
I don't think this is a compliant Reported-by: tag. If you want multiple
emails you need multiple tags. I couldn't be bothered and only picked
the first reporter.
2)
It would be useful if your scripts would use git blame to find the
offending commit and copy the relevant people in the report. That would
give it more chance someone actually acts on it.
Regards,
Tvrtko
------------[ cut here ]------------
WARNING: CPU: 2 PID: 13371 at lib/idr.c:84 idr_alloc+0x123/0x140
home/linux-6.18/lib/idr.c:84
Modules linked in: bochs drm_shmem_helper drm_kms_helper drm ata_generic
virtio_pci virtio_pci_legacy_dev i2c_piix4 drm_panel_orientation_quirks
pata_acpi virtio_pci_modern_dev i2c_smbus
CPU: 2 UID: 0 PID: 13371 Comm: syz.4.4127 Not tainted 6.18.0 #9
PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:idr_alloc+0x123/0x140 home/linux-6.18/lib/idr.c:84
Code: 8b 44 24 58 65 48 2b 05 83 50 c2 03 75 27 48 83 c4 60 44 89 e0 5b 5d 41 5c 41
5d 41 5e 41 5f e9 c3 a9 0b 00 e8 be 6a ba fb 90 <0f> 0b 90 41 bc ea ff ff ff eb
b2 e8 4d 0f 09 00 66 66 2e 0f 1f 84
RSP: 0018:ffff88811860fb60 EFLAGS: 00010216
RAX: 0000000000000091 RBX: 0000000080000001 RCX: ffffc90006008000
RDX: 0000000000080000 RSI: ffffffff85bbbfa2 RDI: 0000000000000005
RBP: 1ffff110230c1f6c R08: 0000000000002800 R09: ffffed10230c1f71
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000080000000
R13: ffff888104d29088 R14: ffff88810589f000 R15: 0000000000002800
FS: 00007f9ee04cf640(0000) GS:ffff88819133f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9ee1a459c0 CR3: 000000010626e000 CR4: 00000000000006f0
Call Trace:
<TASK>
drm_gem_change_handle_ioctl+0x2bf/0x4f0
home/linux-6.18/drivers/gpu/drm/drm_gem.c:988 [drm]
drm_ioctl_kernel+0x1f2/0x3e0 home/linux-6.18/drivers/gpu/drm/drm_ioctl.c:797
[drm]
drm_ioctl+0x580/0xb70 home/linux-6.18/drivers/gpu/drm/drm_ioctl.c:894 [drm]
vfs_ioctl home/linux-6.18/fs/ioctl.c:51 [inline]
__do_sys_ioctl home/linux-6.18/fs/ioctl.c:597 [inline]
__se_sys_ioctl home/linux-6.18/fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x194/0x210 home/linux-6.18/fs/ioctl.c:583
do_syscall_x64 home/linux-6.18/arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc6/0x390 home/linux-6.18/arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9ee1a9059d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6
48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48
c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9ee04cef98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f9ee1d05fa0 RCX: 00007f9ee1a9059d
RDX: 0000200000000380 RSI: 00000000c02064d2 RDI: 0000000000000003
RBP: 00007f9ee1b2e078 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9ee1d06038 R14: 00007f9ee1d05fa0 R15: 00007f9ee04af000
</TASK>
irq event stamp: 1565
hardirqs last enabled at (1575): [<ffffffff8155bd39>]
__up_console_sem+0x89/0xa0 home/linux-6.18/kernel/printk/printk.c:345
hardirqs last disabled at (1584): [<ffffffff8155bd1e>]
__up_console_sem+0x6e/0xa0 home/linux-6.18/kernel/printk/printk.c:343
softirqs last enabled at (1376): [<ffffffff813d2e09>] softirq_handle_end
home/linux-6.18/kernel/softirq.c:468 [inline]
softirqs last enabled at (1376): [<ffffffff813d2e09>]
handle_softirqs+0x509/0x760 home/linux-6.18/kernel/softirq.c:650
softirqs last disabled at (1371): [<ffffffff813d3140>] __do_softirq
home/linux-6.18/kernel/softirq.c:656 [inline]
softirqs last disabled at (1371): [<ffffffff813d3140>] invoke_softirq
home/linux-6.18/kernel/softirq.c:496 [inline]
softirqs last disabled at (1371): [<ffffffff813d3140>]
__irq_exit_rcu+0xd0/0x100 home/linux-6.18/kernel/softirq.c:723
---[ end trace 0000000000000000 ]---
Thanks,
Zhi Wang
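Tvrtko's second point, worked through as an added example (not code from the thread or from the reporter's Syzkaller setup): pull the `file:line` frames out of the symbolized trace, skip the syscall plumbing, and `git blame` each remaining frame so the report can Cc the last author. It assumes the script is run from the root of a linux git checkout (`REPO = "."`) and uses a constructed excerpt of the trace quoted above as its input.

```python
"""Added example, not code from the thread: pull file:line frames out of a kernel
oops and git-blame each one so a fuzzing report can Cc whoever last touched the code."""
import re
import subprocess
# "home/linux-6.18/drivers/gpu/drm/drm_gem.c:988 [drm]" -> ("drivers/gpu/drm/drm_gem.c", 988)
FRAME_RE = re.compile(
    r"(?:^|\s)(?:home/[^/\s]+/)?((?:[a-z0-9_-]+/)+[a-z0-9_.-]+\.[ch]):(\d+)", re.M)
# Constructed excerpt of the call trace quoted in the thread.
SAMPLE_TRACE = """\
WARNING: CPU: 2 PID: 13371 at lib/idr.c:84 idr_alloc+0x123/0x140
home/linux-6.18/lib/idr.c:84
Call Trace:
drm_gem_change_handle_ioctl+0x2bf/0x4f0
home/linux-6.18/drivers/gpu/drm/drm_gem.c:988 [drm]
drm_ioctl_kernel+0x1f2/0x3e0 home/linux-6.18/drivers/gpu/drm/drm_ioctl.c:797
vfs_ioctl home/linux-6.18/fs/ioctl.c:51 [inline]
"""

def extract_frames(trace, skip=("arch/", "fs/ioctl.c")):
    """Unique (path, line) pairs in trace order; syscall plumbing under `skip` is dropped."""
    frames = []
    for m in FRAME_RE.finditer(trace):
        frame = (m.group(1), int(m.group(2)))
        if frame not in frames and not frame[0].startswith(skip):
            frames.append(frame)
    return frames

def parse_porcelain(text):
    """Parse one-line `git blame --porcelain` output into (sha, author, author-mail)."""
    header, *rest = text.splitlines()
    fields = {}
    for ln in rest:
        if ln.startswith("\t"):  # the source line itself ends the header block
            break
        key, _, value = ln.partition(" ")
        fields[key] = value
    return header.split(" ")[0], fields.get("author"), fields.get("author-mail")

def blame_frame(repo, path, line):
    """Run git blame on a single line of `path` inside the checkout at `repo`."""
    out = subprocess.run(["git", "-C", repo, "blame", "--porcelain", "-L", f"{line},{line}",
                          "--", path], capture_output=True, text=True, check=True).stdout
    return parse_porcelain(out)

if __name__ == "__main__":
    REPO = "."  # assumption: run from the root of a linux git checkout
    for path, line in extract_frames(SAMPLE_TRACE):
        sha, author, mail = blame_frame(REPO, path, line)
        print(f"{path}:{line}  last touched by {sha[:12]}  Cc: {author} {mail}")
```

The blamed commit is only a starting point for who to Cc; `scripts/get_maintainer.pl -f <path>` in the same checkout gives the subsystem maintainers and lists to add alongside.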