On 11/25/25 11:28, Jan Sokolowski wrote:
> drm_file's object_idr uses 1 as base value, which can cause id
> mismatch when trying to use DRM_IOCTL_GEM_CHANGE_HANDLE
> to change id from 1 to 0.
>
> Disallow 0 as new handle in that ioctl.
>
> Fixes: 53096728b891 ("drm: Add DRM prime interface to reassign GEM handle")
> Signed-off-by: Jan Sokolowski <[email protected]>
> Cc: David Francis <[email protected]>
> Cc: Maarten Lankhorst <[email protected]>
> Cc: Maxime Ripard <[email protected]>
> Cc: Thomas Zimmermann <[email protected]>
> Cc: David Airlie <[email protected]>
> Cc: Simona Vetter <[email protected]>
> Cc: "Christian König" <[email protected]>
> Cc: Felix Kuehling <[email protected]>
> Cc: Lucas De Marchi <[email protected]>
> ---
> drivers/gpu/drm/drm_gem.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index 68168d58a7c8..2a49a8e396fa 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -975,6 +975,10 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev,
> void *data,
> if (args->handle == args->new_handle)
> return 0;
>
> + /* As the idr base is 1, trying to set handle 0 will create id mismatch
> */
> + if (args->new_handle == 0)
> + return 0;
That would need to return -EINVAL or some other error code.
But I'm wondering why that is necessary at all? Doesn't idr_alloc() return an
error when you try to allocate handle 0?
Regards,
Christian.
> +
> mutex_lock(&file_priv->prime.lock);
>
> spin_lock(&file_priv->table_lock);
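Review bot: the added `if (args->new_handle == 0) return 0;` reports success for a request the ioctl silently refuses, so userspace cannot tell that the handle was never changed; this check should return an error (for example `-EINVAL`), and ideally sit with the other argument validation rather than between the `handle == new_handle` early return and the lock acquisition. The comment above it also wraps its closing `*/` onto a separate line, which reads as a mailer line-wrap; keep it on one line and, since the stated reason is that the idr base is 1, consider saying that handle 0 is never a valid handle in this idr rather than that it "will create id mismatch".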