From 05602d53a410a41c5149af13fd816dbfaa2ae360 Mon Sep 17 00:00:00 2001
From: jsg <jsg@openbsd.org>
Date: Wed, 10 Jun 2026 00:00:03 +0000
Subject: [PATCH] drm/gem: fix race between change_handle and handle_delete

From Zhenghang Xiao
0dfa42cfe4dbe114533480503934f43e33c1e83d in linux-6.18.y/6.18.35
7164d78559b0ff29931a366a840a9e5dd53d4b7c in mainline linux
---
 sys/dev/pci/drm/drm_gem.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/dev/pci/drm/drm_gem.c b/sys/dev/pci/drm/drm_gem.c
index d81baecd18c..49d832d5294 100644
--- a/sys/dev/pci/drm/drm_gem.c
+++ b/sys/dev/pci/drm/drm_gem.c
@@ -1207,6 +1207,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
 	       goto out_unlock;
        }
 
+	idr_replace(&file_priv->object_idr, NULL, args->handle);
 	spin_unlock(&file_priv->table_lock);
 
 	if (obj->dma_buf) {
@@ -1215,6 +1216,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
 		if (ret < 0) {
 			spin_lock(&file_priv->table_lock);
 			idr_remove(&file_priv->object_idr, handle);
+			idr_replace(&file_priv->object_idr, obj, args->handle);
 			spin_unlock(&file_priv->table_lock);
 			goto out_unlock;
 		}