CVE-2026-52966

In the Linux kernel, the following vulnerability has been resolved:

drm: Replace old pointer to new idr

Commit 5e28b7b94408 introduced a logical error by failing to replace the newly generated IDR pointer to old id's pointer at the correct location within the "change handle" logic; this resulted in the issue reported by syzbot [1].

Specifically, the new IDR object pointer is intended to replace the original id's pointer during the normal execution flow.

Additionally, an unnecessary conditional check for the ret exit path has been removed.

[1] !RB EMPTY ROOT(&prime fpriv->dmabufs) WARNING: drivers/gpu/drm/drm prime.c:224 at drm prime destroy file private+0x48/0x60 drivers/gpu/drm/drm prime.c:224, CPU#0: syz.0.17/5833 Call Trace: drm file free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm file.c:269 drm file free drivers/gpu/drm/drm file.c:237 [inline] drm close helper.isra.0+0x186/0x200 drivers/gpu/drm/drm file.c:290 drm release+0x1ab/0x360 drivers/gpu/drm/drm file.c:438