Date: Wed, 20 May 2026 19:19:47 -0700
In-Reply-To: <20260521-virtio-gpu_wait_event-v2-1-5796b3a71d03@redhat.com>
Message-ID: <6a0e6bc3.170a0220.303405.4ce1.GAE@google.com>
Subject: Re: [PATCH v2] drm/virtio: abort virtqueue wait on device removal to avoid hung task
From: syzbot
To: ryasuoka@redhat.com
Cc: airlied@redhat.com, dmitry.osipenko@collabora.com, dri-devel@lists.freedesktop.org, gurchetansingh@chromium.org, kraxel@redhat.com, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, mripard@kernel.org, olvaffe@gmail.com, ryasuoka@redhat.com, simona@ffwll.ch, tzimmermann@suse.de, virtualization@lists.linux.dev

> virtio_gpu_queue_ctrl_sgs() and virtio_gpu_queue_cursor() use
> wait_event() without any abort condition when waiting for virtqueue
> space. If the host device stops processing commands, these waits block
> indefinitely inside a drm_dev_enter/exit() critical section. Since
> drm_dev_unplug(), which is called in device removal and system shutdown
> call path, blocks on synchronize_srcu() until all critical sections
> complete, device removal and system shutdown also hang.
>
> Add a vqs_released flag to virtio_gpu_device and include it in the
> wait_event() condition. Set the flag and wake up both queues in a new
> virtio_gpu_release_vqs() helper, called before drm_dev_unplug() in both
> virtio_gpu_remove() and virtio_gpu_shutdown(). When the flag is set, the
> wait returns immediately and the command is aborted, following the same
> cleanup path as drm_dev_enter() failure.
>
> Reported-by: syzbot+d6dd6f86d3aaf7eebe7406e45c1c6e549453f224@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?id=d6dd6f86d3aaf7eebe7406e45c1c6e549453f224
> Reported-by: syzbot+908bd910da5dd79b88de4cf7baf376cc873a922e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?id=908bd910da5dd79b88de4cf7baf376cc873a922e
> Signed-off-by: Ryosuke Yasuoka > --- > Changes in v2: > - Update the commit message. > - Replace wait_event_timeout() with wait_event() using a compound > condition that includes a new vqs_released flag. > - Add virtio_gpu_release_vqs() helper to set the flag and wake up > both queues, called before drm_dev_unplug() in remove and shutdown > paths. > - Remove the hardcoded 5-second timeout. Recovery is now driven by > the driver flag instead of an arbitrary timeout value. > --- > drivers/gpu/drm/virtio/virtgpu_drv.c | 15 +++++++++++++++ > drivers/gpu/drm/virtio/virtgpu_drv.h | 1 + > drivers/gpu/drm/virtio/virtgpu_vq.c | 23 +++++++++++++++++++++-- > 3 files changed, 37 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.c b/drivers/gpu/drm/virtio/virtgpu_drv.c > index a5ce96fb8a1d..e4fe5e0780f9 100644 > --- a/drivers/gpu/drm/virtio/virtgpu_drv.c > +++ b/drivers/gpu/drm/virtio/virtgpu_drv.c > @@ -119,10 +119,24 @@ static int virtio_gpu_probe(struct virtio_device *vdev) > return ret; > } > > +/* > + * Release pending virtqueue waits so the drm_dev_enter/exit() critical > + * sections complete before drm_dev_unplug() blocks on synchronize_srcu(). > + */ > +static void virtio_gpu_release_vqs(struct drm_device *dev) > +{ > + struct virtio_gpu_device *vgdev = dev->dev_private; > + > + vgdev->vqs_released = true; > + wake_up_all(&vgdev->ctrlq.ack_queue); > + wake_up_all(&vgdev->cursorq.ack_queue); > +} > + > static void virtio_gpu_remove(struct virtio_device *vdev) > { > struct drm_device *dev = vdev->priv; > > + virtio_gpu_release_vqs(dev); > drm_dev_unplug(dev); > drm_atomic_helper_shutdown(dev); > virtio_gpu_deinit(dev); > @@ -133,6 +147,7 @@ static void virtio_gpu_shutdown(struct virtio_device *vdev) > { > struct drm_device *dev = vdev->priv; > > + virtio_gpu_release_vqs(dev); > /* stop talking to the device */ > drm_dev_unplug(dev); > } 
> diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h > index f17660a71a3e..0bd69a40857e 100644 > --- a/drivers/gpu/drm/virtio/virtgpu_drv.h > +++ b/drivers/gpu/drm/virtio/virtgpu_drv.h > @@ -235,6 +235,7 @@ struct virtio_gpu_device { > > struct virtio_gpu_queue ctrlq; > struct virtio_gpu_queue cursorq; > + bool vqs_released; > struct kmem_cache *vbufs; > > atomic_t pending_commands; > diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c > index 67865810a2e7..8057a9b7356d 100644 > --- a/drivers/gpu/drm/virtio/virtgpu_vq.c > +++ b/drivers/gpu/drm/virtio/virtgpu_vq.c > @@ -396,7 +396,19 @@ static int virtio_gpu_queue_ctrl_sgs(struct virtio_gpu_device *vgdev, > if (vq->num_free < elemcnt) { > spin_unlock(&vgdev->ctrlq.qlock); > virtio_gpu_notify(vgdev); > - wait_event(vgdev->ctrlq.ack_queue, vq->num_free >= elemcnt); > + wait_event(vgdev->ctrlq.ack_queue, > + vq->num_free >= elemcnt || vgdev->vqs_released); > + /* > + * Set by virtio_gpu_release_vqs() to unblock > + * synchronize_srcu() wait in drm_dev_unplug(). > + */ > + if (vgdev->vqs_released) { > + if (fence && vbuf->objs) > + virtio_gpu_array_unlock_resv(vbuf->objs); > + free_vbuf(vgdev, vbuf); > + drm_dev_exit(idx); > + return -ENODEV; > + } > goto again; > } 
> > @@ -566,7 +578,14 @@ static void virtio_gpu_queue_cursor(struct virtio_gpu_device *vgdev, > ret = virtqueue_add_sgs(vq, sgs, outcnt, 0, vbuf, GFP_ATOMIC); > if (ret == -ENOSPC) { > spin_unlock(&vgdev->cursorq.qlock); > - wait_event(vgdev->cursorq.ack_queue, vq->num_free >= outcnt); > + wait_event(vgdev->cursorq.ack_queue, > + vq->num_free >= outcnt || vgdev->vqs_released); > + /* See comment in virtio_gpu_queue_ctrl_sgs(). */ > + if (vgdev->vqs_released) { > + free_vbuf(vgdev, vbuf); > + drm_dev_exit(idx); > + return; > + } > spin_lock(&vgdev->cursorq.qlock); > goto retry; > } else { > > --- > base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8 > change-id: 20260518-virtio-gpu_wait_event-5aa060754f12 > > Best regards, > -- > Ryosuke Yasuoka > I see the command but can't find the corresponding bug. The email is sent to syzbot+HASH@syzkaller.appspotmail.com address but the HASH does not correspond to any known bug. Please double check the address.
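
Review bot: In virtio_gpu_release_vqs() (virtgpu_drv.c, first hunk), `vgdev->vqs_released = true;` is a plain store to a field that the waiters in virtgpu_vq.c read without holding any lock, both inside the wait_event() condition and in the `if (vgdev->vqs_released)` check that follows it. Setting the flag before wake_up_all() is the right order for wait_event(), but using WRITE_ONCE() here and READ_ONCE() on the reader side would document that the access is intentionally lockless and keep KCSAN quiet. The flag is also never cleared in the visible code; a one-line comment on the `bool vqs_released;` member in virtgpu_drv.h saying it is set once on remove/shutdown and stays set would save the next reader from looking for a reset.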
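
Review bot: The abort branch added after wait_event() in virtio_gpu_queue_ctrl_sgs() open-codes the unwind (`virtio_gpu_array_unlock_resv()`, `free_vbuf()`, `drm_dev_exit(idx)`, `return -ENODEV`) that the commit message says matches the drm_dev_enter() failure path. Two hand-maintained copies tend to drift apart; consider a shared error label or a small helper so that both exits run the same cleanup. The comment should also state that the branch is taken even when `vq->num_free >= elemcnt` became true at the same time, so a command that could have been queued is dropped once removal has started, and that qlock has already been released at this point, since the return sits between `spin_unlock()` and `goto again`.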
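
Review bot: In virtio_gpu_queue_cursor() the new early `return` drops the cursor command with no indication to the caller, because the function returns void, and nothing is logged. If silent loss during removal is intended, say so in the comment rather than only pointing to virtio_gpu_queue_ctrl_sgs(), whose abort path differs (it returns -ENODEV and unlocks the reservation objects). The return is placed between `spin_unlock()` and the re-taken `spin_lock()`, so qlock is not held on exit; a short note to that effect would make the locking easier to verify.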