From: syzbot <syzbot+c9f3062e1f1e68af836a@syzkaller.appspotmail.com>
To: airlied@gmail.com, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com,
mripard@kernel.org, simona@ffwll.ch,
syzkaller-bugs@googlegroups.com, tzimmermann@suse.de
Subject: Re: [syzbot] [dri?] WARNING in drm_crtc_wait_one_vblank
Date: Mon, 23 Feb 2026 14:25:30 -0800 [thread overview]
Message-ID: <699cd3da.a00a0220.121a60.00f1.GAE@google.com> (raw)
In-Reply-To: <694c864d.050a0220.35954c.002e.GAE@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 6de23f81a5e0 Linux 7.0-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1240455a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d91443204e48b7a1
dashboard link: https://syzkaller.appspot.com/bug?extid=c9f3062e1f1e68af836a
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14ffc152580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=147dd9e6580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8c986068e2b3/disk-6de23f81.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/15bbf2602cdc/vmlinux-6de23f81.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5e9cae7959ff/bzImage-6de23f81.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c9f3062e1f1e68af836a@syzkaller.appspotmail.com
------------[ cut here ]------------
faux_driver vkms: [drm] vblank wait timed out on crtc 0
WARNING: drivers/gpu/drm/drm_vblank.c:1320 at drm_crtc_wait_one_vblank+0x357/0x500 drivers/gpu/drm/drm_vblank.c:1320, CPU#0: kworker/0:4/5856
Modules linked in:
CPU: 0 UID: 0 PID: 5856 Comm: kworker/0:4 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: events drm_fb_helper_damage_work
RIP: 0010:drm_crtc_wait_one_vblank+0x4b6/0x500 drivers/gpu/drm/drm_vblank.c:1320
Code: e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ef e8 8a d9 d4 fc 4d 8b 7d 00 48 89 df 4c 89 e6 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 48 8b 3c 24 44 89 f6 e8 e9 f4 ff ff b8 92 ff ff ff
RSP: 0018:ffffc90004b878e0 EFLAGS: 00010246
RAX: 1ffff11004a21800 RBX: ffffffff8f7504f0 RCX: 0000000000000000
RDX: ffffffff8bbf2ce0 RSI: ffffffff8bc0ebe0 RDI: ffffffff8f7504f0
RBP: ffffc90004b879c8 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1ed44b7 R12: ffffffff8bc0ebe0
R13: ffff88802510c000 R14: 0000000000000000 R15: ffffffff8bbf2ce0
FS: 0000000000000000(0000) GS:ffff888126343000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3c5d8c9d40 CR3: 00000000247e0000 CR4: 00000000003526f0
Call Trace:
<TASK>
drm_client_modeset_wait_for_vblank+0xc5/0xf0 drivers/gpu/drm/drm_client_modeset.c:1330
drm_fb_helper_fb_dirty drivers/gpu/drm/drm_fb_helper.c:236 [inline]
drm_fb_helper_damage_work+0x131/0x6f0 drivers/gpu/drm/drm_fb_helper.c:274
process_one_work kernel/workqueue.c:3275 [inline]
process_scheduled_works+0xb02/0x1830 kernel/workqueue.c:3358
worker_thread+0xa50/0xfc0 kernel/workqueue.c:3439
kthread+0x388/0x470 kernel/kthread.c:467
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
----------------
Code disassembly (best guess):
0: e8 03 48 b9 00 call 0xb94808
5: 00 00 add %al,(%rax)
7: 00 00 add %al,(%rax)
9: fc cld
a: ff lcall (bad)
b: df 80 3c 08 00 74 filds 0x7400083c(%rax)
11: 08 4c 89 ef or %cl,-0x11(%rcx,%rcx,4)
15: e8 8a d9 d4 fc call 0xfcd4d9a4
1a: 4d 8b 7d 00 mov 0x0(%r13),%r15
1e: 48 89 df mov %rbx,%rdi
21: 4c 89 e6 mov %r12,%rsi
24: 4c 89 fa mov %r15,%rdx
27: 44 89 f1 mov %r14d,%ecx
* 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2f: 48 8b 3c 24 mov (%rsp),%rdi
33: 44 89 f6 mov %r14d,%esi
36: e8 e9 f4 ff ff call 0xfffff524
3b: b8 92 ff ff ff mov $0xffffff92,%eax
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
prev parent reply other threads:[~2026-02-23 22:25 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-25 0:33 [syzbot] [dri?] WARNING in drm_crtc_wait_one_vblank syzbot
2026-02-23 22:25 ` syzbot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=699cd3da.a00a0220.121a60.00f1.GAE@google.com \
--to=syzbot+c9f3062e1f1e68af836a@syzkaller.appspotmail.com \
--cc=airlied@gmail.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=simona@ffwll.ch \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.