* [syzbot] [dri?] [media?] WARNING in dma_resv_add_fence
@ 2026-05-07 23:35 syzbot
2026-05-08 0:26 ` Hillf Danton
2026-05-10 4:55 ` Forwarded: [PATCH] drm/virtio: check virtio_gpu_array_lock_resv() return in cursor update syzbot
0 siblings, 2 replies; 4+ messages in thread
From: syzbot @ 2026-05-07 23:35 UTC (permalink / raw)
To: christian.koenig, dri-devel, linaro-mm-sig, linux-kernel,
linux-media, sumit.semwal, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: fcee7d82f27d Merge tag 'net-7.1-rc3' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1107ddba580000
kernel config: https://syzkaller.appspot.com/x/.config?x=59da38148f3a3d24
dashboard link: https://syzkaller.appspot.com/bug?extid=72bd3dd3a5d5f39a0271
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13dfca73980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1599bb26580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-fcee7d82.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a5dee9aef2ac/vmlinux-fcee7d82.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7b1a8dd09a15/bzImage-fcee7d82.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+72bd3dd3a5d5f39a0271@syzkaller.appspotmail.com
R13: 00007f7755215fac R14: 00007f7755215fa0 R15: 00007f7755215fa0
</TASK>
------------[ cut here ]------------
debug_locks && !(lock_is_held(&(&(obj)->lock.base)->dep_map) != 0)
WARNING: drivers/dma-buf/dma-resv.c:296 at dma_resv_add_fence+0x71e/0x840 drivers/dma-buf/dma-resv.c:296, CPU#2: syz.0.17/5919
Modules linked in:
CPU: 2 UID: 0 PID: 5919 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:dma_resv_add_fence+0x71e/0x840 drivers/dma-buf/dma-resv.c:296
Code: 44 24 08 be ff ff ff ff 48 8d 78 60 e8 db 3b 33 05 31 ff 89 c3 89 c6 e8 e0 58 b1 fb 85 db 0f 85 26 fa ff ff e8 23 5e b1 fb 90 <0f> 0b 90 e9 18 fa ff ff e8 15 5e b1 fb be 03 00 00 00 4c 89 e7 e8
RSP: 0018:ffffc9000448f168 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff865734f0
RDX: ffff8880261ea500 RSI: ffffffff865734fd RDI: ffff8880261ea500
RBP: ffff88802d439f70 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802d439f00
R13: ffff88802d439f00 R14: 1ffff92000891e39 R15: ffff88802853e800
FS: 00005555690ac500(0000) GS:ffff8880d6572000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32a63fff CR3: 000000003fb78000 CR4: 0000000000352ef0
Call Trace:
<TASK>
virtio_gpu_array_add_fence+0xcd/0x140 drivers/gpu/drm/virtio/virtgpu_gem.c:257
virtio_gpu_queue_ctrl_sgs drivers/gpu/drm/virtio/virtgpu_vq.c:410 [inline]
virtio_gpu_queue_fenced_ctrl_buffer+0x578/0xfb0 drivers/gpu/drm/virtio/virtgpu_vq.c:500
virtio_gpu_cursor_plane_update+0x411/0xbc0 drivers/gpu/drm/virtio/virtgpu_plane.c:463
drm_atomic_helper_commit_planes+0x497/0xf10 drivers/gpu/drm/drm_atomic_helper.c:3038
drm_atomic_helper_commit_tail+0x7f/0x130 drivers/gpu/drm/drm_atomic_helper.c:1989
commit_tail+0x338/0x430 drivers/gpu/drm/drm_atomic_helper.c:2074
drm_atomic_helper_commit+0x303/0x380 drivers/gpu/drm/drm_atomic_helper.c:2312
drm_atomic_commit+0x230/0x300 drivers/gpu/drm/drm_atomic.c:1789
drm_atomic_helper_update_plane+0x314/0x400 drivers/gpu/drm/drm_atomic_helper.c:3438
__setplane_atomic+0x22d/0x350 drivers/gpu/drm/drm_plane.c:1101
drm_mode_cursor_universal+0x5e9/0xe20 drivers/gpu/drm/drm_plane.c:1256
drm_mode_cursor_common+0x308/0x970 drivers/gpu/drm/drm_plane.c:1315
drm_mode_cursor_ioctl+0xd4/0x110 drivers/gpu/drm/drm_plane.c:1365
drm_ioctl_kernel+0x1f3/0x3e0 drivers/gpu/drm/drm_ioctl.c:804
drm_ioctl+0x5e6/0xc60 drivers/gpu/drm/drm_ioctl.c:901
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7754f9cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd0c03a0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f7755215fa0 RCX: 00007f7754f9cdd9
RDX: 0000200000000100 RSI: 00000000c01c64a3 RDI: 0000000000000003
RBP: 00007ffd0c03a120 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007f7755215fac R14: 00007f7755215fa0 R15: 00007f7755215fa0
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [dri?] [media?] WARNING in dma_resv_add_fence
From: Hillf Danton @ 2026-05-08 0:26 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Thu, 07 May 2026 16:35:21 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: fcee7d82f27d Merge tag 'net-7.1-rc3' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1107ddba580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=59da38148f3a3d24
> dashboard link: https://syzkaller.appspot.com/bug?extid=72bd3dd3a5d5f39a0271
> compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13dfca73980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1599bb26580000
#syz test
--- x/drivers/gpu/drm/virtio/virtgpu_gem.c
+++ y/drivers/gpu/drm/virtio/virtgpu_gem.c
@@ -252,10 +252,21 @@ void virtio_gpu_array_add_fence(struct v
struct dma_fence *fence)
{
int i;
+ int ret;
+
+ if (objs->nents == 1) {
+ ret = dma_resv_lock_interruptible(objs->objs[0]->resv, NULL);
+ } else {
+ ret = drm_gem_lock_reservations(objs->objs, objs->nents, &objs->ticket);
+ }
+ if (ret)
+ return;
for (i = 0; i < objs->nents; i++)
dma_resv_add_fence(objs->objs[i]->resv, fence,
DMA_RESV_USAGE_WRITE);
+
+ virtio_gpu_array_unlock_resv(objs);
}
void virtio_gpu_array_put_free(struct virtio_gpu_object_array *objs)
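Review bot: in virtio_gpu_array_add_fence(), the new `if (ret) return;` drops the fence silently, because the function returns void and the caller cannot tell that no fence was attached to the objects. The added code also takes only the reservation lock and never reserves a fence slot before dma_resv_add_fence(), and it locks and unlocks unconditionally, so a caller that already holds the lock from virtio_gpu_array_lock_resv() would try to take it a second time here and then have it released by the trailing virtio_gpu_array_unlock_resv(). Consider leaving this function lock-free and fixing the caller that reaches it without the lock, or changing the return type so the failure can be propagated.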
--
* Re: [syzbot] [dri?] [media?] WARNING in dma_resv_add_fence
From: syzbot @ 2026-05-08 0:48 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
lost connection to test machine
Tested on:
commit: fcee7d82 Merge tag 'net-7.1-rc3' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=145040ec580000
kernel config: https://syzkaller.appspot.com/x/.config?x=59da38148f3a3d24
dashboard link: https://syzkaller.appspot.com/bug?extid=72bd3dd3a5d5f39a0271
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=12956636580000
* Forwarded: [PATCH] drm/virtio: check virtio_gpu_array_lock_resv() return in cursor update
From: syzbot @ 2026-05-10 4:55 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] drm/virtio: check virtio_gpu_array_lock_resv() return in cursor update
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
virtio_gpu_cursor_plane_update() calls virtio_gpu_array_lock_resv()
but ignores its return value. The function can fail in two ways:
- dma_resv_lock_interruptible() returns -ERESTARTSYS when a signal
is delivered while waiting for the reservation lock.
- dma_resv_reserve_fences() returns -ENOMEM if it fails to allocate
a fence slot; in this case lock_resv unlocks before returning.
In both cases the resv lock is not held on return. The cursor path
proceeds to queue a fenced transfer command. The queue path then
walks the object array and calls dma_resv_add_fence() on the cursor
BO's reservation. dma_resv_add_fence() requires the resv lock to be
held; with lockdep enabled the missing lock trips
dma_resv_assert_held():
WARNING: drivers/dma-buf/dma-resv.c:296 at dma_resv_add_fence+0x71e/0x840
Call Trace:
virtio_gpu_array_add_fence+0xcd/0x140
virtio_gpu_queue_ctrl_sgs
virtio_gpu_queue_fenced_ctrl_buffer+0x578/0xfb0
virtio_gpu_cursor_plane_update+0x411/0xbc0
drm_atomic_helper_commit_planes+0x497/0xf10
...
drm_mode_cursor_ioctl+0xd4/0x110
drm_ioctl+0x5e6/0xc60
__x64_sys_ioctl+0x18e/0x210
Beyond the WARN, mutating the dma_resv fence list without the lock
races with concurrent readers/writers and can corrupt the list.
Check the return value of virtio_gpu_array_lock_resv(). On failure,
drop the references taken by virtio_gpu_array_add_obj() with
virtio_gpu_array_put_free() (which does not unlock, matching the
not-locked state) and return without queueing the command. A
skipped cursor frame is harmless; the WARN and the underlying race
are not.
The bug was reported by syzbot, triggered via fault injection
(fail_nth) on the DRM_IOCTL_MODE_CURSOR path, which forces the
-ENOMEM branch in dma_resv_reserve_fences().
Reported-by: syzbot+72bd3dd3a5d5f39a0271@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=72bd3dd3a5d5f39a0271
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
drivers/gpu/drm/virtio/virtgpu_plane.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/virtio/virtgpu_plane.c b/drivers/gpu/drm/virtio/virtgpu_plane.c
index a126d1b25f46..ca379b08b9ec 100644
--- a/drivers/gpu/drm/virtio/virtgpu_plane.c
+++ b/drivers/gpu/drm/virtio/virtgpu_plane.c
@@ -459,7 +459,10 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane,
if (!objs)
return;
virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
- virtio_gpu_array_lock_resv(objs);
+ if (virtio_gpu_array_lock_resv(objs)) {
+ virtio_gpu_array_put_free(objs);
+ return;
+ }
virtio_gpu_cmd_transfer_to_host_2d
(vgdev, 0,
plane->state->crtc_w,
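Review bot: the new failure branch after virtio_gpu_array_lock_resv() discards the error code and returns from virtio_gpu_cursor_plane_update() entirely, so everything after the transfer in this function is skipped as well, not only the transfer_to_host_2d command. The commit message argues only that a skipped cursor frame is harmless; it would help to confirm that nothing later in the function (not visible in this hunk) must still run, and to keep the return value in a local `ret` so the two failure causes, -ERESTARTSYS and -ENOMEM, can at least be reported with a debug message. A short comment above the check noting that virtio_gpu_array_put_free() is used because the lock is not held on failure would save the next reader from looking it up.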
--
2.43.0