From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 711BE384CFB for ; Tue, 12 May 2026 08:59:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778576385; cv=none; b=oacY1sALUgy17AwIkQPV9LYqtyrTp+DOCqJjvd2PM692Uq3w//OBLrxsujwiby+jJd86VDXVjl99AOCglmPSy/nnt3l/XMFEfDWlXvFYEpU7+22lMNG1MSxJ5eVIfaDemYyEZ2/6Gp9UEtbeYq2T+QOmHOf81Q/GxS1ke4y6MWA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778576385; c=relaxed/simple; bh=4Ns0rcqJLws3CedY6H5JU+m8wsp4D7xwSnXKuCiXQjw=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=PpN4P+R1kf65A1L/7B/vEHOTJJzIb/2p3mTlBLGPcnwzlY327/YCHPJDPix/7koiufsrX7KepCoHDJZc0JJjEVH/D2u6FqcPFz5vB5fwW9DP1z2BEaPgaNQv4+xXEuuTJAt6fHtOwxWeIkir/Od8tHTlW2MOiDfittB/gxrp5Q0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=byLuxiws; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b=W5vFoAeb; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="byLuxiws"; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b="W5vFoAeb" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1778576376; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=E8x/nB6+eHD5O3AzeJFXB6I/hH3gbVO1zz0k4nECC2U=; b=byLuxiws1j8OxKXMJgguhGJZqoAg/DHOcrl8mYmqR2oO5QTTa/+qLmWEk9RfwrrS7j4SZZ TijOy6DbtQc8jNt/GjraCsrxMb16O+KZ2JJPSKCi7mQpdoBpXArXf1uvlEjyV1PMiAKxrK 7Ck072Wk17u3QRny3J5mtS/DcqVdf0s= Received: from mail-pg1-f198.google.com (mail-pg1-f198.google.com [209.85.215.198]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-184-_3P2SpScNDC7O0eiCQJ6vA-1; Tue, 12 May 2026 04:59:35 -0400 X-MC-Unique: _3P2SpScNDC7O0eiCQJ6vA-1 X-Mimecast-MFC-AGG-ID: _3P2SpScNDC7O0eiCQJ6vA_1778576374 Received: by mail-pg1-f198.google.com with SMTP id 41be03b00d2f7-c8291230235so2146582a12.2 for ; Tue, 12 May 2026 01:59:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=google; t=1778576374; x=1779181174; darn=vger.kernel.org; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:from:to:cc:subject:date:message-id:reply-to; bh=E8x/nB6+eHD5O3AzeJFXB6I/hH3gbVO1zz0k4nECC2U=; b=W5vFoAebn8suMgeAxcKwTmWMqrg6BpVKM4o7uPVXguax6RNC6LZeKlIXN0ne2UtBK6 e1H6omqkks+5624GHGqTz2mCa2khuNRXJY1cJIzBgA4k3jP4u2WYZOHWTbYG97R0/3Dl jcVPLR4yFZC0/Ev32RAn1p/Vi4+r+2XiWbTI0phRzhzZt8hAGvPnt/x3YEeUOAVGAok1 9e/znz/wFaMjRkZ+HEfykDpwY1kJAxkjsCMx5FuiW8zK4ciAkAJw+XiLIspPZYuplBKr /iuqmiZqUjPLZfodeZ14kcWt1N5Z/hrRsD92GQi9uZdBBqD6pathWmxpqoUx9wgvowZn utcQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778576374; x=1779181174; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=E8x/nB6+eHD5O3AzeJFXB6I/hH3gbVO1zz0k4nECC2U=; b=lNlXV9HLfVZfRUkgPdSukFLMA/0vkXw+cPV005YgU7fdnxmJMMeoH4cQkOdQE2RPkF pKOhY/HVkOi6r5qMU1OfXRWhiQnHZuR83cIYRkd3puW9fCsGITJR39MlmxSXgbZ6UREn b0LBYCZrPw3YFvEtUnfnajM1pGiDwVuCQPK+CoFbBZMjZTaMd0JAN7Zow9rLOzEg/LIt cgsnvH6tWO0+fAF8c991n2UE9mCAzQtrtITAGj9dgEYD2sXfUwmKkMlbycJgnlnm2cGN YBesJZmYLinaY2SRRBGYrgECE7OUWra0mq0h/z5q1Vfa7EAMkxEi7ubZNGO7HcCngvPr OwQA== X-Forwarded-Encrypted: i=1; AFNElJ+esassBaANay7j9WGOoy7aa1bt8fVz/ODjG5Rt1t/X48QythxXmp7Dva0gguzcHfDIh6Ids8abZTpQk7Y=@vger.kernel.org X-Gm-Message-State: AOJu0YwaHj5P1XKfEcS5AFPN5N3R3++wHVP8wqsQcf3hu5uGS6QPWmK3 yu1pqJ0E0ggoe2PwN5FHHaGIJPKqZZ1VStIs0cXASDKu3d+zaJdDNO5Aqoku3ce77xyu6CetJEH T8jYKVSzPAOSOIp7LqNtYMpcYWCZJm3dK6Qw50/RYHh4nQpaUGpDMuPypCRj87//Uwg== X-Gm-Gg: Acq92OGqiZoQOKhRHG8R53IcOQ5+mzCrVbiKW1KaT5HkFfp0Fk1e4Ds6tFTFi4bDMeq Qilvy1grYGYyTyX/meGU3Ohg48HE5CsHFdhkKWWtDRdlVOdPjQQB3kb6lJ9LaNBNXHv9EwFz7ys FWOwJY53RpDRutoBQFrZv+UB4wLK93x3yL6Llij4sc+FUNo+OZJFMMjODfvTkn7xZM8RcDevq51 zfAPz9/HYi7zoZ3+/LwiP8Qkuz4zEddf5C288U9QOMeZbTpuONBVRwPl63jX055zDf6YaXsYRkV FQ3fhuGv+BeGugiLo+Rft6VNmioTDNmzHlJIArPb9mtf+7x1zypNJJa7Qumfvp8TYHLpkQUumZM EAAuhchc8txRS5u5vH1KpZ2icB9b/jSq1PK9fKjtoY49dhEoCMCAaDbgcYnA= X-Received: by 2002:a05:6a00:2446:b0:835:405a:7e69 with SMTP id d2e1a72fcca58-83eebb5e9e1mr2301788b3a.16.1778576374223; Tue, 12 May 2026 01:59:34 -0700 (PDT) X-Received: by 2002:a05:6a00:2446:b0:835:405a:7e69 with SMTP id d2e1a72fcca58-83eebb5e9e1mr2301758b3a.16.1778576373655; Tue, 12 May 2026 01:59:33 -0700 (PDT) Received: from ryasuoka-thinkpadx1carbongen9.tokyo.csb ([126.143.164.49]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-83967dbd995sm21336715b3a.43.2026.05.12.01.59.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2026 01:59:32 -0700 (PDT) From: Ryosuke Yasuoka Date: Tue, 12 May 2026 04:59:02 -0400 Subject: [PATCH] drm/virtio: add timeout to virtqueue wait to avoid hung task Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20260512-virtio-gpu_wait_event-v1-1-207eb4c1a69a@redhat.com> X-B4-Tracking: v=1; b=H4sIAAAAAAAC/x3MQQqAIBBA0avErBNM0KKrRITZWLNRUbMgunvS8 i3+fyBhJEwwNg9ELJTIu4qubcAc2u3IaKsGwYXishOsUMzk2R7O5dKUFyzoMkNuNjuoXq69gdq GiJbu/zvN7/sBdmCa/2cAAAA= X-Change-ID: 20260512-virtio-gpu_wait_event-e0cdf8675b7c To: David Airlie , Gerd Hoffmann , Dmitry Osipenko , Gurchetan Singh , Chia-I Wu , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , Simona Vetter Cc: dri-devel@lists.freedesktop.org, virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, syzbot+d6dd6f86d3aaf7eebe7406e45c1c6e549453f224@syzkaller.appspotmail.com, syzbot+908bd910da5dd79b88de4cf7baf376cc873a922e@syzkaller.appspotmail.com, Ryosuke Yasuoka X-Mailer: b4 0.14.3 virtio_gpu_queue_ctrl_sgs() and virtio_gpu_queue_cursor() use wait_event() without timeout when waiting for virtqueue space. If the host device stops processing commands, these waits block indefinitely. Since callers may hold DRM locks, this can make the entire system unresponsive. Replace wait_event() with wait_event_timeout() using a 5-second timeout, consistent with the existing timeout pattern in the driver. On timeout, clean up and return -ENODEV, following the same error path as drm_dev_enter() failure. Reported-by: syzbot+d6dd6f86d3aaf7eebe7406e45c1c6e549453f224@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?id=d6dd6f86d3aaf7eebe7406e45c1c6e549453f224 Reported-by: syzbot+908bd910da5dd79b88de4cf7baf376cc873a922e@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?id=908bd910da5dd79b88de4cf7baf376cc873a922e Signed-off-by: Ryosuke Yasuoka --- drivers/gpu/drm/virtio/virtgpu_vq.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c index 67865810a2e7..05e816a0ae0b 100644 --- a/drivers/gpu/drm/virtio/virtgpu_vq.c +++ b/drivers/gpu/drm/virtio/virtgpu_vq.c @@ -396,7 +396,16 @@ static int virtio_gpu_queue_ctrl_sgs(struct virtio_gpu_device *vgdev, if (vq->num_free < elemcnt) { spin_unlock(&vgdev->ctrlq.qlock); virtio_gpu_notify(vgdev); - wait_event(vgdev->ctrlq.ack_queue, vq->num_free >= elemcnt); + if (!wait_event_timeout(vgdev->ctrlq.ack_queue, + vq->num_free >= elemcnt, + 5 * HZ)) { + /* The device did not respond */ + if (fence && vbuf->objs) + virtio_gpu_array_unlock_resv(vbuf->objs); + free_vbuf(vgdev, vbuf); + drm_dev_exit(idx); + return -ENODEV; + } goto again; } @@ -566,7 +575,14 @@ static void virtio_gpu_queue_cursor(struct virtio_gpu_device *vgdev, ret = virtqueue_add_sgs(vq, sgs, outcnt, 0, vbuf, GFP_ATOMIC); if (ret == -ENOSPC) { spin_unlock(&vgdev->cursorq.qlock); - wait_event(vgdev->cursorq.ack_queue, vq->num_free >= outcnt); + if (!wait_event_timeout(vgdev->cursorq.ack_queue, + vq->num_free >= outcnt, + 5 * HZ)) { + /* The device did not respond */ + free_vbuf(vgdev, vbuf); + drm_dev_exit(idx); + return; + } spin_lock(&vgdev->cursorq.qlock); goto retry; } else { --- base-commit: 5d6919055dec134de3c40167a490f33c74c12581 change-id: 20260512-virtio-gpu_wait_event-e0cdf8675b7c Best regards, -- Ryosuke Yasuoka