Re: [PATCH v4] drm/virtio: use uninterruptible resv lock for plane updates

[Dmitry Osipenko]

On 5/20/26 18:04, Dmitry Osipenko wrote:
> On 5/19/26 11:22, Deepanshu Kartikey wrote:
>> virtio_gpu_cursor_plane_update() and virtio_gpu_resource_flush() lock
>> the framebuffer BO's dma_resv via virtio_gpu_array_lock_resv() and
>> ignore its return value. The function can fail with -EINTR from
>> dma_resv_lock_interruptible() (signal during lock wait) or with
>> -ENOMEM from dma_resv_reserve_fences() (fence slot allocation),
>> leaving the resv lock not held. The queue path then walks the object
>> array and calls dma_resv_add_fence(), which requires the lock held;
>> with lockdep enabled this trips dma_resv_assert_held():
>>
>>   WARNING: drivers/dma-buf/dma-resv.c:296 at dma_resv_add_fence+0x71e/0x840
>>   Call Trace:
>>    virtio_gpu_array_add_fence
>>    virtio_gpu_queue_ctrl_sgs
>>    virtio_gpu_queue_fenced_ctrl_buffer
>>    virtio_gpu_cursor_plane_update
>>    drm_atomic_helper_commit_planes
>>    drm_atomic_helper_commit_tail
>>    commit_tail
>>    drm_atomic_helper_commit
>>    drm_atomic_commit
>>    drm_atomic_helper_update_plane
>>    __setplane_atomic
>>    drm_mode_cursor_universal
>>    drm_mode_cursor_common
>>    drm_mode_cursor_ioctl
>>    drm_ioctl
>>    __x64_sys_ioctl
>>
>> Beyond the WARN, mutating the dma_resv fence list without the lock
>> races with concurrent readers/writers and can corrupt the list.
>>
>> Both call sites run inside the .atomic_update plane callback, which
>> DRM atomic helpers do not allow to fail (by the time it runs, the
>> commit has been signed off to userspace and there is no clean
>> rollback path). Moving the lock acquisition to .prepare_fb was
>> rejected because the broader lock scope deadlocks against other BO
>> locking paths in the same atomic commit.
>>
>> Introduce virtio_gpu_lock_one_resv_uninterruptible() that uses
>> dma_resv_lock() instead of dma_resv_lock_interruptible(). This
>> eliminates the -EINTR failure mode -- the realistic syzbot trigger
>> -- without extending the lock hold across the commit. The helper
>> locks a single BO and rejects nents > 1 with -EINVAL; both fix
>> sites lock exactly one BO.
>>
>> Use it from virtio_gpu_cursor_plane_update() and
>> virtio_gpu_resource_flush(); check the return value to handle the
>> remaining -ENOMEM case from dma_resv_reserve_fences() by freeing
>> the objs and skipping the plane update for that frame. The
>> framebuffer BOs touched here are not shared with other contexts
>> and lock contention is expected to be brief, so the loss of
>> signal-interruptibility is acceptable.
>>
>> Other callers of virtio_gpu_array_lock_resv() (the ioctl paths)
>> continue to use the interruptible variant.
>>
>> The bug was reported by syzbot, triggered via fault injection
>> (fail_nth) on the DRM_IOCTL_MODE_CURSOR path, which forces the
>> -ENOMEM branch in dma_resv_reserve_fences().
>>
>> Reported-by: syzbot+72bd3dd3a5d5f39a0271@xxxxxxxxxxxxxxxxxxxxxxxxx
>> Closes: https://syzkaller.appspot.com/bug?extid=72bd3dd3a5d5f39a0271
>> Fixes: 5cfd31c5b3a3 ("drm/virtio: fix virtio_gpu_cursor_plane_update().")
>> Cc: stable@xxxxxxxxxxxxxxx
>> Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
>> ---
>> v4: Rename the helper to virtio_gpu_lock_one_resv_uninterruptible()
>>     and reject objs->nents > 1 with -EINVAL. The v3 helper's
>>     multi-object branch used drm_gem_lock_reservations(), which is
>>     interruptible, contradicting the "uninterruptible" name; both
>>     fix sites lock a single BO so the multi-object path is dropped.
>>     (Dmitry Osipenko)
>> v3: Drop the prepare_fb/cleanup_fb approach from v2 (it deadlocked
>>     against virtio_gpu_resource_flush(), which also locks the BO in
>>     the same atomic commit). Instead add an uninterruptible variant
>>     of the resv lock helper and use it in both
>>     virtio_gpu_cursor_plane_update() and virtio_gpu_resource_flush().
>>     (Dmitry Osipenko)
>> v2: Move resv lock acquisition from .atomic_update (which must not
>>     fail) to .prepare_fb (which may), per maintainer review of v1.
>>     The v1 approach of silently skipping the cursor update on lock
>>     failure violated the atomic-commit contract with userspace.
>> ---
>>  drivers/gpu/drm/virtio/virtgpu_drv.h   |  1 +
>>  drivers/gpu/drm/virtio/virtgpu_gem.c   | 17 +++++++++++++++++
>>  drivers/gpu/drm/virtio/virtgpu_plane.c | 10 ++++++++--
>>  3 files changed, 26 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h
>> index f17660a71a3e..2f3531950aa4 100644
>> --- a/drivers/gpu/drm/virtio/virtgpu_drv.h
>> +++ b/drivers/gpu/drm/virtio/virtgpu_drv.h
>> @@ -317,6 +317,7 @@ virtio_gpu_array_from_handles(struct drm_file *drm_file, u32 *handles, u32 nents
>>  void virtio_gpu_array_add_obj(struct virtio_gpu_object_array *objs,
>>  			      struct drm_gem_object *obj);
>>  int virtio_gpu_array_lock_resv(struct virtio_gpu_object_array *objs);
>> +int virtio_gpu_lock_one_resv_uninterruptible(struct virtio_gpu_object_array *objs);
>>  void virtio_gpu_array_unlock_resv(struct virtio_gpu_object_array *objs);
>>  void virtio_gpu_array_add_fence(struct virtio_gpu_object_array *objs,
>>  				struct dma_fence *fence);
>> diff --git a/drivers/gpu/drm/virtio/virtgpu_gem.c b/drivers/gpu/drm/virtio/virtgpu_gem.c
>> index f22dc5c21cd4..435d37d36034 100644
>> --- a/drivers/gpu/drm/virtio/virtgpu_gem.c
>> +++ b/drivers/gpu/drm/virtio/virtgpu_gem.c
>> @@ -238,6 +238,23 @@ int virtio_gpu_array_lock_resv(struct virtio_gpu_object_array *objs)
>>  	return ret;
>>  }
>>  
>> +int virtio_gpu_lock_one_resv_uninterruptible(struct virtio_gpu_object_array *objs)
>> +{
>> +	int ret;
>> +
>> +	if (objs->nents != 1)
>> +		return -EINVAL;
>> +
>> +	dma_resv_lock(objs->objs[0]->resv, NULL);
>> +
>> +	ret = dma_resv_reserve_fences(objs->objs[0]->resv, 1);
>> +	if (ret) {
>> +		virtio_gpu_array_unlock_resv(objs);
>> +		return ret;
>> +	}
>> +	return 0;
>> +}
>> +
>>  void virtio_gpu_array_unlock_resv(struct virtio_gpu_object_array *objs)
>>  {
>>  	if (objs->nents == 1) {
>> diff --git a/drivers/gpu/drm/virtio/virtgpu_plane.c b/drivers/gpu/drm/virtio/virtgpu_plane.c
>> index a126d1b25f46..652352424744 100644
>> --- a/drivers/gpu/drm/virtio/virtgpu_plane.c
>> +++ b/drivers/gpu/drm/virtio/virtgpu_plane.c
>> @@ -215,7 +215,10 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane,
>>  		if (!objs)
>>  			return;
>>  		virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
>> -		virtio_gpu_array_lock_resv(objs);
>> +		if (virtio_gpu_lock_one_resv_uninterruptible(objs)) {
>> +			virtio_gpu_array_put_free(objs);
>> +			return;
>> +		}
>>  		virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y,
>>  					      width, height, objs,
>>  					      vgplane_st->fence);
>> @@ -459,7 +462,10 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane,
>>  		if (!objs)
>>  			return;
>>  		virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
>> -		virtio_gpu_array_lock_resv(objs);
>> +		if (virtio_gpu_lock_one_resv_uninterruptible(objs)) {
>> +			virtio_gpu_array_put_free(objs);
>> +			return;
>> +		}
>>  		virtio_gpu_cmd_transfer_to_host_2d
>>  			(vgdev, 0,
>>  			 plane->state->crtc_w,
> 
> Applied to misc-next, thanks

Realized patche should go to -fixes, applied to misc-fixes too

-- 
Best regards,
Dmitry