From nobody Sun May 24 18:42:56 2026 Received: from m16.mail.163.com (m16.mail.163.com [117.135.210.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A18393A63ED for ; Fri, 22 May 2026 12:36:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=117.135.210.2 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779453403; cv=none; b=MVm5FK7uWBpMJeiAYihSv4baaJ25xLzoJIc7qFdZT/fOPeqfF7lRI1EkI7H3mM66YEYaEsieUgmXGoQq6D8hw/bZQAJrX/s56hElwJ4gCVZYpEJMH5hI4E0aXFfZXlAgML6UhYZcWTOvxBkz4jc9Nt/PmEPIQXyml3oh7MIxDAc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779453403; c=relaxed/simple; bh=cMOQvRAIptSgiXiynGEzXp9289ZT6kda3AB9WHAAJ9w=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=eswW6d9jFQ80op1Yd5OdJlaWJtLYZENZGSUdRbAJNYhwZ8Y2QZBGhARzlw7+b3VqK07iDzqHDlVMDlTpHA1Rv8OsiNTywcF8QAOVkxyqZlPLZlJCZk4PYw+v4zLjinrwr0c9VRJLrtfn6cijdMCywvLFH2Yr8ml/7Mh39xJg/Bs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=163.com; spf=pass smtp.mailfrom=163.com; dkim=pass (1024-bit key) header.d=163.com header.i=@163.com header.b=qPJnuCy8; arc=none smtp.client-ip=117.135.210.2 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=163.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=163.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=163.com header.i=@163.com header.b="qPJnuCy8" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:To:Subject:Date:Message-Id:MIME-Version; bh=jQ oeV8+JuevDH2pe0coXHILm+hYLBjsiMm+VXK+GF3I=; b=qPJnuCy8uzXWOPcEFK kB0VfiU5VjAHp2U+jjurYYEbnUj/cltd5i1fu+Ph26mvpCSk+D3cXdql/qy3PJGc alge+Xi7lIkcPrsKIQMRRWnVQqZnqgLe9K70RY7dbCy2TeTWTRYvgMkeVJG1tXr/ seu9+srqMeT6gPsw2kGf4n+vs= Received: from 163.com (unknown []) by gzga-smtp-mtada-g1-3 (Coremail) with SMTP id _____wAXqVuPTRBqlQ52Cw--.30867S2; Fri, 22 May 2026 20:35:36 +0800 (CST) From: w15303746062@163.com To: zack.rusin@broadcom.com Cc: bcm-kernel-feedback-list@broadcom.com, maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, 25181214217@stu.xidian.edu.cn Subject: [PATCH] drm/vmwgfx: Break ABBA deadlock in vblank disable path Date: Fri, 22 May 2026 20:35:26 +0800 Message-Id: <20260522123526.567109-1-w15303746062@163.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: _____wAXqVuPTRBqlQ52Cw--.30867S2 X-Coremail-Antispam: 1Uf129KBjvJXoWxWr4DCFW5CryxCrW3Xw18Zrb_yoW5Xryrpr sFqryxtr1UXF1aganFyF4kWFn5Wws3G342yryxK3s8ZwnFkF1vqF48ZF4YvFZ8urZrA3y2 qr18tFW8ur4j9rJanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x07j5R6wUUUUU= X-CM-SenderInfo: jzrvjiatxuliiws6il2tof0z/xtbDABgY+2oQTZjggAAA30 Content-Type: text/plain; charset="utf-8" From: Mingyu Wang <25181214217@stu.xidian.edu.cn> A severe deadlock occurs when disabling the CRTC while the VKMS vblank hrtimer is running. The issue is caused by a circular lock dependency (ABBA) involving the DRM core's dev->vbl_lock and the hrtimer cancellation sequence. Stack traces from NMI backtrace confirm the deadlock: CPU 0 (IRQ Context): [ <0>] hrtimer_interrupt [ <0>] vkms_vblank_simulate [ <0>] drm_crtc_handle_vblank [ <0>] _raw_spin_lock_irqsave (waiting for dev->vbl_lock) CPU 2 (Process Context): [ <2>] drm_crtc_vblank_off [ <2>] vmw_vkms_disable_vblank [ <2>] hrtimer_cancel (blocks waiting for timer callback) This results in a system lockup and RCU stall: [ 3367.370429] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks [ 3367.912523] rcu: rcu_preempt kthread starved for 10504 jiffies! The driver incorrectly calls the blocking hrtimer_cancel() while holding dev->vbl_lock inside the disable_vblank() callback. Fix this by using hrtimer_try_to_cancel() in vmw_vkms_disable_vblank(). This callback must remain non-blocking as it is called with dev->vbl_lock held by the DRM core. Subsequently, call hrtimer_cancel() in vmw_vkms_crtc_atomic_disable() *after* drm_crtc_vblank_off() has released the lock. This ensures the timer is safely and synchronously stopped without inducing a deadlock. Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> --- drivers/gpu/drm/vmwgfx/vmwgfx_vkms.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_vkms.c b/drivers/gpu/drm/vmwgfx/= vmwgfx_vkms.c index 5abd7f5ad2db..96fc856b9e06 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_vkms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_vkms.c @@ -305,7 +305,10 @@ vmw_vkms_disable_vblank(struct drm_crtc *crtc) if (!vmw->vkms_enabled) return; =20 - hrtimer_cancel(&du->vkms.timer); + /* + * Non-blocking cancel to avoid ABBA deadlock while holding vbl_lock. + */ + hrtimer_try_to_cancel(&du->vkms.timer); du->vkms.surface =3D NULL; du->vkms.period_ns =3D ktime_set(0, 0); } @@ -390,9 +393,16 @@ vmw_vkms_crtc_atomic_disable(struct drm_crtc *crtc, struct drm_atomic_state *state) { struct vmw_private *vmw =3D vmw_priv(crtc->dev); + struct vmw_display_unit *du =3D vmw_crtc_to_du(crtc); =20 - if (vmw->vkms_enabled) - drm_crtc_vblank_off(crtc); + if (vmw->vkms_enabled) { + drm_crtc_vblank_off(crtc); + /* + * Synchronously stop the timer after releasing the vbl_lock + * to ensure no further callbacks occur. + */ + hrtimer_cancel(&du->vkms.timer); + } } =20 static bool --=20 2.34.1