[PATCH v1] drm/virtio: Fix driver removal with disabled KMS

Dmitry Osipenko posted 1 patch 3 days, 20 hours ago
drivers/gpu/drm/virtio/virtgpu_drv.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
[PATCH v1] drm/virtio: Fix driver removal with disabled KMS
Posted by Dmitry Osipenko 3 days, 20 hours ago
DRM atomic and modesetting aren't initialized if the virtio-gpu driver is
built with disabled KMS, leading to access of uninitialized data on driver
removal/unbinding and crashing the kernel. Fix it by skipping shutting down
the atomic core with unavailable KMS.

Fixes: 72122c69d717 ("drm/virtio: Add option to disable KMS support")
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
---
 drivers/gpu/drm/virtio/virtgpu_drv.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.c b/drivers/gpu/drm/virtio/virtgpu_drv.c
index f0fb784c0f6f..2aaa7cb08085 100644
--- a/drivers/gpu/drm/virtio/virtgpu_drv.c
+++ b/drivers/gpu/drm/virtio/virtgpu_drv.c
@@ -138,7 +138,10 @@ static void virtio_gpu_remove(struct virtio_device *vdev)
 
 	virtio_gpu_release_vqs(dev);
 	drm_dev_unplug(dev);
-	drm_atomic_helper_shutdown(dev);
+
+	if (drm_core_check_feature(dev, DRIVER_ATOMIC))
+		drm_atomic_helper_shutdown(dev);
+
 	virtio_gpu_deinit(dev);
 	drm_dev_put(dev);
 }
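
Review bot: The added check "if (drm_core_check_feature(dev, DRIVER_ATOMIC))" in virtio_gpu_remove() carries no comment, and the commit message describes the failing condition as KMS being disabled rather than the atomic feature being absent, so the code alone does not explain why the shutdown is conditional. A one-line comment above the check, stating that atomic and modesetting state is not initialized when KMS is disabled, would document the link. It would also help to say in the commit message why DRIVER_ATOMIC is the flag tested rather than DRIVER_MODESET.
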
-- 
2.54.0
Re: [PATCH v1] drm/virtio: Fix driver removal with disabled KMS
Posted by Ryosuke Yasuoka 1 day, 4 hours ago
Hi Dmitry

On 04/06/2026 15:27, Dmitry Osipenko wrote:
> DRM atomic and modesetting aren't initialized if the virtio-gpu driver is
> built with disabled KMS, leading to access of uninitialized data on driver
> removal/unbinding and crashing the kernel. Fix it by skipping shutting down
> the atomic core with unavailable KMS.
> 
> Fixes: 72122c69d717 ("drm/virtio: Add option to disable KMS support")
> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> ---
>  drivers/gpu/drm/virtio/virtgpu_drv.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.c b/drivers/gpu/drm/virtio/virtgpu_drv.c
> index f0fb784c0f6f..2aaa7cb08085 100644
> --- a/drivers/gpu/drm/virtio/virtgpu_drv.c
> +++ b/drivers/gpu/drm/virtio/virtgpu_drv.c
> @@ -138,7 +138,10 @@ static void virtio_gpu_remove(struct virtio_device *vdev)
>  
>  	virtio_gpu_release_vqs(dev);
>  	drm_dev_unplug(dev);
> -	drm_atomic_helper_shutdown(dev);
> +
> +	if (drm_core_check_feature(dev, DRIVER_ATOMIC))
> +		drm_atomic_helper_shutdown(dev);
> +
>  	virtio_gpu_deinit(dev);
>  	drm_dev_put(dev);
>  }
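
Review bot: The guard is added only at this one call in virtio_gpu_remove(); if drm_atomic_helper_shutdown(dev) can be reached from any other teardown path of the driver while KMS is disabled, that path needs the same drm_core_check_feature() check. Please state in the commit message that remove is the only affected caller, or move the check into a small helper that every caller uses.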

The patch looks good to me at a glance. I haven't done a full, deep code
review yet, but I've tested it in my lab and everything works as
expected.

Tested-by: Ryosuke Yasuoka <ryasuoka@redhat.com>

test info
base-commit: ce73a5db44e3d5f9c0c061f0868ae209b59605f1 (drm-misc)

When removing the virtio-gpu device with the following command, the following
panic message can be observed.

# echo 1 > /sys/devices/pci0000\:00/0000\:00\:01.0/remove

[  330.048794] ------------[ cut here ]------------
[  330.050023] WARNING: drivers/gpu/drm/drm_modeset_lock.c:319 at drm_modeset_lock+0x118/0x120, CPU#5: bash/22216
[  330.052581] Modules linked in: rfkill nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables sunrpc qrtr vfat snd_hda_codec_generic fat intel_rapl_msr intel_rapl_common snd_hda_intel snd_intel_dspcfg snd_hda_codec kvm_amd iTCO_wdt intel_pmc_bxt snd_hwdep kvm snd_hda_core snd_pcm i2c_i801 irqbypass i2c_smbus snd_timer snd lpc_ich soundcore virtio_balloon virtio_net net_failover failover joydev dm_multipath loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci zram lz4hc_compress vsock lz4_compress virtio_scsi virtio_gpu virtio_dma_buf serio_raw scsi_dh_rdac scsi_dh_emc scsi_dh_alua i2c_dev qemu_fw_cfg virtiofs fuse
[  330.067477] CPU: 5 UID: 0 PID: 22216 Comm: bash Not tainted 7.1.0-rc5 #9 PREEMPT(lazy)
[  330.069058] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.fc43 11/19/2025
[  330.070880] RIP: 0010:drm_modeset_lock+0x118/0x120
[  330.071858] Code: e8 ad e3 48 ff 85 c0 75 c7 b8 f0 ff ff ff eb c2 0f 0b e9 22 ff ff ff e8 06 82 5e 00 4c 8b 04 24 48 8b 4c 24 08 e9 40 ff ff ff <0f> 0b e9 4e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
[  330.075466] RSP: 0018:ffffd2f38ea6baf8 EFLAGS: 00010286
[  330.076522] RAX: 0000000000000000 RBX: ffffd2f38ea6bb78 RCX: ffffd2f38ea6bb78
[  330.077939] RDX: ffff8ea806fd8000 RSI: ffffd2f38ea6bb78 RDI: ffff8ea8016ce190
[  330.079362] RBP: ffffd2f38ea6bb78 R08: ffff8ea8016ce170 R09: 000000000fe6d5f1
[  330.080785] R10: fffff93844235700 R11: ffff8ea80004f800 R12: 0000000000000000
[  330.082410] R13: ffff8ea8016ce000 R14: 0000000000000090 R15: ffff8ea8017180d0
[  330.083787] FS:  00007f202225f780(0000) GS:ffff8ea9ecea0000(0000) knlGS:0000000000000000
[  330.085395] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  330.086553] CR2: 00005567379b41a0 CR3: 00000001a100e000 CR4: 0000000000750ef0
[  330.087980] PKRU: 55555554
[  330.088556] Call Trace:
[  330.089041]  <TASK>
[  330.089480]  ? rcutree_enqueue.isra.0+0x1e/0xe0
[  330.090365]  drm_modeset_lock_all_ctx+0x29/0x3f0
[  330.091274]  ? mnt_get_count+0x4d/0xa0
[  330.091988]  ? __destroy_inode+0x8a/0x180
[  330.092799]  drm_atomic_helper_shutdown+0x7b/0x120
[  330.093779]  virtio_gpu_remove+0x57/0x70 [virtio_gpu]
[  330.094784]  virtio_dev_remove+0x3f/0x90
[  330.095595]  device_release_driver_internal+0x19e/0x200
[  330.096626]  bus_remove_device+0xe4/0x1c0
[  330.097425]  ? srso_alias_return_thunk+0x5/0xfbef5
[  330.098390]  ? device_remove_attrs+0xa1/0x100
[  330.099224]  device_del+0x160/0x3d0
[  330.099937]  ? srso_alias_return_thunk+0x5/0xfbef5
[  330.100881]  ? pci_bus_read_config_dword+0x4c/0x80
[  330.101842]  device_unregister+0x17/0x70
[  330.102629]  unregister_virtio_device+0x15/0x30
[  330.103555]  virtio_pci_remove+0x3f/0x80
[  330.104340]  pci_device_remove+0x4a/0xc0
[  330.105094]  device_release_driver_internal+0x19e/0x200
[  330.106142]  pci_stop_bus_device+0x63/0x80
[  330.106995]  pci_stop_and_remove_bus_device_locked+0x1a/0x30
[  330.108113]  remove_store+0x83/0xa0
[  330.108830]  kernfs_fop_write_iter+0x147/0x200
[  330.109773]  vfs_write+0x25d/0x480
[  330.110483]  ksys_write+0x73/0xf0
[  330.111140]  do_syscall_64+0xe2/0x560
[  330.112093]  ? srso_alias_return_thunk+0x5/0xfbef5
[  330.113066]  ? irqentry_exit+0x40/0x6c0
[  330.113858]  ? srso_alias_return_thunk+0x5/0xfbef5
[  330.114800]  ? do_syscall_64+0x99/0x560
[  330.115551]  ? exc_page_fault+0x82/0x1d0
[  330.116318]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  330.117286] RIP: 0033:0x7f20222d0bbe
[  330.117969] Code: 4d 89 d8 e8 34 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
[  330.121352] RSP: 002b:00007ffdb43331f0 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[  330.122797] RAX: ffffffffffffffda RBX: 00007f202244c5c0 RCX: 00007f20222d0bbe
[  330.124122] RDX: 0000000000000002 RSI: 00005567379b41a0 RDI: 0000000000000001
[  330.125459] RBP: 00007ffdb4333200 R08: 0000000000000000 R09: 0000000000000000
[  330.126839] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002
[  330.128205] R13: 0000000000000002 R14: 00005567379b41a0 R15: 00005567379c3370
[  330.129605]  </TASK>
[  330.130073] ---[ end trace 0000000000000000 ]---
[  330.130987] BUG: kernel NULL pointer dereference, address: 0000000000000018
[  330.131963] #PF: supervisor write access in kernel mode
[  330.131963] #PF: error_code(0x0002) - not-present page
[  330.131963] PGD 0 P4D 0
[  330.131963] Oops: Oops: 0002 [#1] SMP NOPTI
[  330.131963] CPU: 5 UID: 0 PID: 22216 Comm: bash Tainted: G        W           7.1.0-rc5 #9 PREEMPT(lazy)
[  330.131963] Tainted: [W]=WARN
[  330.131963] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.fc43 11/19/2025
[  330.131963] RIP: 0010:ww_mutex_lock+0x38/0x110
[  330.131963] Code: 89 f4 55 53 48 89 fb 48 83 ec 20 65 48 8b 2d 57 93 21 02 48 89 6c 24 18 31 ed 2e 2e 2e 31 c0 65 48 8b 15 53 93 21 02 48 89 e8 <f0> 48 0f b1 13 75 53 4d 85 e4 74 2a 48 8d 6c 24 08 41 83 44 24 10
[  330.131963] RSP: 0018:ffffd2f38ea6bae0 EFLAGS: 00010246
[  330.131963] RAX: 0000000000000000 RBX: 0000000000000018 RCX: ffffd2f38ea6bb78
[  330.131963] RDX: ffff8ea806fd8000 RSI: ffffd2f38ea6bb78 RDI: 0000000000000018
[  330.131963] RBP: 0000000000000000 R08: ffff8ea8016ce170 R09: 000000000fe6d5f1
[  330.131963] R10: fffff93844235700 R11: ffff8ea80004f800 R12: ffffd2f38ea6bb78
[  330.131963] R13: ffff8ea8016ce000 R14: 0000000000000000 R15: 0000000000000018
[  330.131963] FS:  00007f202225f780(0000) GS:ffff8ea9ecea0000(0000) knlGS:0000000000000000
[  330.131963] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  330.131963] CR2: 0000000000000018 CR3: 00000001a100e000 CR4: 0000000000750ef0
[  330.131963] PKRU: 55555554
[  330.131963] Call Trace:
[  330.131963]  <TASK>
[  330.131963]  ? srso_alias_return_thunk+0x5/0xfbef5
[  330.131963]  ? drm_modeset_lock+0x92/0x120
[  330.131963]  drm_modeset_lock_all_ctx+0x8e/0x3f0
[  330.131963]  ? __destroy_inode+0x8a/0x180
[  330.131963]  drm_atomic_helper_shutdown+0x7b/0x120
[  330.131963]  virtio_gpu_remove+0x57/0x70 [virtio_gpu]
[  330.131963]  virtio_dev_remove+0x3f/0x90
[  330.131963]  device_release_driver_internal+0x19e/0x200
[  330.131963]  bus_remove_device+0xe4/0x1c0
[  330.131963]  ? srso_alias_return_thunk+0x5/0xfbef5
[  330.131963]  ? device_remove_attrs+0xa1/0x100
[  330.131963]  device_del+0x160/0x3d0
[  330.131963]  ? srso_alias_return_thunk+0x5/0xfbef5
[  330.131963]  ? pci_bus_read_config_dword+0x4c/0x80
[  330.131963]  device_unregister+0x17/0x70
[  330.131963]  unregister_virtio_device+0x15/0x30
[  330.131963]  virtio_pci_remove+0x3f/0x80
[  330.131963]  pci_device_remove+0x4a/0xc0
[  330.131963]  device_release_driver_internal+0x19e/0x200
[  330.131963]  pci_stop_bus_device+0x63/0x80
[  330.131963]  pci_stop_and_remove_bus_device_locked+0x1a/0x30
[  330.131963]  remove_store+0x83/0xa0
[  330.131963]  kernfs_fop_write_iter+0x147/0x200
[  330.131963]  vfs_write+0x25d/0x480
[  330.131963]  ksys_write+0x73/0xf0
[  330.131963]  do_syscall_64+0xe2/0x560
[  330.131963]  ? srso_alias_return_thunk+0x5/0xfbef5
[  330.131963]  ? irqentry_exit+0x40/0x6c0
[  330.131963]  ? srso_alias_return_thunk+0x5/0xfbef5
[  330.131963]  ? do_syscall_64+0x99/0x560
[  330.131963]  ? exc_page_fault+0x82/0x1d0
[  330.131963]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  330.131963] RIP: 0033:0x7f20222d0bbe
[  330.131963] Code: 4d 89 d8 e8 34 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
[  330.131963] RSP: 002b:00007ffdb43331f0 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[  330.131963] RAX: ffffffffffffffda RBX: 00007f202244c5c0 RCX: 00007f20222d0bbe
[  330.131963] RDX: 0000000000000002 RSI: 00005567379b41a0 RDI: 0000000000000001
[  330.131963] RBP: 00007ffdb4333200 R08: 0000000000000000 R09: 0000000000000000
[  330.131963] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002
[  330.131963] R13: 0000000000000002 R14: 00005567379b41a0 R15: 00005567379c3370
[  330.131963]  </TASK>
[  330.131963] Modules linked in: rfkill nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables sunrpc qrtr vfat snd_hda_codec_generic fat intel_rapl_msr intel_rapl_common snd_hda_intel snd_intel_dspcfg snd_hda_codec kvm_amd iTCO_wdt intel_pmc_bxt snd_hwdep kvm snd_hda_core snd_pcm i2c_i801 irqbypass i2c_smbus snd_timer snd lpc_ich soundcore virtio_balloon virtio_net net_failover failover joydev dm_multipath loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci zram lz4hc_compress vsock lz4_compress virtio_scsi virtio_gpu virtio_dma_buf serio_raw scsi_dh_rdac scsi_dh_emc scsi_dh_alua i2c_dev qemu_fw_cfg virtiofs fuse
[  330.131963] CR2: 0000000000000018
[  330.131963] ---[ end trace 0000000000000000 ]---
[  330.131963] RIP: 0010:ww_mutex_lock+0x38/0x110
[  330.131963] Code: 89 f4 55 53 48 89 fb 48 83 ec 20 65 48 8b 2d 57 93 21 02 48 89 6c 24 18 31 ed 2e 2e 2e 31 c0 65 48 8b 15 53 93 21 02 48 89 e8 <f0> 48 0f b1 13 75 53 4d 85 e4 74 2a 48 8d 6c 24 08 41 83 44 24 10
[  330.131963] RSP: 0018:ffffd2f38ea6bae0 EFLAGS: 00010246
[  330.131963] RAX: 0000000000000000 RBX: 0000000000000018 RCX: ffffd2f38ea6bb78
[  330.131963] RDX: ffff8ea806fd8000 RSI: ffffd2f38ea6bb78 RDI: 0000000000000018
[  330.131963] RBP: 0000000000000000 R08: ffff8ea8016ce170 R09: 000000000fe6d5f1
[  330.131963] R10: fffff93844235700 R11: ffff8ea80004f800 R12: ffffd2f38ea6bb78
[  330.131963] R13: ffff8ea8016ce000 R14: 0000000000000000 R15: 0000000000000018
[  330.225288] FS:  00007f202225f780(0000) GS:ffff8ea9ecea0000(0000) knlGS:0000000000000000
[  330.225288] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  330.225288] CR2: 0000000000000018 CR3: 00000001a100e000 CR4: 0000000000750ef0
[  330.225288] PKRU: 55555554
[  330.225288] note: bash[22216] exited with irqs disabled

Best regards,
Ryosuke
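
A user-space model of the teardown bug discussed in this thread, as an added example that is not part of the patch or the driver: state that probe sets up only when a feature is enabled must be torn down under the same feature check. All names (model_dev, FEAT_ATOMIC, model_*) are hypothetical stand-ins, and the NULL lock pointer is an assumed way of modelling the uninitialized modesetting state.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical feature bits for the model; not the kernel's values. */
enum { FEAT_MODESET = 1u << 0, FEAT_ATOMIC = 1u << 1 };

struct model_lock { int held; };

struct model_dev {
    unsigned features;
    struct model_lock *modeset_lock; /* set up only when KMS is initialized */
    bool shut_down;
};

static struct model_lock kms_lock;

/* Probe: modesetting state exists only when KMS is enabled. */
void model_probe(struct model_dev *d, bool kms_enabled)
{
    d->features = kms_enabled ? (FEAT_MODESET | FEAT_ATOMIC) : 0;
    d->modeset_lock = kms_enabled ? &kms_lock : NULL;
    d->shut_down = false;
}

/* Stand-in for the atomic shutdown helper: it needs the modeset lock.
 * Returns -1 at the point where unguarded code would touch the
 * uninitialized lock (a fault in the kernel, an error code here). */
int model_atomic_shutdown(struct model_dev *d)
{
    if (!d->modeset_lock)
        return -1;
    d->modeset_lock->held = 1;
    d->shut_down = true;
    d->modeset_lock->held = 0;
    return 0;
}

/* Remove path before the fix: shutdown is called unconditionally. */
int model_remove_unguarded(struct model_dev *d)
{
    return model_atomic_shutdown(d);
}

/* Remove path after the fix: skip shutdown when the feature is absent. */
int model_remove_guarded(struct model_dev *d)
{
    if (d->features & FEAT_ATOMIC)
        return model_atomic_shutdown(d);
    return 0; /* nothing was initialized, so nothing to shut down */
}
```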