Bug 219007

Summary: opening and closing /dev/dri/card0 in a QEMU KVM instance will shutdown system, 6.10.0-rc6+
Product: Drivers
Reporter: Colin Ian King (colin.i.king)
Component: Video(DRI - non Intel)
Assignee: drivers_video-dri
Status: NEW
Severity: high
CC: colin.i.king, regressions
Priority: P3
Hardware: Intel
OS: Linux
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:
Attachments: dmesg 6.10 log

Description Colin Ian King 2024-07-05 16:05:27 UTC
The following code, when run as root on a Debian sid amd64 server running in virt-manager (KVM QEMU), will shut the system down with 6.10.0-rc6. The fork() is required to cause racing on the open/close on /dev/dri/card0.

#include <fcntl.h>
#include <unistd.h>

int main(void)
{
	/* After fork(), parent and child both run the loop and race on open/close. */
	pid_t pid = fork();

	while (1) {
		int fd;

		fd = openat(AT_FDCWD, "/dev/dri/card0", O_WRONLY|O_NONBLOCK|O_SYNC);
		close(fd);
	}
}

This was originally found using:

while true; do sudo ./stress-ng  --dev 4 --dev-file /dev/dri/card0 -t 5; done

and narrowed down to the above reproducer (cf. https://github.com/ColinIanKing/stress-ng/issues/407).

This does not occur on pre-6.10 kernels, so it looks like a 6.10 regression.

Comment 1 Colin Ian King 2024-07-05 16:14:11 UTC
Note this can also reproduce when running *without* root privileges, so this is a user space DoS attack vector.

Comment 2 The Linux kernel's regression tracker (Thorsten Leemhuis) 2024-07-09 08:36:21 UTC
Colin, quick reminder: many bugs reported here are never forwarded to any developer. For some of the details see https://lwn.net/Articles/910740/ and the links in there. So the people you are trying to reach most likely won't even see this.

Mail is usually the best for reporting, as mentioned in https://docs.kernel.org/admin-guide/reporting-issues.html (which also tells people to avoid bugzilla in most cases)

Comment 3 The Linux kernel's regression tracker (Thorsten Leemhuis) 2024-07-09 08:37:57 UTC
Forgot: I'll forward this report by mail, as it's a regression, so no need for you to do anything. But it's not the first bug I see from you here, so I thought a reminder might be wise.

Comment 4 The Linux kernel's regression tracker (Thorsten Leemhuis) 2024-07-09 08:41:02 UTC
And one more comment: could you please share a dmesg from the VM so we know what drm driver is used?

Comment 5 Colin Ian King 2024-07-23 15:04:57 UTC
Created attachment 306610
dmesg 6.10 log

Attached, dmesg log. Apologies for the delayed reply.