Hello Thomas Hellstrom, The patch ae2a104058e2: "vmwgfx: Implement fence objects" from Sep 1, 2011, leads to the following Smatch static checker warning: drivers/dma-buf/dma-fence.c:790 dma_fence_default_wait() warn: user controlled unbound timeout drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 784 int vmw_fence_obj_wait_ioctl(struct drm_device *dev, void *data, 785 struct drm_file *file_priv) 786 { 787 struct drm_vmw_fence_wait_arg *arg = 788 (struct drm_vmw_fence_wait_arg *)data; 789 unsigned long timeout; 790 struct ttm_base_object *base; 791 struct vmw_fence_obj *fence; 792 struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; 793 int ret; 794 uint64_t wait_timeout = ((uint64_t)arg->timeout_us * HZ); timeout comes from the ioctl. 795 796 /* 797 * 64-bit division not present on 32-bit systems, so do an 798 * approximation. (Divide by 1000000). 799 */ 800 801 wait_timeout = (wait_timeout >> 20) + (wait_timeout >> 24) - 802 (wait_timeout >> 26); 803 804 if (!arg->cookie_valid) { 805 arg->cookie_valid = 1; 806 arg->kernel_cookie = jiffies + wait_timeout; 807 } 808 809 base = vmw_fence_obj_lookup(tfile, arg->handle); 810 if (IS_ERR(base)) 811 return PTR_ERR(base); 812 813 fence = &(container_of(base, struct vmw_user_fence, base)->fence); 814 815 timeout = jiffies; 816 if (time_after_eq(timeout, (unsigned long)arg->kernel_cookie)) { 817 ret = ((vmw_fence_obj_signaled(fence)) ? 818 0 : -EBUSY); 819 goto out; 820 } 821 822 timeout = (unsigned long)arg->kernel_cookie - timeout; 823 824 ret = vmw_fence_obj_wait(fence, arg->lazy, true, timeout); This is a new Smatch warning. To try figure out places which can trigger sysbot "task hung" warnings. I don't know if an upper bound on timeout is appropriate here because this is new experimental check... 825 826 out: 827 ttm_base_object_unref(&base); regards, dan carpenter