fix(windows-drivers): pf-vdisplay robustness — AdapterInitStatus gate, pooled-device TDR check, MMCSS-optional worker

Batch B of the audit's medium tier (M4+M5+M6):

- M4: adapter_init_finished now reads AdapterInitStatus (was ignored) and
  only stashes the adapter on NT_SUCCESS, per the MS sample. A failed async
  init previously produced a HUSK adapter: monitors created on it arrive
  but the OS never assigns a swap-chain — every session black-screens with
  no visible cause (the exact signature live fault-injection produced after
  a WUDFHost kill). Unset adapter → ADD fails cleanly (host-retryable) and
  a re-entrant D0 retries the init; the status is now in the debug log.
- M5: pooled_device checks GetDeviceRemovedReason on a cache hit — a TDR'd
  device was returned for its LUID forever (SetDevice fail-loop, black
  virtual display until device teardown); now it falls through to a fresh
  create.
- M6: an AvSetMmThreadCharacteristicsW failure no longer aborts the worker
  before draining (which stalled the monitor and leaked the WDF swap-chain
  object) — continue unprioritized like the MS sample; revert only if MMCSS
  actually engaged.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 17:20:48 +00:00
parent 058630f542
commit b46aa15afb
3 changed files with 44 additions and 14 deletions
@@ -25,13 +25,23 @@ pub unsafe extern "C" fn device_d0_entry(
crate::adapter::init_adapter(device)
}
/// Async completion of `IddCxAdapterInitAsync`: stash the adapter for later DDIs. STEP 4 also starts the
/// watchdog here.
/// Async completion of `IddCxAdapterInitAsync`: stash the adapter for later DDIs — IFF the init
/// actually SUCCEEDED. STEP 4 also starts the watchdog here.
pub unsafe extern "C" fn adapter_init_finished(
adapter: iddcx::IDDCX_ADAPTER,
_p_in: *const iddcx::IDARG_IN_ADAPTER_INIT_FINISHED,
p_in: *const iddcx::IDARG_IN_ADAPTER_INIT_FINISHED,
) -> NTSTATUS {
dbglog!("[pf-vd] adapter_init_finished");
// SAFETY: the framework supplies a valid, live input-args pointer for the call.
let status = unsafe { (*p_in).AdapterInitStatus };
dbglog!("[pf-vd] adapter_init_finished (AdapterInitStatus={status:#010x})");
// The MS sample gates on NT_SUCCESS(AdapterInitStatus). An adapter whose async init FAILED is a
// husk the contract forbids using: monitors created on it arrive but are never activated (no
// swap-chain ever assigned) — every session then black-screens with no visible cause. Leaving
// the ADAPTER unset makes `create_monitor` fail the ADD cleanly (host-visible + retryable), and
// a re-entrant D0 retries the init (`init_adapter` only short-circuits once the stash is set).
if status < 0 {
return STATUS_SUCCESS; // the callback itself succeeded; the failure is in NOT adopting
}
crate::adapter::set_adapter(adapter);
crate::control::start_watchdog();
STATUS_SUCCESS
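Review bot: `(*p_in).AdapterInitStatus` is read at the top of `adapter_init_finished` with no null check, so the new gate rests entirely on the SAFETY comment's assumption about the framework; a null `p_in` in this `unsafe extern "C"` callback would fault the driver host instead of taking the clean not-adopted path. Consider treating `p_in.is_null()` as a failed init: log it, skip `set_adapter` and `start_watchdog`, and return `STATUS_SUCCESS` as the failure branch already does. Two smaller points in the same hunk: `if status < 0` open-codes the NT_SUCCESS test that the comment names, so a small named helper would keep code and comment in step; and the early return emits no log line of its own, so the not-adopted outcome can only be inferred from the status value in the preceding `dbglog!`. An explicit "adapter not adopted" message on that branch would make the D0 retry path easier to trace.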