bisecting fixing commit since e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0
building syzkaller on 7b5f86212c1bcfb5120dd42086b1c1192468d3b3
testing commit e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in vb2_mmap
run #1: crashed: general protection fault in vb2_mmap
run #2: crashed: KASAN: use-after-free Read in vb2_mmap
run #3: crashed: KASAN: use-after-free Read in vb2_mmap
run #4: crashed: general protection fault in vb2_mmap
run #5: crashed: general protection fault in corrupted
run #6: crashed: general protection fault in vb2_mmap
run #7: crashed: general protection fault in vb2_mmap
run #8: crashed: general protection fault in vb2_mmap
run #9: crashed: KASAN: use-after-free Read in vb2_mmap
testing current HEAD 451577f3e3a9bf1861218641dbbf98e214e77851
testing commit 451577f3e3a9bf1861218641dbbf98e214e77851 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 451577f3e3a9bf1861218641dbbf98e214e77851 e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0
Bisecting: 29770 revisions left to test after this (roughly 15 steps)
[ab4ba2e133463c702b37242560d7fabedd2dc750] btrfs: tree-checker: Verify dev item
testing commit ab4ba2e133463c702b37242560d7fabedd2dc750 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad ab4ba2e133463c702b37242560d7fabedd2dc750
Bisecting: 14884 revisions left to test after this (roughly 14 steps)
[3856ec55270099494afa0cabba020365a38430a2] RDMA/hns: Use for_each_sg_dma_page iterator on umem SGL
testing commit 3856ec55270099494afa0cabba020365a38430a2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 3856ec55270099494afa0cabba020365a38430a2
Bisecting: 7006 revisions left to test after this (roughly 13 steps)
[e0c38a4d1f196a4b17d2eba36afff8f656a4f1de] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit e0c38a4d1f196a4b17d2eba36afff8f656a4f1de with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad e0c38a4d1f196a4b17d2eba36afff8f656a4f1de
Bisecting: 3891 revisions left to test after this (roughly 12 steps)
[8e61e7b5c4de2bea534438bd7a008accd85492b0] Merge tag 'sound-4.21-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 8e61e7b5c4de2bea534438bd7a008accd85492b0 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 8e61e7b5c4de2bea534438bd7a008accd85492b0
Bisecting: 2003 revisions left to test after this (roughly 11 steps)
[2a3c83f5fe0770d13bbb71b23674886ff4111f44] Merge tag 'vmwgfx-next-2018-12-13' of git://people.freedesktop.org/~thomash/linux into drm-next
testing commit 2a3c83f5fe0770d13bbb71b23674886ff4111f44 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in vb2_mmap
run #1: crashed: general protection fault in vb2_mmap
run #2: crashed: general protection fault in vb2_mmap
run #3: crashed: general protection fault in vb2_mmap
run #4: crashed: general protection fault in corrupted
run #5: crashed: general protection fault in vb2_mmap
run #6: crashed: general protection fault in vb2_mmap
run #7: crashed: general protection fault in vb2_mmap
run #8: crashed: general protection fault in vb2_mmap
run #9: crashed: general protection fault in vb2_mmap
# git bisect good 2a3c83f5fe0770d13bbb71b23674886ff4111f44
Bisecting: 1017 revisions left to test after this (roughly 10 steps)
[ab63e725b49c80f941446327d79ba5b68593bf5a] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
testing commit ab63e725b49c80f941446327d79ba5b68593bf5a with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in vb2_mmap
run #1: crashed: general protection fault in vb2_mmap
run #2: crashed: general protection fault in vb2_mmap
run #3: crashed: general protection fault in corrupted
run #4: crashed: general protection fault in vb2_mmap
run #5: crashed: general protection fault in vb2_mmap
run #6: crashed: general protection fault in vb2_mmap
run #7: crashed: general protection fault in vb2_mmap
run #8: crashed: general protection fault in vb2_mmap
run #9: crashed: general protection fault in vb2_mmap
# git bisect good ab63e725b49c80f941446327d79ba5b68593bf5a
Bisecting: 581 revisions left to test after this (roughly 9 steps)
[eaa76499711535fd64d747cc4ef0d78ab0fd41c6] Merge tag 'mtd/for-4.21' of git://git.infradead.org/linux-mtd
testing commit eaa76499711535fd64d747cc4ef0d78ab0fd41c6 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in vb2_mmap
run #1: crashed: KASAN: use-after-free Read in vb2_mmap
run #2: crashed: general protection fault in vb2_mmap
run #3: crashed: general protection fault in vb2_mmap
run #4: crashed: general protection fault in corrupted
run #5: crashed: general protection fault in vb2_mmap
run #6: crashed: general protection fault in vb2_mmap
run #7: crashed: KASAN: use-after-free Read in vb2_mmap
run #8: crashed: general protection fault in vb2_mmap
run #9: crashed: general protection fault in vb2_mmap
# git bisect good eaa76499711535fd64d747cc4ef0d78ab0fd41c6
Bisecting: 290 revisions left to test after this (roughly 8 steps)
[d82b51c855a20eb456ac09f2f40ea98312373263] ALSA: HD-Audio: SKL+: force HDaudio legacy or SKL+ driver selection
testing commit d82b51c855a20eb456ac09f2f40ea98312373263 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in vb2_mmap
run #1: crashed: general protection fault in vb2_mmap
run #2: crashed: general protection fault in vb2_mmap
run #3: crashed: general protection fault in vb2_mmap
run #4: crashed: general protection fault in vb2_mmap
run #5: crashed: general protection fault in vb2_mmap
run #6: crashed: KASAN: use-after-free Read in vb2_mmap
run #7: crashed: general protection fault in vb2_mmap
run #8: crashed: general protection fault in vb2_mmap
run #9: crashed: KASAN: use-after-free Read in vb2_mmap
# git bisect good d82b51c855a20eb456ac09f2f40ea98312373263
Bisecting: 145 revisions left to test after this (roughly 7 steps)
[92799ef7209bfd4c8eadb88c2c8f6fcba544b367] media: v4l: Add 4bpp packed depth confidence format CNF4
testing commit 92799ef7209bfd4c8eadb88c2c8f6fcba544b367 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 92799ef7209bfd4c8eadb88c2c8f6fcba544b367
Bisecting: 72 revisions left to test after this (roughly 6 steps)
[01a2d72149d867f3e13c2f6cd503aaec02ecd5e5] media: coda: print SEQ_INIT error code as hex value
testing commit 01a2d72149d867f3e13c2f6cd503aaec02ecd5e5 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in vb2_mmap
run #1: crashed: general protection fault in corrupted
run #2: crashed: general protection fault in vb2_mmap
run #3: crashed: general protection fault in corrupted
run #4: crashed: general protection fault in vb2_mmap
run #5: crashed: general protection fault in vb2_mmap
run #6: crashed: general protection fault in vb2_mmap
run #7: crashed: general protection fault in vb2_mmap
run #8: crashed: general protection fault in corrupted
run #9: crashed: KASAN: use-after-free Read in vb2_mmap
# git bisect good 01a2d72149d867f3e13c2f6cd503aaec02ecd5e5
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[5df317c8786b5ecef9ccb2d8df7b4f6f1bc5dcd1] media: venus: firmware: add routine to reset ARM9
testing commit 5df317c8786b5ecef9ccb2d8df7b4f6f1bc5dcd1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 5df317c8786b5ecef9ccb2d8df7b4f6f1bc5dcd1
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[40d91c9988af56d7a831df92c58fe28cebb3a764] media: adv7604: add CEC support for adv7611/adv7612
testing commit 40d91c9988af56d7a831df92c58fe28cebb3a764 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 40d91c9988af56d7a831df92c58fe28cebb3a764
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[72a8914ff0667f029bd80a51a14719e70a3c82a9] media: dt-bindings: rcar-csi2: Add R8A77990
testing commit 72a8914ff0667f029bd80a51a14719e70a3c82a9 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in vb2_mmap
run #1: crashed: general protection fault in vb2_mmap
run #2: crashed: KASAN: use-after-free Read in vb2_mmap
run #3: crashed: general protection fault in vb2_mmap
run #4: crashed: general protection fault in vb2_mmap
run #5: crashed: general protection fault in vb2_mmap
run #6: crashed: general protection fault in vb2_mmap
run #7: crashed: general protection fault in vb2_mmap
run #8: crashed: KASAN: use-after-free Read in vb2_mmap
run #9: crashed: general protection fault in vb2_mmap
# git bisect good 72a8914ff0667f029bd80a51a14719e70a3c82a9
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[b12c7afc10b01297949ef2cbc72385576169c9ed] media: platform: fix platform_no_drv_owner.cocci warnings
testing commit b12c7afc10b01297949ef2cbc72385576169c9ed with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in vb2_mmap
run #1: crashed: general protection fault in vb2_mmap
run #2: crashed: general protection fault in vb2_mmap
run #3: crashed: general protection fault in vb2_mmap
run #4: crashed: general protection fault in corrupted
run #5: crashed: general protection fault in vb2_mmap
run #6: crashed: general protection fault in vb2_mmap
run #7: crashed: general protection fault in vb2_mmap
run #8: crashed: general protection fault in vb2_mmap
run #9: crashed: general protection fault in vb2_mmap
# git bisect good b12c7afc10b01297949ef2cbc72385576169c9ed
Bisecting: 2 revisions left to test after this (roughly 1 step)
[ac791f19a273a7fe254a7596f193af6534582a9f] media: cec-pin: fix broken tx_ignore_nack_until_eom error injection
testing commit ac791f19a273a7fe254a7596f193af6534582a9f with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in vb2_mmap
# git bisect good ac791f19a273a7fe254a7596f193af6534582a9f
Bisecting: 0 revisions left to test after this (roughly 1 step)
[cd26d1c4d1bc947b56ae404998ae2276df7b39b7] media: vb2: vb2_mmap: move lock up
testing commit cd26d1c4d1bc947b56ae404998ae2276df7b39b7 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad cd26d1c4d1bc947b56ae404998ae2276df7b39b7
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[2e84eb9affac43eeaf834992888b72426a8cd442] media: pulse8-cec: return 0 when invalidating the logical address
testing commit 2e84eb9affac43eeaf834992888b72426a8cd442 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in vb2_mmap
run #1: crashed: KASAN: use-after-free Read in vb2_mmap
run #2: crashed: general protection fault in vb2_mmap
run #3: crashed: general protection fault in vb2_mmap
run #4: crashed: general protection fault in vb2_mmap
run #5: crashed: general protection fault in vb2_mmap
run #6: crashed: general protection fault in vb2_mmap
run #7: crashed: general protection fault in vb2_mmap
run #8: crashed: general protection fault in vb2_mmap
run #9: crashed: general protection fault in vb2_mmap
# git bisect good 2e84eb9affac43eeaf834992888b72426a8cd442
cd26d1c4d1bc947b56ae404998ae2276df7b39b7 is the first bad commit
commit cd26d1c4d1bc947b56ae404998ae2276df7b39b7
Author: Hans Verkuil
Date: Tue Nov 13 09:06:46 2018 -0500

    media: vb2: vb2_mmap: move lock up

    If a filehandle is dup()ped, then it is possible to close it from one fd and call mmap from the other. This creates a race condition in vb2_mmap where it is using queue data that __vb2_queue_free (called from close()) is in the process of releasing.

    By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided since __vb2_queue_free is called with the same mutex locked. So vb2_mmap now reads consistent buffer data.

    Signed-off-by: Hans Verkuil
    Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab

:040000 040000 587a356eabbf44b8168c5aafb2d64d5c21e7658b 018bf579bba63c6ee215f323a95381398fc636a0 M drivers
revisions tested: 19, total time: 4h26m2.108338013s (build: 1h50m6.852800342s, test: 2h29m25.527730912s)
first good commit: cd26d1c4d1bc947b56ae404998ae2276df7b39b7 media: vb2: vb2_mmap: move lock up
cc: ["hansverk@cisco.com" "hverkuil@xs4all.nl" "kyungmin.park@samsung.com" "linux-kernel@vger.kernel.org" "linux-media@vger.kernel.org" "m.szyprowski@samsung.com" "mchehab+samsung@kernel.org" "mchehab@kernel.org" "pawel@osciak.com" "tfiga@chromium.org"]