bisecting fixing commit since 9f51ae62c84a23ade0ba86457d30a30c9db0c50f
building syzkaller on 7df9db2eb2c94fd6324472f2ff0045cbcee9b74e
testing commit 9f51ae62c84a23ade0ba86457d30a30c9db0c50f with gcc (GCC) 8.1.0
run #0: crashed: KASAN: null-ptr-deref Write in kthread_stop
run #1: crashed: KASAN: null-ptr-deref Write in kthread_stop
run #2: crashed: KASAN: use-after-free Read in __vb2_perform_fileio
run #3: crashed: KASAN: null-ptr-deref Write in kthread_stop
run #4: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #5: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #6: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #7: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #8: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #9: crashed: INFO: task hung in vivid_stop_generating_vid_cap

testing current HEAD ecb095bff5d4b8711a81968625b3b4a235d3e477
testing commit ecb095bff5d4b8711a81968625b3b4a235d3e477 with gcc (GCC) 8.1.0
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor781824868" "root@10.128.0.107:./syz-executor781824868"]: exit status 1
ssh: connect to host 10.128.0.107 port 22: Connection timed out
lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK

# git bisect start ecb095bff5d4b8711a81968625b3b4a235d3e477 9f51ae62c84a23ade0ba86457d30a30c9db0c50f
Bisecting: 31576 revisions left to test after this (roughly 15 steps)
[d92da1fbb72490f999b7d0e809d13d0d52dc78ac] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
testing commit d92da1fbb72490f999b7d0e809d13d0d52dc78ac with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __vb2_perform_fileio

# git bisect good d92da1fbb72490f999b7d0e809d13d0d52dc78ac
Bisecting: 15788 revisions left to test after this (roughly 14 steps)
[3b20eb23724d493eca79f02b1e062bd5432e29d0] treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 320
testing commit 3b20eb23724d493eca79f02b1e062bd5432e29d0 with gcc (GCC) 8.1.0
all runs: OK

# git bisect bad 3b20eb23724d493eca79f02b1e062bd5432e29d0
Bisecting: 8001 revisions left to test after this (roughly 13 steps)
[b3a5e648f5917ea508ecab9a629028b186d38eae] Merge tag 'tty-5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit b3a5e648f5917ea508ecab9a629028b186d38eae with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __vb2_perform_fileio

# git bisect good b3a5e648f5917ea508ecab9a629028b186d38eae
Bisecting: 4000 revisions left to test after this (roughly 12 steps)
[7a5575212ce4b6a41581b92fe03b6be1134793ba] Merge tag 'xtensa-20190510' of git://github.com/jcmvbkbc/linux-xtensa
testing commit 7a5575212ce4b6a41581b92fe03b6be1134793ba with gcc (GCC) 8.1.0
all runs: OK

# git bisect bad 7a5575212ce4b6a41581b92fe03b6be1134793ba
Bisecting: 1583 revisions left to test after this (roughly 11 steps)
[a2d635decbfa9c1e4ae15cb05b68b2559f7f827c] Merge tag 'drm-next-2019-05-09' of git://anongit.freedesktop.org/drm/drm
testing commit a2d635decbfa9c1e4ae15cb05b68b2559f7f827c with gcc (GCC) 8.1.0
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor035712317" "root@10.128.10.48:./syz-executor035712317"]: exit status 1
ssh: connect to host 10.128.10.48 port 22: Connection timed out
lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK

# git bisect bad a2d635decbfa9c1e4ae15cb05b68b2559f7f827c
Bisecting: 1208 revisions left to test after this (roughly 10 steps)
[27eaa4927dc3be669ed70670241597ac73595caf] drm/amd/display: Add power down display on boot flag
testing commit 27eaa4927dc3be669ed70670241597ac73595caf with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __vb2_perform_fileio

# git bisect good 27eaa4927dc3be669ed70670241597ac73595caf
Bisecting: 604 revisions left to test after this (roughly 9 steps)
[e7a1414f9dc3498c4c35b9ca266d539e8bccab53] Merge tag 'media/v5.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit e7a1414f9dc3498c4c35b9ca266d539e8bccab53 with gcc (GCC) 8.1.0
all runs: OK

# git bisect bad e7a1414f9dc3498c4c35b9ca266d539e8bccab53
Bisecting: 303 revisions left to test after this (roughly 8 steps)
[d1cd7c85f9e29740fddec6f25d8bf061937bf58d] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit d1cd7c85f9e29740fddec6f25d8bf061937bf58d with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __vb2_perform_fileio

# git bisect good d1cd7c85f9e29740fddec6f25d8bf061937bf58d
Bisecting: 151 revisions left to test after this (roughly 7 steps)
[0646d347bdc2aece81e993e01528b14ffe9029b8] media: dvb: clean up redundant break statements
testing commit 0646d347bdc2aece81e993e01528b14ffe9029b8 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __vb2_perform_fileio

# git bisect good 0646d347bdc2aece81e993e01528b14ffe9029b8
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[fe460a6df6a8427d4ce7c731a0de43b6e10e9f6b] Merge tag 'pinctrl-v5.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit fe460a6df6a8427d4ce7c731a0de43b6e10e9f6b with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __vb2_perform_fileio

# git bisect good fe460a6df6a8427d4ce7c731a0de43b6e10e9f6b
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[d245a940d97b5cd0dd4eecd9530fa9ff4c5938c6] media: rcar-csi2: Use standby mode instead of resetting
testing commit d245a940d97b5cd0dd4eecd9530fa9ff4c5938c6 with gcc (GCC) 8.1.0
all runs: OK

# git bisect bad d245a940d97b5cd0dd4eecd9530fa9ff4c5938c6
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[cffc3df28450390f0de4d6907387d7c40459acab] media: dt-bindings: Document MIPID02 bindings
testing commit cffc3df28450390f0de4d6907387d7c40459acab with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __vb2_perform_fileio

# git bisect good cffc3df28450390f0de4d6907387d7c40459acab
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[d65842f7126aa1a87fb44b7c9980c12630ed4f33] media: vb2: add waiting_in_dqbuf flag
testing commit d65842f7126aa1a87fb44b7c9980c12630ed4f33 with gcc (GCC) 8.1.0
all runs: OK

# git bisect bad d65842f7126aa1a87fb44b7c9980c12630ed4f33
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[411a414b26aa107ddbbd6995e464f6cc18a1aa8c] media: mtk-vcodec: fix vp9 content playback error with show exist frame
testing commit 411a414b26aa107ddbbd6995e464f6cc18a1aa8c with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __vb2_perform_fileio

# git bisect good 411a414b26aa107ddbbd6995e464f6cc18a1aa8c
Bisecting: 2 revisions left to test after this (roughly 1 step)
[dad7e270ba712ba1c99cd2d91018af6044447a06] media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
testing commit dad7e270ba712ba1c99cd2d91018af6044447a06 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __vb2_perform_fileio

# git bisect good dad7e270ba712ba1c99cd2d91018af6044447a06
Bisecting: 0 revisions left to test after this (roughly 1 step)
[c1ced46c7b49ad7bc064e68d966e0ad303f917fb] media: pvrusb2: Prevent a buffer overflow
testing commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __vb2_perform_fileio

# git bisect good c1ced46c7b49ad7bc064e68d966e0ad303f917fb
d65842f7126aa1a87fb44b7c9980c12630ed4f33 is the first bad commit
commit d65842f7126aa1a87fb44b7c9980c12630ed4f33
Author: Hans Verkuil
Date:   Mon Nov 19 06:09:00 2018 -0500

    media: vb2: add waiting_in_dqbuf flag

    Calling VIDIOC_DQBUF can release the core serialization lock pointed to
    by vb2_queue->lock if it has to wait for a new buffer to arrive.

    However, if userspace dup()ped the video device filehandle, then it is
    possible to read or call DQBUF from two filehandles at the same time.

    It is also possible to call REQBUFS from one filehandle while the other
    is waiting for a buffer. This will remove all the buffers and reallocate
    new ones. Removing all the buffers isn't the problem here (that's already
    handled correctly by DQBUF), but the reallocating part is: DQBUF isn't
    aware that the buffers have changed.

    This is fixed by setting a flag whenever the lock is released while waiting
    for a buffer to arrive. And checking the flag where needed so we can return
    -EBUSY.

    Signed-off-by: Hans Verkuil
    Reported-by: Syzbot
    Reviewed-by: Tomasz Figa
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab

:040000 040000 1150f5c785cf3e7d341a10e54140d4df8b78c468 01f7c6cd41243d5605f4539deafc4d852b4cb86a M	drivers
:040000 040000 b7bda06f6fa220a3558c576a69b3e793b7ce7ec1 6c3c2b84b303fa736c9513e2dffcd1b21a50e687 M	include

revisions tested: 18, total time: 3h55m35.518438647s (build: 1h41m50.62107152s, test: 2h7m31.144182185s)
first good commit: d65842f7126aa1a87fb44b7c9980c12630ed4f33 media: vb2: add waiting_in_dqbuf flag
cc: ["hverkuil-cisco@xs4all.nl" "hverkuil@xs4all.nl" "mchehab+samsung@kernel.org" "tfiga@chromium.org"]
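The interleaving the commit message describes, replayed as a small user-space model in C. This is an added example, not the kernel's videobuf2 code and not part of the syzbot log above: the struct, the function names (model_reqbufs, model_dqbuf_wait_begin, model_dqbuf_wait_end, model_race) and the generation counter are invented for the model, the core lock is represented by a flag rather than a real mutex, and the two filehandles are driven sequentially from one thread so the result is deterministic. What it keeps from the real bug is the shape: DQBUF drops the serialization lock while it sleeps for a buffer, REQBUFS from a dup()ped filehandle frees and reallocates the buffer array in that window, and the waiting_in_dqbuf flag closes the window by making REQBUFS return -EBUSY.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcomes of the simulated DQBUF/REQBUFS interleaving (model-only names). */
enum outcome {
    OUTCOME_OK = 0,          /* DQBUF finished on the buffers it started with */
    OUTCOME_STALE_BUFFERS,   /* DQBUF resumed on a freed-and-replaced array: the UAF */
    OUTCOME_REQBUFS_BUSY     /* REQBUFS was refused with -EBUSY while DQBUF waited */
};

struct model_buf { int index; };

/* Constructed stand-in for the parts of vb2_queue the race touches. */
struct model_queue {
    int lock_held;            /* models vb2_queue->lock, the core serialization lock */
    int waiting_in_dqbuf;     /* the flag the commit adds: set while DQBUF sleeps unlocked */
    int fix_enabled;          /* 0: behaviour before the commit, 1: after it */
    struct model_buf *bufs;   /* array REQBUFS allocates and, on a second call, reallocates */
    int num_buffers;
    unsigned int generation;  /* bumped on every (re)allocation; lets the model detect staleness */
};

static void q_lock(struct model_queue *q)   { if (q->lock_held) abort(); q->lock_held = 1; }
static void q_unlock(struct model_queue *q) { if (!q->lock_held) abort(); q->lock_held = 0; }

/* REQBUFS: drop all buffers and allocate a fresh array of 'count' buffers. */
static int model_reqbufs(struct model_queue *q, int count)
{
    q_lock(q);
    /* The fix: refuse to reallocate while another filehandle is blocked in DQBUF. */
    if (q->fix_enabled && q->waiting_in_dqbuf) {
        q_unlock(q);
        return -EBUSY;
    }
    free(q->bufs);                       /* old array is gone; any saved reference is dangling */
    q->bufs = calloc((size_t)count, sizeof(*q->bufs));
    if (!q->bufs) { q_unlock(q); return -ENOMEM; }
    for (int i = 0; i < count; i++) q->bufs[i].index = i;
    q->num_buffers = count;
    q->generation++;
    q_unlock(q);
    return 0;
}

/* First half of DQBUF: no buffer is done, so release the core lock and sleep.
 * Returns the generation of the array the waiter was working on. */
static unsigned int model_dqbuf_wait_begin(struct model_queue *q)
{
    q_lock(q);
    unsigned int gen = q->generation;
    if (q->fix_enabled) q->waiting_in_dqbuf = 1;
    q_unlock(q);                         /* the window in which the other fd can call REQBUFS */
    return gen;
}

/* Second half of DQBUF: woken up, re-take the lock and continue with the buffers. */
static enum outcome model_dqbuf_wait_end(struct model_queue *q, unsigned int gen)
{
    q_lock(q);
    q->waiting_in_dqbuf = 0;
    /* Before the fix nothing tells DQBUF that q->bufs was freed and replaced meanwhile. */
    enum outcome res = (gen == q->generation) ? OUTCOME_OK : OUTCOME_STALE_BUFFERS;
    q_unlock(q);
    return res;
}

/* Replay: fd A blocks in DQBUF, fd B (a dup() of the same open file) calls REQBUFS, fd A wakes. */
enum outcome model_race(int fix_enabled)
{
    struct model_queue q = { .fix_enabled = fix_enabled };
    enum outcome res;

    if (model_reqbufs(&q, 4) != 0) abort();        /* initial allocation, nobody waiting yet */
    unsigned int gen = model_dqbuf_wait_begin(&q); /* fd A: nothing ready, sleep with lock dropped */
    if (model_reqbufs(&q, 8) == -EBUSY) {          /* fd B: try to reallocate */
        res = OUTCOME_REQBUFS_BUSY;
        (void)model_dqbuf_wait_end(&q, gen);       /* fd A later wakes on the untouched array */
    } else {
        res = model_dqbuf_wait_end(&q, gen);       /* fd A wakes on the replaced array */
    }
    free(q.bufs);
    return res;
}

/* With no waiter the flag stays clear, so a second REQBUFS still succeeds even with the fix. */
int model_reqbufs_idle(int fix_enabled)
{
    struct model_queue q = { .fix_enabled = fix_enabled };
    int ret = model_reqbufs(&q, 4);
    if (ret == 0) ret = model_reqbufs(&q, 8);
    free(q.bufs);
    return ret;
}

int main(void)
{
    printf("without waiting_in_dqbuf: outcome %d (1 = stale buffers)\n", model_race(0));
    printf("with    waiting_in_dqbuf: outcome %d (2 = REQBUFS got -EBUSY)\n", model_race(1));
    return 0;
}
```

The generation counter exists only so the model can report the stale state instead of dereferencing freed memory; in the kernel that dereference is what KASAN reported as the use-after-free in __vb2_perform_fileio. The point the flag makes is that the lock alone is not enough once it is dropped mid-operation: the waiter has to publish that it is in the middle of something so the reallocation path can back off.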