bisecting fixing commit since c63ee2939dc1c6eee6c544af1b4ab441490bfe6e
building syzkaller on 598ca6c8b8766304c3b2865e38f5f301c39bd299
testing commit c63ee2939dc1c6eee6c544af1b4ab441490bfe6e with gcc (GCC) 8.1.0
kernel signature: 0c524f5f1bea76ef62b180fc546be871c66c5cbd
run #0: crashed: WARNING in __vb2_queue_cancel
run #1: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #2: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #3: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #4: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #5: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #6: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #7: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #8: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #9: crashed: INFO: task hung in vivid_stop_generating_vid_cap
testing current HEAD 672481c2deffb371d8a7dfdc009e44c09864a869
testing commit 672481c2deffb371d8a7dfdc009e44c09864a869 with gcc (GCC) 8.1.0
kernel signature: 7814dbff878b8de514d9b40de0da378721c5b452
all runs: OK
# git bisect start 672481c2deffb371d8a7dfdc009e44c09864a869 c63ee2939dc1c6eee6c544af1b4ab441490bfe6e
Bisecting: 651 revisions left to test after this (roughly 9 steps)
[005874c5170e70c92010a23d766f76f721ae52ba] vfio-mdev/samples: Use u8 instead of char for handle functions
testing commit 005874c5170e70c92010a23d766f76f721ae52ba with gcc (GCC) 8.1.0
kernel signature: 5aafd4647d6c9ab450d591e8f457d3b53b083957
all runs: OK
# git bisect bad 005874c5170e70c92010a23d766f76f721ae52ba
Bisecting: 325 revisions left to test after this (roughly 8 steps)
[9b572e8bc0385c05009b173f0385ee7d1fb45583] s390/perf: Return error when debug_register fails
testing commit 9b572e8bc0385c05009b173f0385ee7d1fb45583 with gcc (GCC) 8.1.0
kernel signature: a684331b8fdd99041820af8d90c4f7db69217ae1
run #0: crashed: WARNING in __vb2_queue_cancel
run #1: crashed: WARNING in __vb2_queue_cancel
run #2: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #3: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #4: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #5: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #6: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #7: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #8: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #9: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 9b572e8bc0385c05009b173f0385ee7d1fb45583
Bisecting: 162 revisions left to test after this (roughly 7 steps)
[0af5ae268e24e265494ea4e91119ddd241744195] x86/speculation: Fix incorrect MDS/TAA mitigation status
testing commit 0af5ae268e24e265494ea4e91119ddd241744195 with gcc (GCC) 8.1.0
kernel signature: a61fe01dbbb25e0bcfe714519d9548b49c820085
run #0: crashed: WARNING in __vb2_queue_cancel
run #1: crashed: WARNING in __vb2_queue_cancel
run #2: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #3: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #4: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #5: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #6: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #7: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #8: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #9: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 0af5ae268e24e265494ea4e91119ddd241744195
Bisecting: 81 revisions left to test after this (roughly 6 steps)
[ee6d2bedb400ffc904ddddc06270167ec43c6565] scsi: lpfc: Fix dif and first burst use in write commands
testing commit ee6d2bedb400ffc904ddddc06270167ec43c6565 with gcc (GCC) 8.1.0
kernel signature: 9d9045340233731fd594af20562bdc7c2cef3393
all runs: OK
# git bisect bad ee6d2bedb400ffc904ddddc06270167ec43c6565
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[80e28fa256c9ebf9174662a62c8cf0fa529c992f] ASoC: kirkwood: fix device remove ordering
testing commit 80e28fa256c9ebf9174662a62c8cf0fa529c992f with gcc (GCC) 8.1.0
kernel signature: 27468c7a59a80fe9cb5094c2ed80529c2470b92a
all runs: OK
# git bisect bad 80e28fa256c9ebf9174662a62c8cf0fa529c992f
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[0439d6b901872933da7003413e1bae327c225717] USB: chaoskey: fix error case of a timeout
testing commit 0439d6b901872933da7003413e1bae327c225717 with gcc (GCC) 8.1.0
kernel signature: b2c0bdab9e31919c5bb2c77285b6368f3a77994d
all runs: OK
# git bisect bad 0439d6b901872933da7003413e1bae327c225717
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[61e73cf57ed81f63ccce6209f16568578953a3ef] cpufreq: Add NULL checks to show() and store() methods of cpufreq
testing commit 61e73cf57ed81f63ccce6209f16568578953a3ef with gcc (GCC) 8.1.0
kernel signature: ce359b642dec26ea29b7b0bc8c4ea0a75f7ab8b6
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor487061062" "root@10.128.10.37:./syz-executor487061062"]: exit status 1
ssh: connect to host 10.128.10.37 port 22: Connection timed out
lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 61e73cf57ed81f63ccce6209f16568578953a3ef
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[3510fb7947d5a7ca662178efe4f8d3712bb85177] ALSA: usb-audio: Fix NULL dereference at parsing BADD
testing commit 3510fb7947d5a7ca662178efe4f8d3712bb85177 with gcc (GCC) 8.1.0
kernel signature: a6b241d44cd1a89d6a29f2de34f82b68efa5c07b
run #0: crashed: WARNING in __vb2_queue_cancel
run #1: crashed: WARNING in __vb2_queue_cancel
run #2: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #3: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #4: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #5: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #6: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #7: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #8: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #9: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 3510fb7947d5a7ca662178efe4f8d3712bb85177
Bisecting: 2 revisions left to test after this (roughly 1 step)
[b73b28b1b2cbc345cbe24d98b0997ec599bf4d06] media: vivid: Set vid_cap_streaming and vid_out_streaming to true
testing commit b73b28b1b2cbc345cbe24d98b0997ec599bf4d06 with gcc (GCC) 8.1.0
kernel signature: d56fd29f837d891ee2cb5d8146195cdcb72b2876
run #0: crashed: WARNING in __vb2_queue_cancel
run #1: crashed: WARNING in __vb2_queue_cancel
run #2: crashed: WARNING in __vb2_queue_cancel
run #3: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #4: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #5: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #6: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #7: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #8: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #9: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good b73b28b1b2cbc345cbe24d98b0997ec599bf4d06
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f217cef919dacaab257df22355ae6d275c126f61] media: usbvision: Fix races among open, close, and disconnect
testing commit f217cef919dacaab257df22355ae6d275c126f61 with gcc (GCC) 8.1.0
kernel signature: c49e3cbbfc7b2599152fbdec3f9ded058e4380f5
all runs: OK
# git bisect bad f217cef919dacaab257df22355ae6d275c126f61
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[467052f6ea5a51524992e43f02b543550495c391] media: vivid: Fix wrong locking that causes race conditions on streaming stop
testing commit 467052f6ea5a51524992e43f02b543550495c391 with gcc (GCC) 8.1.0
kernel signature: 89bbcf7f4e1bc6af73c3f5ab969f79ebcbb32193
all runs: OK
# git bisect bad 467052f6ea5a51524992e43f02b543550495c391
467052f6ea5a51524992e43f02b543550495c391 is the first bad commit
commit 467052f6ea5a51524992e43f02b543550495c391
Author: Alexander Popov
Date:   Sun Nov 3 23:17:19 2019 +0100

    media: vivid: Fix wrong locking that causes race conditions on streaming stop

    commit 6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27 upstream.

    There is the same incorrect approach to locking implemented in
    vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out() and
    sdr_cap_stop_streaming().

    These functions are called during streaming stopping with vivid_dev.mutex
    locked. And they all do the same mistake while stopping their kthreads,
    which need to lock this mutex as well. See the example from
    vivid_stop_generating_vid_cap():

        /* shutdown control thread */
        vivid_grab_controls(dev, false);
        mutex_unlock(&dev->mutex);
        kthread_stop(dev->kthread_vid_cap);
        dev->kthread_vid_cap = NULL;
        mutex_lock(&dev->mutex);

    But when this mutex is unlocked, another vb2_fop_read() can lock it
    instead of vivid_thread_vid_cap() and manipulate the buffer queue.
    That causes a use-after-free access later.

    To fix those issues let's:
    1. avoid unlocking the mutex in vivid_stop_generating_vid_cap(),
       vivid_stop_generating_vid_out() and sdr_cap_stop_streaming();
    2. use mutex_trylock() with schedule_timeout_uninterruptible() in the
       loops of the vivid kthread handlers.

    Signed-off-by: Alexander Popov
    Acked-by: Linus Torvalds
    Tested-by: Hans Verkuil
    Signed-off-by: Hans Verkuil
    Cc: # for v3.18 and up
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

 drivers/media/platform/vivid/vivid-kthread-cap.c | 8 +++++---
 drivers/media/platform/vivid/vivid-kthread-out.c | 8 +++++---
 drivers/media/platform/vivid/vivid-sdr-cap.c     | 8 +++++---
 3 files changed, 15 insertions(+), 9 deletions(-)

culprit signature: 89bbcf7f4e1bc6af73c3f5ab969f79ebcbb32193
parent signature: d56fd29f837d891ee2cb5d8146195cdcb72b2876
revisions tested: 13, total time: 3h47m30.85761855s (build: 1h50m26.970107935s, test: 1h55m53.803800573s)
first good commit: 467052f6ea5a51524992e43f02b543550495c391 media: vivid: Fix wrong locking that causes race conditions on streaming stop
cc: ["alex.popov@linux.com" "gregkh@linuxfoundation.org" "hverkuil-cisco@xs4all.nl" "mchehab@kernel.org" "torvalds@linux-foundation.org"]