bisecting fixing commit since db2d0b7c1dde59b93045a6d011f392fb04b276af
building syzkaller on 03e0d245596b0276ea0cdc8efe6120f51653a713
testing commit db2d0b7c1dde59b93045a6d011f392fb04b276af with gcc (GCC) 8.1.0
kernel signature: 88108425d85f35c7cdf7b20475a61ceafbaa2ad7
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
testing current HEAD 672481c2deffb371d8a7dfdc009e44c09864a869
testing commit 672481c2deffb371d8a7dfdc009e44c09864a869 with gcc (GCC) 8.1.0
kernel signature: 81a392e6b7e01c69aac20db5e0c0d28433368268
all runs: OK
# git bisect start 672481c2deffb371d8a7dfdc009e44c09864a869 db2d0b7c1dde59b93045a6d011f392fb04b276af
Bisecting: 1463 revisions left to test after this (roughly 11 steps)
[0ab2545aa4041357d7300b7ebc402313671c7a1c] powerpc/64s/hash: Fix stab_rr off by one initialization
testing commit 0ab2545aa4041357d7300b7ebc402313671c7a1c with gcc (GCC) 8.1.0
kernel signature: 211accb93f4d3b5fce2076869baa4a179c68590e
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good 0ab2545aa4041357d7300b7ebc402313671c7a1c
Bisecting: 731 revisions left to test after this (roughly 10 steps)
[dee3f77032077225a2346ffd142091c7c41fe939] tracing: Lock event_mutex before synth_event_mutex
testing commit dee3f77032077225a2346ffd142091c7c41fe939 with gcc (GCC) 8.1.0
kernel signature: 659d54c924cfba91b88b7441419d6c5bf285da57
all runs: OK
# git bisect bad dee3f77032077225a2346ffd142091c7c41fe939
Bisecting: 365 revisions left to test after this (roughly 9 steps)
[e6c540bf97860b1256ea623f4257743ea22268df] net: sched: avoid writing on noop_qdisc
testing commit e6c540bf97860b1256ea623f4257743ea22268df with gcc (GCC) 8.1.0
kernel signature: 95df6dd8d91efe6efaafd1761f76e982392c0e6a
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good e6c540bf97860b1256ea623f4257743ea22268df
Bisecting: 182 revisions left to test after this (roughly 8 steps)
[8deaaf77ce2efb3f314c97fa2e1f73eb6899d8c3] linux/bitmap.h: handle constant zero-size bitmaps correctly
testing commit 8deaaf77ce2efb3f314c97fa2e1f73eb6899d8c3 with gcc (GCC) 8.1.0
kernel signature: 2d85fc49e8e974badf417f78a30a260cba176a03
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good 8deaaf77ce2efb3f314c97fa2e1f73eb6899d8c3
Bisecting: 91 revisions left to test after this (roughly 7 steps)
[f8dc0350d32bc4c7c3b27698bbde319ca1e632a3] ath9k_hw: fix uninitialized variable data
testing commit f8dc0350d32bc4c7c3b27698bbde319ca1e632a3 with gcc (GCC) 8.1.0
kernel signature: d814be323be200ded8a701d1eca09301b9990a24
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good f8dc0350d32bc4c7c3b27698bbde319ca1e632a3
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[9a5933aa1242fc11ba3474dd4b73ee9dbdfcf995] reset: Fix memory leak in reset_control_array_put()
testing commit 9a5933aa1242fc11ba3474dd4b73ee9dbdfcf995 with gcc (GCC) 8.1.0
kernel signature: 04380e23f4aecf27d686975f6f35f064cb16ead8
all runs: OK
# git bisect bad 9a5933aa1242fc11ba3474dd4b73ee9dbdfcf995
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[78260a294c04952758f9367f6d92ab129dd8fffb] media: imon: invalid dereference in imon_touch_event
testing commit 78260a294c04952758f9367f6d92ab129dd8fffb with gcc (GCC) 8.1.0
kernel signature: b2f1f4eb6de8ac41d473cf989cb0a760927afb48
all runs: OK
# git bisect bad 78260a294c04952758f9367f6d92ab129dd8fffb
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[344966da99c962bea479298e4d3744e0c6a513f1] nbd: prevent memory leak
testing commit 344966da99c962bea479298e4d3744e0c6a513f1 with gcc (GCC) 8.1.0
kernel signature: 2d0eb4f81aa375a59ffc7b0193090982eb841b0f
run #0: crashed: KASAN: null-ptr-deref Write in sdr_cap_stop_streaming
run #1: crashed: INFO: task hung in sdr_cap_stop_streaming
run #2: crashed: INFO: task hung in sdr_cap_stop_streaming
run #3: crashed: INFO: task hung in sdr_cap_stop_streaming
run #4: crashed: INFO: task hung in sdr_cap_stop_streaming
run #5: crashed: INFO: task hung in sdr_cap_stop_streaming
run #6: crashed: INFO: task hung in sdr_cap_stop_streaming
run #7: crashed: INFO: task hung in sdr_cap_stop_streaming
run #8: crashed: INFO: task hung in sdr_cap_stop_streaming
run #9: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good 344966da99c962bea479298e4d3744e0c6a513f1
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[467052f6ea5a51524992e43f02b543550495c391] media: vivid: Fix wrong locking that causes race conditions on streaming stop
testing commit 467052f6ea5a51524992e43f02b543550495c391 with gcc (GCC) 8.1.0
kernel signature: 9e11bd80beb7893bc7cb35501da549f7d30683fd
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor376060539" "root@10.128.1.21:./syz-executor376060539"]: exit status 1 ssh: connect to host 10.128.1.21 port 22: Connection timed out lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 467052f6ea5a51524992e43f02b543550495c391
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[3510fb7947d5a7ca662178efe4f8d3712bb85177] ALSA: usb-audio: Fix NULL dereference at parsing BADD
testing commit 3510fb7947d5a7ca662178efe4f8d3712bb85177 with gcc (GCC) 8.1.0
kernel signature: f9c250c4b5095631489b9a6fa039a8de62021b24
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good 3510fb7947d5a7ca662178efe4f8d3712bb85177
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b73b28b1b2cbc345cbe24d98b0997ec599bf4d06] media: vivid: Set vid_cap_streaming and vid_out_streaming to true
testing commit b73b28b1b2cbc345cbe24d98b0997ec599bf4d06 with gcc (GCC) 8.1.0
kernel signature: 7fed615f431ea9bacd2c20808518047af8d86f44
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good b73b28b1b2cbc345cbe24d98b0997ec599bf4d06
467052f6ea5a51524992e43f02b543550495c391 is the first bad commit
commit 467052f6ea5a51524992e43f02b543550495c391
Author: Alexander Popov
Date:   Sun Nov 3 23:17:19 2019 +0100

    media: vivid: Fix wrong locking that causes race conditions on streaming stop

    commit 6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27 upstream.

    There is the same incorrect approach to locking implemented in
    vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out() and
    sdr_cap_stop_streaming().

    These functions are called during streaming stopping with vivid_dev.mutex
    locked. And they all do the same mistake while stopping their kthreads,
    which need to lock this mutex as well. See the example from
    vivid_stop_generating_vid_cap():

        /* shutdown control thread */
        vivid_grab_controls(dev, false);
        mutex_unlock(&dev->mutex);
        kthread_stop(dev->kthread_vid_cap);
        dev->kthread_vid_cap = NULL;
        mutex_lock(&dev->mutex);

    But when this mutex is unlocked, another vb2_fop_read() can lock it
    instead of vivid_thread_vid_cap() and manipulate the buffer queue.
    That causes a use-after-free access later.

    To fix those issues let's:
      1. avoid unlocking the mutex in vivid_stop_generating_vid_cap(),
         vivid_stop_generating_vid_out() and sdr_cap_stop_streaming();
      2. use mutex_trylock() with schedule_timeout_uninterruptible() in
         the loops of the vivid kthread handlers.

    Signed-off-by: Alexander Popov
    Acked-by: Linus Torvalds
    Tested-by: Hans Verkuil
    Signed-off-by: Hans Verkuil
    Cc: # for v3.18 and up
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

 drivers/media/platform/vivid/vivid-kthread-cap.c | 8 +++++---
 drivers/media/platform/vivid/vivid-kthread-out.c | 8 +++++---
 drivers/media/platform/vivid/vivid-sdr-cap.c     | 8 +++++---
 3 files changed, 15 insertions(+), 9 deletions(-)

culprit signature: 9e11bd80beb7893bc7cb35501da549f7d30683fd
parent signature: 7fed615f431ea9bacd2c20808518047af8d86f44
revisions tested: 13, total time: 3h34m22.258923688s (build: 1h50m57.225727808s, test: 1h41m40.722287676s)
first good commit: 467052f6ea5a51524992e43f02b543550495c391 media: vivid: Fix wrong locking that causes race conditions on streaming stop
cc: ["alex.popov@linux.com" "gregkh@linuxfoundation.org" "hverkuil-cisco@xs4all.nl" "mchehab@kernel.org" "torvalds@linux-foundation.org"]