bisecting fixing commit since ef244c3088856cf048c77231653b4c92a7b2213c
building syzkaller on af5c522d02400b35a930d6fbdf286f9ce2afc8ba
testing commit ef244c3088856cf048c77231653b4c92a7b2213c with gcc (GCC) 8.1.0
kernel signature: 3cddcc08717c5f743a8e835bc2d98c2b7050b404
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
testing current HEAD 672481c2deffb371d8a7dfdc009e44c09864a869
testing commit 672481c2deffb371d8a7dfdc009e44c09864a869 with gcc (GCC) 8.1.0
kernel signature: e32f7719e7764a9a1728f466f605f745d6475149
all runs: OK
# git bisect start 672481c2deffb371d8a7dfdc009e44c09864a869 ef244c3088856cf048c77231653b4c92a7b2213c
Bisecting: 1061 revisions left to test after this (roughly 10 steps)
[e80e88ef6057c7947409bda9898387d25e54aaa9] drm/i915/userptr: Try to acquire the page lock around set_page_dirty()
testing commit e80e88ef6057c7947409bda9898387d25e54aaa9 with gcc (GCC) 8.1.0
kernel signature: 7d0d2bdaf6ba1e07f3729940a6f1e30911015f87
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good e80e88ef6057c7947409bda9898387d25e54aaa9
Bisecting: 530 revisions left to test after this (roughly 9 steps)
[07575de062cde051926e1f951548f112d9463637] ACPI / APEI: Don't wait to serialise with oops messages when panic()ing
testing commit 07575de062cde051926e1f951548f112d9463637 with gcc (GCC) 8.1.0
kernel signature: c70e804faefb6749a2f355902805c43125c426c5
all runs: OK
# git bisect bad 07575de062cde051926e1f951548f112d9463637
Bisecting: 265 revisions left to test after this (roughly 8 steps)
[61f6a3fac394fb4f2325196d8fb4cd2b6c8a3ac7] usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit()
testing commit 61f6a3fac394fb4f2325196d8fb4cd2b6c8a3ac7 with gcc (GCC) 8.1.0
kernel signature: f0fc31827cd47d2f3f9be8954373950bd7fef9c7
all runs: OK
# git bisect bad 61f6a3fac394fb4f2325196d8fb4cd2b6c8a3ac7
Bisecting: 132 revisions left to test after this (roughly 7 steps)
[b948d56951be8e8fe169c608cf384f5303ae4d0c] macsec: let the administrator set UP state even if lowerdev is down
testing commit b948d56951be8e8fe169c608cf384f5303ae4d0c with gcc (GCC) 8.1.0
kernel signature: c91bdd138bc1e7f0775427d42af366467db3a04b
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good b948d56951be8e8fe169c608cf384f5303ae4d0c
Bisecting: 66 revisions left to test after this (roughly 6 steps)
[06ed77066838a07a0126c4d09fc843d1a692c419] wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()'
testing commit 06ed77066838a07a0126c4d09fc843d1a692c419 with gcc (GCC) 8.1.0
kernel signature: 6e990c1bfb995d52cb1df4200a5854e57eae767c
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 06ed77066838a07a0126c4d09fc843d1a692c419
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[091ed093c9c8a1c4c0243924131c8344383aeec3] mm/memory_hotplug: Do not unlock when fails to take the device_hotplug_lock
testing commit 091ed093c9c8a1c4c0243924131c8344383aeec3 with gcc (GCC) 8.1.0
kernel signature: 1e93b45a4200ca5c1fdab831c4215c34b98ab5f6
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 091ed093c9c8a1c4c0243924131c8344383aeec3
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[ed7a3dde0aa224051c6455fce3755bf48c062178] x86/speculation: Fix redundant MDS mitigation message
testing commit ed7a3dde0aa224051c6455fce3755bf48c062178 with gcc (GCC) 8.1.0
kernel signature: 165ac4fb31150620af530f00c3180d2b40d65953
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good ed7a3dde0aa224051c6455fce3755bf48c062178
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[f217cef919dacaab257df22355ae6d275c126f61] media: usbvision: Fix races among open, close, and disconnect
testing commit f217cef919dacaab257df22355ae6d275c126f61 with gcc (GCC) 8.1.0
kernel signature: 7c73c3c5867de58dcf57832e5aec850027e7f2a9
all runs: OK
# git bisect bad f217cef919dacaab257df22355ae6d275c126f61
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[3510fb7947d5a7ca662178efe4f8d3712bb85177] ALSA: usb-audio: Fix NULL dereference at parsing BADD
testing commit 3510fb7947d5a7ca662178efe4f8d3712bb85177 with gcc (GCC) 8.1.0
kernel signature: 8a24e8114695f416ff1f0126a70428607f0435be
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 3510fb7947d5a7ca662178efe4f8d3712bb85177
Bisecting: 1 revision left to test after this (roughly 1 step)
[b73b28b1b2cbc345cbe24d98b0997ec599bf4d06] media: vivid: Set vid_cap_streaming and vid_out_streaming to true
testing commit b73b28b1b2cbc345cbe24d98b0997ec599bf4d06 with gcc (GCC) 8.1.0
kernel signature: 0c9ca4bd68cf476895fd71c866d8a7c6d7e7e044
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good b73b28b1b2cbc345cbe24d98b0997ec599bf4d06
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[467052f6ea5a51524992e43f02b543550495c391] media: vivid: Fix wrong locking that causes race conditions on streaming stop
testing commit 467052f6ea5a51524992e43f02b543550495c391 with gcc (GCC) 8.1.0
kernel signature: 84d7a48590ee1eeca2343cc14f5d5e61849e9995
all runs: OK
# git bisect bad 467052f6ea5a51524992e43f02b543550495c391
467052f6ea5a51524992e43f02b543550495c391 is the first bad commit
commit 467052f6ea5a51524992e43f02b543550495c391
Author: Alexander Popov
Date:   Sun Nov 3 23:17:19 2019 +0100

    media: vivid: Fix wrong locking that causes race conditions on streaming stop

    commit 6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27 upstream.

    There is the same incorrect approach to locking implemented in
    vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out() and
    sdr_cap_stop_streaming().

    These functions are called during streaming stopping with vivid_dev.mutex
    locked. And they all do the same mistake while stopping their kthreads,
    which need to lock this mutex as well. See the example from
    vivid_stop_generating_vid_cap():

        /* shutdown control thread */
        vivid_grab_controls(dev, false);
        mutex_unlock(&dev->mutex);
        kthread_stop(dev->kthread_vid_cap);
        dev->kthread_vid_cap = NULL;
        mutex_lock(&dev->mutex);

    But when this mutex is unlocked, another vb2_fop_read() can lock it
    instead of vivid_thread_vid_cap() and manipulate the buffer queue.
    That causes a use-after-free access later.

    To fix those issues let's:
      1. avoid unlocking the mutex in vivid_stop_generating_vid_cap(),
         vivid_stop_generating_vid_out() and sdr_cap_stop_streaming();
      2. use mutex_trylock() with schedule_timeout_uninterruptible() in the
         loops of the vivid kthread handlers.

    Signed-off-by: Alexander Popov
    Acked-by: Linus Torvalds
    Tested-by: Hans Verkuil
    Signed-off-by: Hans Verkuil
    Cc: # for v3.18 and up
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

 drivers/media/platform/vivid/vivid-kthread-cap.c | 8 +++++---
 drivers/media/platform/vivid/vivid-kthread-out.c | 8 +++++---
 drivers/media/platform/vivid/vivid-sdr-cap.c     | 8 +++++---
 3 files changed, 15 insertions(+), 9 deletions(-)

culprit signature: 84d7a48590ee1eeca2343cc14f5d5e61849e9995
parent signature: 0c9ca4bd68cf476895fd71c866d8a7c6d7e7e044
revisions tested: 13, total time: 3h33m27.480621883s (build: 1h50m43.255751818s, test: 1h41m17.236756695s)
first good commit: 467052f6ea5a51524992e43f02b543550495c391 media: vivid: Fix wrong locking that causes race conditions on streaming stop
cc: ["alex.popov@linux.com" "gregkh@linuxfoundation.org" "hverkuil-cisco@xs4all.nl" "mchehab@kernel.org" "torvalds@linux-foundation.org"]
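The locking pattern the commit message describes, modelled in user space with pthreads. This is an added example, not code from the vivid driver or from the patch: dev->mutex is a pthread mutex, the kthread is a pthread, kthread_stop() is "set the stop flag, then wait for the thread to exit", the vb2 buffer queue is an int, and the `stopping` / `worker_wants_lock` flags exist only to instrument the model. `run(true)` is the fixed shape (mutex held across the stop, worker loop on trylock + sleep): the stop completes and the competing reader cannot touch the queue until teardown is over. `run(false)` keeps the mutex held but gives the worker the old blocking mutex_lock(), which is exactly the deadlock that the original code avoided by unlocking around kthread_stop(); the model reports it as a stop that does not complete within the 100 ms timeout.

```c
/* Pthreads model of the vivid streaming-stop path (added example; the
 * names below are stand-ins, not the driver's own code). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <semaphore.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

struct sim {
    pthread_mutex_t mutex;           /* stand-in for vivid_dev.mutex */
    bool worker_trylock;             /* true: mutex_trylock()+sleep loop (the fix) */
    atomic_bool stop_requested;      /* kthread_should_stop() */
    atomic_bool stopping;            /* instrumentation: stop routine in progress */
    atomic_bool worker_wants_lock;   /* instrumentation: worker entering mutex_lock() */
    atomic_int touched_during_stop;  /* reader changed the queue mid-teardown */
    atomic_int frames;               /* frames the worker queued */
    int queue_len;                   /* "buffer queue": only touched under mutex */
    sem_t worker_exited, reader_waiting;
};

struct result { bool stop_completed; int touched_during_stop; int frames; };

static void nap_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* vivid_thread_vid_cap() analogue. */
static void *worker(void *arg)
{
    struct sim *s = arg;
    while (!atomic_load(&s->stop_requested)) {
        if (s->worker_trylock) {
            /* The fix: never block on the mutex, so a task that holds it can
             * call kthread_stop() and this loop still reaches the stop check. */
            if (pthread_mutex_trylock(&s->mutex) != 0) {
                nap_ms(1);                   /* schedule_timeout_uninterruptible(1) */
                continue;
            }
        } else {
            atomic_store(&s->worker_wants_lock, true);
            pthread_mutex_lock(&s->mutex);   /* the old blocking mutex_lock() */
            atomic_store(&s->worker_wants_lock, false);
        }
        s->queue_len++;                      /* queue one captured frame */
        atomic_fetch_add(&s->frames, 1);
        pthread_mutex_unlock(&s->mutex);
        nap_ms(1);                           /* frame period */
    }
    sem_post(&s->worker_exited);
    return NULL;
}

/* vb2_fop_read() analogue: another lock taker that drains the queue. */
static void *reader(void *arg)
{
    struct sim *s = arg;
    sem_post(&s->reader_waiting);
    pthread_mutex_lock(&s->mutex);
    if (atomic_load(&s->stopping))
        atomic_fetch_add(&s->touched_during_stop, 1);
    s->queue_len = 0;
    pthread_mutex_unlock(&s->mutex);
    return NULL;
}

/* Stop path as the fix has it: dev->mutex stays held across kthread_stop().
 * stop_completed == false means the worker did not exit within 100 ms, i.e.
 * the stop deadlocked (what a blocking worker loop runs into). */
static struct result run(bool worker_trylock)
{
    struct sim s = { .mutex = PTHREAD_MUTEX_INITIALIZER, .worker_trylock = worker_trylock };
    pthread_t wt, rt;
    struct timespec deadline;
    struct result r;

    sem_init(&s.worker_exited, 0, 0);
    sem_init(&s.reader_waiting, 0, 0);
    pthread_create(&wt, NULL, worker, &s);
    while (atomic_load(&s.frames) < 3)
        nap_ms(1);                           /* streaming is running */

    pthread_mutex_lock(&s.mutex);            /* stop_streaming runs with dev->mutex held */
    pthread_create(&rt, NULL, reader, &s);
    sem_wait(&s.reader_waiting);             /* reader now contends for the mutex */
    if (!worker_trylock)
        while (!atomic_load(&s.worker_wants_lock))
            nap_ms(1);                       /* worker is past its stop check, entering lock */
    atomic_store(&s.stopping, true);
    atomic_store(&s.stop_requested, true);   /* kthread_stop(): request the exit... */
    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_nsec += 100 * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) { deadline.tv_sec++; deadline.tv_nsec -= 1000000000L; }
    r.stop_completed = sem_timedwait(&s.worker_exited, &deadline) == 0;  /* ...and wait for it */
    atomic_store(&s.stopping, false);
    pthread_mutex_unlock(&s.mutex);

    pthread_join(wt, NULL);                  /* teardown; on a deadlock this releases the worker */
    pthread_join(rt, NULL);
    r.touched_during_stop = atomic_load(&s.touched_during_stop);
    r.frames = atomic_load(&s.frames);
    sem_destroy(&s.worker_exited);
    sem_destroy(&s.reader_waiting);
    pthread_mutex_destroy(&s.mutex);
    return r;
}

int main(void)
{
    struct result a = run(true), b = run(false);
    printf("trylock worker:  stop_completed=%d touched_during_stop=%d frames=%d\n",
           a.stop_completed, a.touched_during_stop, a.frames);
    printf("blocking worker: stop_completed=%d touched_during_stop=%d frames=%d\n",
           b.stop_completed, b.touched_during_stop, b.frames);
    return 0;
}
```

Build with `gcc -pthread`. The two runs together show why the fix needs both halves: holding the mutex across the stop is what keeps vb2_fop_read()-style callers out of the queue, and the kthread can only be stopped by a mutex holder if its loop never blocks on that mutex. The old code's mutex_unlock() before kthread_stop() was a workaround for the second constraint that broke the first.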