bisecting fixing commit since 19bb613acb9ad8e57593cad5118acaee117cc303
building syzkaller on b617407b25b37a7a8efa47127005d1f20dd0abe1
testing commit 19bb613acb9ad8e57593cad5118acaee117cc303 with gcc (GCC) 8.1.0
kernel signature: 75bb3e0a74f2378bc7a31e108086ac7dc57b3246
run #0: crashed: KASAN: use-after-free Read in __vb2_perform_fileio
run #1: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #2: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #3: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #4: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #5: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #6: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #7: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #8: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #9: crashed: INFO: task hung in vivid_stop_generating_vid_cap
testing current HEAD 672481c2deffb371d8a7dfdc009e44c09864a869
testing commit 672481c2deffb371d8a7dfdc009e44c09864a869 with gcc (GCC) 8.1.0
kernel signature: bc5fcb7a4517b06160d52e0c77bf41e0269720f0
all runs: OK
# git bisect start 672481c2deffb371d8a7dfdc009e44c09864a869 19bb613acb9ad8e57593cad5118acaee117cc303
Bisecting: 2988 revisions left to test after this (roughly 12 steps)
[842da8fac1821f3a63130f5e87c9356ed51d046c] mmc: sdhci-pci: Add support for Intel CML
testing commit 842da8fac1821f3a63130f5e87c9356ed51d046c with gcc (GCC) 8.1.0
kernel signature: cf0a2c2b99c62edc91334d923bb24adf6ea93dd0
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 842da8fac1821f3a63130f5e87c9356ed51d046c
Bisecting: 1494 revisions left to test after this (roughly 11 steps)
[75fd1aec33c6395c602fb866b37115eb23da04b6] arm64: dts: rockchip: Fix I2C bus unit-address error on rk3399-puma-haikou
testing commit 75fd1aec33c6395c602fb866b37115eb23da04b6 with gcc (GCC) 8.1.0
kernel signature: 794d6754b4fadbe9e62edbdd91e7b9b676640beb
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 75fd1aec33c6395c602fb866b37115eb23da04b6
Bisecting: 747 revisions left to test after this (roughly 10 steps)
[7302e7b10855e8512d406e2cb32916c71edb8936] can: mcp251x: mcp251x_restart_work_handler(): Fix potential force_quit race condition
testing commit 7302e7b10855e8512d406e2cb32916c71edb8936 with gcc (GCC) 8.1.0
kernel signature: 53c95211df0644d63c372691ad83d085d451d441
all runs: OK
# git bisect bad 7302e7b10855e8512d406e2cb32916c71edb8936
Bisecting: 373 revisions left to test after this (roughly 9 steps)
[d56fe8f59a236845ed3c90deba063780282ec2ba] lightnvm: pblk: guarantee emeta on line close
testing commit d56fe8f59a236845ed3c90deba063780282ec2ba with gcc (GCC) 8.1.0
kernel signature: bf1ab491a2b02a22d09d97b8e1684b6f59f3c3e8
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good d56fe8f59a236845ed3c90deba063780282ec2ba
Bisecting: 186 revisions left to test after this (roughly 8 steps)
[bcba80f38a003f0cfcebb8502ab81cb043a68977] fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle()
testing commit bcba80f38a003f0cfcebb8502ab81cb043a68977 with gcc (GCC) 8.1.0
kernel signature: be4307f1670f8ab150bd405113687e7a7d6d63ff
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good bcba80f38a003f0cfcebb8502ab81cb043a68977
Bisecting: 93 revisions left to test after this (roughly 7 steps)
[367e64ce11fc59fc51b41a8f0f2ba4b5daa23a17] of: unittest: initialize args before calling of_*parse_*()
testing commit 367e64ce11fc59fc51b41a8f0f2ba4b5daa23a17 with gcc (GCC) 8.1.0
kernel signature: eff83504a4eef77466ac94d0d926a3021d0c5f7d
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 367e64ce11fc59fc51b41a8f0f2ba4b5daa23a17
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[0439d6b901872933da7003413e1bae327c225717] USB: chaoskey: fix error case of a timeout
testing commit 0439d6b901872933da7003413e1bae327c225717 with gcc (GCC) 8.1.0
kernel signature: d73362488b9a52d88e91fa5b913cf741a83b6f2b
all runs: OK
# git bisect bad 0439d6b901872933da7003413e1bae327c225717
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[046f0fcf7397fa0b6c7925d1f4fd3fe69af2278a] ocfs2: remove ocfs2_is_o2cb_active()
testing commit 046f0fcf7397fa0b6c7925d1f4fd3fe69af2278a with gcc (GCC) 8.1.0
kernel signature: bd9890a799dae1737acbcf9bdc93337da5d512df
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 046f0fcf7397fa0b6c7925d1f4fd3fe69af2278a
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[467052f6ea5a51524992e43f02b543550495c391] media: vivid: Fix wrong locking that causes race conditions on streaming stop
testing commit 467052f6ea5a51524992e43f02b543550495c391 with gcc (GCC) 8.1.0
kernel signature: 411a025282cc8b253185500b71afd0f75ac8b2a3
all runs: OK
# git bisect bad 467052f6ea5a51524992e43f02b543550495c391
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[344966da99c962bea479298e4d3744e0c6a513f1] nbd: prevent memory leak
testing commit 344966da99c962bea479298e4d3744e0c6a513f1 with gcc (GCC) 8.1.0
kernel signature: 2ba97053b1670019f8e5eb630f0039d8db4a19d0
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 344966da99c962bea479298e4d3744e0c6a513f1
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[3510fb7947d5a7ca662178efe4f8d3712bb85177] ALSA: usb-audio: Fix NULL dereference at parsing BADD
testing commit 3510fb7947d5a7ca662178efe4f8d3712bb85177 with gcc (GCC) 8.1.0
kernel signature: f7341f055d27287c4dee8ba21e047cf59ba0e866
run #0: crashed: WARNING in __vb2_queue_cancel
run #1: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #2: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #3: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #4: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #5: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #6: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #7: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #8: crashed: INFO: task hung in vivid_stop_generating_vid_cap
run #9: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good 3510fb7947d5a7ca662178efe4f8d3712bb85177
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b73b28b1b2cbc345cbe24d98b0997ec599bf4d06] media: vivid: Set vid_cap_streaming and vid_out_streaming to true
testing commit b73b28b1b2cbc345cbe24d98b0997ec599bf4d06 with gcc (GCC) 8.1.0
kernel signature: 589acef6d723db341f8e4cb97ec8a3b4c56a3a4a
all runs: crashed: INFO: task hung in vivid_stop_generating_vid_cap
# git bisect good b73b28b1b2cbc345cbe24d98b0997ec599bf4d06
467052f6ea5a51524992e43f02b543550495c391 is the first bad commit
commit 467052f6ea5a51524992e43f02b543550495c391
Author: Alexander Popov
Date:   Sun Nov 3 23:17:19 2019 +0100

    media: vivid: Fix wrong locking that causes race conditions on streaming stop

    commit 6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27 upstream.

    There is the same incorrect approach to locking implemented in
    vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out() and
    sdr_cap_stop_streaming().

    These functions are called during streaming stopping with vivid_dev.mutex
    locked. And they all do the same mistake while stopping their kthreads,
    which need to lock this mutex as well. See the example from
    vivid_stop_generating_vid_cap():

        /* shutdown control thread */
        vivid_grab_controls(dev, false);
        mutex_unlock(&dev->mutex);
        kthread_stop(dev->kthread_vid_cap);
        dev->kthread_vid_cap = NULL;
        mutex_lock(&dev->mutex);

    But when this mutex is unlocked, another vb2_fop_read() can lock it
    instead of vivid_thread_vid_cap() and manipulate the buffer queue.
    That causes a use-after-free access later.

    To fix those issues let's:
      1. avoid unlocking the mutex in vivid_stop_generating_vid_cap(),
         vivid_stop_generating_vid_out() and sdr_cap_stop_streaming();
      2. use mutex_trylock() with schedule_timeout_uninterruptible() in the
         loops of the vivid kthread handlers.

    Signed-off-by: Alexander Popov
    Acked-by: Linus Torvalds
    Tested-by: Hans Verkuil
    Signed-off-by: Hans Verkuil
    Cc: # for v3.18 and up
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

 drivers/media/platform/vivid/vivid-kthread-cap.c | 8 +++++---
 drivers/media/platform/vivid/vivid-kthread-out.c | 8 +++++---
 drivers/media/platform/vivid/vivid-sdr-cap.c     | 8 +++++---
 3 files changed, 15 insertions(+), 9 deletions(-)

culprit signature: 411a025282cc8b253185500b71afd0f75ac8b2a3
parent signature: 589acef6d723db341f8e4cb97ec8a3b4c56a3a4a
revisions tested: 14, total time: 3h46m15.505392232s (build: 2h1m40.215010369s, test: 1h43m10.05369463s)
first good commit: 467052f6ea5a51524992e43f02b543550495c391 media: vivid: Fix wrong locking that causes race conditions on streaming stop
cc: ["alex.popov@linux.com" "gregkh@linuxfoundation.org" "hverkuil-cisco@xs4all.nl" "mchehab@kernel.org" "torvalds@linux-foundation.org"]
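The locking pattern the fix commit describes, modeled in userspace as an added example. This is not code from the vivid driver or from the commit: POSIX threads and mutexes stand in for the kernel's kthread_stop()/kthread_should_stop(), mutex_trylock() and schedule_timeout_uninterruptible(), and every name here (struct dev_model, worker_thread, stop_streaming_locked, run_stop_cycle) is hypothetical. The point it shows is why the stop path can keep the device mutex held for the whole stop once the worker loop uses a trylock-and-sleep instead of a blocking lock: the worker still exits, and there is no unlocked window for another opener to take the mutex and touch the queue.

```c
/* Added example, not vivid driver code: a userspace model of the post-fix
 * "stop the worker while holding the device mutex" pattern.  POSIX
 * threads/mutexes stand in for the kernel API; all names are hypothetical. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

struct dev_model {
    pthread_mutex_t mutex;        /* plays the role of vivid_dev.mutex */
    atomic_bool     should_stop;  /* plays the role of kthread_should_stop() */
    int             frames;       /* "buffer queue" work, touched only under mutex */
    int             contended;    /* trylock failures the worker saw */
};

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Worker loop in the post-fix shape: trylock instead of a blocking lock,
 * a short sleep on contention (the kernel side uses
 * schedule_timeout_uninterruptible()), and a stop check on every pass.
 * With a blocking lock here the worker would wait forever on a stopper
 * that holds the mutex while waiting for the worker to exit. */
static void *worker_thread(void *arg)
{
    struct dev_model *dev = arg;
    int contended = 0;

    while (!atomic_load(&dev->should_stop)) {
        if (pthread_mutex_trylock(&dev->mutex) != 0) {
            contended++;
            sleep_ms(1);
            continue;
        }
        dev->frames++;            /* the queue work the real kthread does */
        pthread_mutex_unlock(&dev->mutex);
    }
    dev->contended = contended;   /* read by the stopper only after join */
    return NULL;
}

/* Stop path in the post-fix shape: entered with dev->mutex held and the
 * mutex is NOT released, so no other opener (vb2_fop_read() in the driver)
 * can take it in between and manipulate the queue. */
static void stop_streaming_locked(struct dev_model *dev, pthread_t worker)
{
    atomic_store(&dev->should_stop, 1);   /* kthread_stop(): raise the flag... */
    pthread_join(worker, NULL);           /* ...and wait for the thread to exit */
}

/* One start/stream/stop cycle.  Returns the number of frames produced
 * (-1 if the worker could not be started); returning at all is the point,
 * since the stopper never lets go of the mutex and the worker still exits. */
int run_stop_cycle(void)
{
    struct dev_model dev = { PTHREAD_MUTEX_INITIALIZER, 0, 0, 0 };
    pthread_t worker;
    int n;

    if (pthread_create(&worker, NULL, worker_thread, &dev) != 0)
        return -1;

    /* Let the worker stream for a while; read its progress under the mutex. */
    do {
        sleep_ms(1);
        pthread_mutex_lock(&dev.mutex);
        n = dev.frames;
        pthread_mutex_unlock(&dev.mutex);
    } while (n < 10);

    pthread_mutex_lock(&dev.mutex);       /* streaming stop runs with mutex held */
    stop_streaming_locked(&dev, worker);
    n = dev.frames;
    pthread_mutex_unlock(&dev.mutex);
    return n;
}

int main(void)
{
    int n = run_stop_cycle();
    printf("worker stopped cleanly after %d frames\n", n);
    return n >= 10 ? 0 : 1;
}
```

Swap the trylock in worker_thread for pthread_mutex_lock() and the program hangs in pthread_join, which is the userspace analogue of the "task hung in vivid_stop_generating_vid_cap" reports in the log above. Releasing the mutex around the join instead (the pre-fix shape) would make the hang go away but reopens the window the commit message describes.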