bisecting fixing commit since c98875d930e915d01e8c40c7d3c16f00b3c8abe1
building syzkaller on 53199d6e8aee5f0ebd3775d2b1c674f4e6e64e2b
testing commit c98875d930e915d01e8c40c7d3c16f00b3c8abe1 with gcc (GCC) 8.1.0
kernel signature: 155e5bf08328442788b06641a5c58ddf834f9984
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
testing current HEAD 174651bdf802a2139065e8e31ce950e2f3fc4a94
testing commit 174651bdf802a2139065e8e31ce950e2f3fc4a94 with gcc (GCC) 8.1.0
kernel signature: feccb495fb41dffee9d442560b48eb662b75f369
all runs: OK
# git bisect start 174651bdf802a2139065e8e31ce950e2f3fc4a94 c98875d930e915d01e8c40c7d3c16f00b3c8abe1
Bisecting: 2646 revisions left to test after this (roughly 11 steps)
[ca5b26a8f1d8084970218ce97e3177be0c956cc9] clk: renesas: cpg-mssr: Fix reset control race condition
testing commit ca5b26a8f1d8084970218ce97e3177be0c956cc9 with gcc (GCC) 8.1.0
kernel signature: 629cce38227ad2b791751207cd7a9ee17c5566af
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good ca5b26a8f1d8084970218ce97e3177be0c956cc9
Bisecting: 1323 revisions left to test after this (roughly 10 steps)
[ab0888699734c36e8cf28d73367c133bd38a140b] tools/power turbostat: fix goldmont C-state limit decoding
testing commit ab0888699734c36e8cf28d73367c133bd38a140b with gcc (GCC) 8.1.0
kernel signature: 3f7837c14a32920909690485e666384ac5cfa821
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good ab0888699734c36e8cf28d73367c133bd38a140b
Bisecting: 661 revisions left to test after this (roughly 9 steps)
[ae95237256de0cef566c7c5f5452d55b5f393bf9] net: hns3: Fix cmdq registers initialization issue for vf
testing commit ae95237256de0cef566c7c5f5452d55b5f393bf9 with gcc (GCC) 8.1.0
kernel signature: fe43e9083b9bd8296d6be7572b73bb8aa33bda53
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good ae95237256de0cef566c7c5f5452d55b5f393bf9
Bisecting: 330 revisions left to test after this (roughly 8 steps)
[312de5a09d10d15984082b5c3e9e5e358386f51a] net: fix generic XDP to handle if eth header was mangled
testing commit 312de5a09d10d15984082b5c3e9e5e358386f51a with gcc (GCC) 8.1.0
kernel signature: 5bee947444cbc1072a9d42192e233f479505befe
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good 312de5a09d10d15984082b5c3e9e5e358386f51a
Bisecting: 165 revisions left to test after this (roughly 7 steps)
[adcb6d9ff121bcff8365ab42321d71fbed4725ea] spi: uniphier: fix incorrect property items
testing commit adcb6d9ff121bcff8365ab42321d71fbed4725ea with gcc (GCC) 8.1.0
kernel signature: 0983578c063c63312fc9b03a072ace7442f22f03
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good adcb6d9ff121bcff8365ab42321d71fbed4725ea
Bisecting: 82 revisions left to test after this (roughly 6 steps)
[c262dc0655dfdd1d61298a132027159d87e80407] wil6210: fix locking in wmi_call
testing commit c262dc0655dfdd1d61298a132027159d87e80407 with gcc (GCC) 8.1.0
kernel signature: 3daaab144cf73221ab2cedd819118aa6d8ac9b4c
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good c262dc0655dfdd1d61298a132027159d87e80407
Bisecting: 41 revisions left to test after this (roughly 5 steps)
[f0cfe98332d650f31b462207d63c496b4cedaee2] ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
testing commit f0cfe98332d650f31b462207d63c496b4cedaee2 with gcc (GCC) 8.1.0
kernel signature: 184d7b7e7d79dd0eeb81e2f4250ec1ec70e13e80
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good f0cfe98332d650f31b462207d63c496b4cedaee2
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[56be9f1b8733395caf570a80aa97d30e1fc61c28] media: uvcvideo: Fix error path in control parsing failure
testing commit 56be9f1b8733395caf570a80aa97d30e1fc61c28 with gcc (GCC) 8.1.0
kernel signature: 25183c54f4b72a4e4499b43085b1e5fcf641e582
all runs: OK
# git bisect bad 56be9f1b8733395caf570a80aa97d30e1fc61c28
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[0af5ae268e24e265494ea4e91119ddd241744195] x86/speculation: Fix incorrect MDS/TAA mitigation status
testing commit 0af5ae268e24e265494ea4e91119ddd241744195 with gcc (GCC) 8.1.0
kernel signature: 1d22da527a31126f1a432d7b5b5f6fec6dac7f84
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good 0af5ae268e24e265494ea4e91119ddd241744195
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[3510fb7947d5a7ca662178efe4f8d3712bb85177] ALSA: usb-audio: Fix NULL dereference at parsing BADD
testing commit 3510fb7947d5a7ca662178efe4f8d3712bb85177 with gcc (GCC) 8.1.0
kernel signature: 9f4247d3cb321190c57e285dec2bc2cfae8c69ca
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good 3510fb7947d5a7ca662178efe4f8d3712bb85177
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[467052f6ea5a51524992e43f02b543550495c391] media: vivid: Fix wrong locking that causes race conditions on streaming stop
testing commit 467052f6ea5a51524992e43f02b543550495c391 with gcc (GCC) 8.1.0
kernel signature: 7e2cafa5b27853363527abb5e45d22a220c52905
all runs: OK
# git bisect bad 467052f6ea5a51524992e43f02b543550495c391
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b73b28b1b2cbc345cbe24d98b0997ec599bf4d06] media: vivid: Set vid_cap_streaming and vid_out_streaming to true
testing commit b73b28b1b2cbc345cbe24d98b0997ec599bf4d06 with gcc (GCC) 8.1.0
kernel signature: f17e2f1b455b21c19b16457cc3abeaa24cf1a5fe
all runs: crashed: INFO: task hung in sdr_cap_stop_streaming
# git bisect good b73b28b1b2cbc345cbe24d98b0997ec599bf4d06
467052f6ea5a51524992e43f02b543550495c391 is the first bad commit
commit 467052f6ea5a51524992e43f02b543550495c391
Author: Alexander Popov
Date:   Sun Nov 3 23:17:19 2019 +0100

    media: vivid: Fix wrong locking that causes race conditions on streaming stop

    commit 6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27 upstream.
    There is the same incorrect approach to locking implemented in
    vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out()
    and sdr_cap_stop_streaming().

    These functions are called during streaming stopping with vivid_dev.mutex
    locked. And they all do the same mistake while stopping their kthreads,
    which need to lock this mutex as well. See the example from
    vivid_stop_generating_vid_cap():

        /* shutdown control thread */
        vivid_grab_controls(dev, false);
        mutex_unlock(&dev->mutex);
        kthread_stop(dev->kthread_vid_cap);
        dev->kthread_vid_cap = NULL;
        mutex_lock(&dev->mutex);

    But when this mutex is unlocked, another vb2_fop_read() can lock it
    instead of vivid_thread_vid_cap() and manipulate the buffer queue.
    That causes a use-after-free access later.

    To fix those issues let's:
      1. avoid unlocking the mutex in vivid_stop_generating_vid_cap(),
         vivid_stop_generating_vid_out() and sdr_cap_stop_streaming();
      2. use mutex_trylock() with schedule_timeout_uninterruptible() in
         the loops of the vivid kthread handlers.

    Signed-off-by: Alexander Popov
    Acked-by: Linus Torvalds
    Tested-by: Hans Verkuil
    Signed-off-by: Hans Verkuil
    Cc: # for v3.18 and up
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

 drivers/media/platform/vivid/vivid-kthread-cap.c | 8 +++++---
 drivers/media/platform/vivid/vivid-kthread-out.c | 8 +++++---
 drivers/media/platform/vivid/vivid-sdr-cap.c     | 8 +++++---
 3 files changed, 15 insertions(+), 9 deletions(-)

kernel signature: 7e2cafa5b27853363527abb5e45d22a220c52905
previous signature: f17e2f1b455b21c19b16457cc3abeaa24cf1a5fe
revisions tested: 14, total time: 3h41m6.640065155s (build: 1h59m21.335535728s, test: 1h37m19.110623564s)
first good commit: 467052f6ea5a51524992e43f02b543550495c391 media: vivid: Fix wrong locking that causes race conditions on streaming stop
cc: ["alex.popov@linux.com" "gregkh@linuxfoundation.org" "hverkuil-cisco@xs4all.nl" "mchehab@kernel.org" "torvalds@linux-foundation.org"]
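The locking mistake the commit message describes, as an added example that is not part of the bisection log or of the vivid driver: a user-space pthread model in which a stop path that holds a mutex has to stop a worker thread that also takes that mutex. stop_streaming(false) follows the original pattern (unlock, stop the thread, relock) and shows a reader slipping into the unlocked window and using the buffer queue that the stop path then frees; stop_streaming(true) keeps the mutex held and moves the worker to trylock plus a timed sleep, as the fix does. model_dev, worker_original, worker_fixed, reader and stop_streaming are names chosen for this model, not vivid identifiers, and the reader is started at a fixed point so the interleaving is deterministic where the real race depends on the scheduler.

```c
/* Added example, not vivid driver code: a user-space pthread model of the
 * stop_streaming() locking pattern the commit message describes and of its
 * fix. Every name below is an illustrative stand-in, not a kernel identifier. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

struct model_dev {
    pthread_mutex_t mutex;   /* vivid_dev.mutex: guards the buffer queue */
    pthread_t kthread;       /* dev->kthread_vid_cap and friends */
    atomic_bool should_stop; /* kthread_should_stop() */
    int *queue;              /* the vb2 buffer queue, touched only under mutex */
    bool reader_saw_queue;   /* set by reader(): got the mutex while queue existed */
};

#define SLEEP_1MS() nanosleep(&(struct timespec){ 0, 1000000 }, NULL)

/* Original kthread loop: blocks on the mutex each iteration, which is why the
 * stop path had to drop the mutex around kthread_stop() to avoid a deadlock. */
static void *worker_original(void *arg)
{
    struct model_dev *dev = arg;
    while (!atomic_load(&dev->should_stop)) {
        pthread_mutex_lock(&dev->mutex);
        dev->queue[0]++;                     /* "fill" a buffer */
        pthread_mutex_unlock(&dev->mutex);
        SLEEP_1MS();
    }
    return NULL;
}

/* Fixed kthread loop: mutex_trylock() plus a timed sleep, so the thread keeps
 * polling should_stop and can exit while the stop path holds the mutex. */
static void *worker_fixed(void *arg)
{
    struct model_dev *dev = arg;
    while (!atomic_load(&dev->should_stop)) {
        if (pthread_mutex_trylock(&dev->mutex) != 0) {
            SLEEP_1MS();                     /* schedule_timeout_uninterruptible() */
            continue;
        }
        dev->queue[0]++;
        pthread_mutex_unlock(&dev->mutex);
        SLEEP_1MS();
    }
    return NULL;
}

/* vb2_fop_read() stand-in: takes the mutex and uses the queue if one exists. */
static void *reader(void *arg)
{
    struct model_dev *dev = arg;
    pthread_mutex_lock(&dev->mutex);
    dev->reader_saw_queue = (dev->queue != NULL);
    if (dev->reader_saw_queue)
        dev->queue[0]++;                     /* a use that outlives the queue */
    pthread_mutex_unlock(&dev->mutex);
    return NULL;
}

/* Stop path, entered with the mutex held as in the driver. fixed=false drops
 * the mutex around the kthread join (original code); fixed=true keeps it.
 * Returns 1 if a concurrent reader got the mutex while the queue still existed. */
int stop_streaming(bool fixed)
{
    struct model_dev dev = { .reader_saw_queue = false };
    pthread_t rd;
    pthread_mutex_init(&dev.mutex, NULL);
    atomic_init(&dev.should_stop, false);
    dev.queue = calloc(4, sizeof(int));
    pthread_create(&dev.kthread, NULL, fixed ? worker_fixed : worker_original, &dev);
    pthread_mutex_lock(&dev.mutex);          /* streaming stop holds vivid_dev.mutex */
    atomic_store(&dev.should_stop, true);
    if (!fixed) {
        pthread_mutex_unlock(&dev.mutex);    /* the window the fix removes */
        pthread_create(&rd, NULL, reader, &dev); /* vb2_fop_read() gets in */
        pthread_join(rd, NULL);
        pthread_join(dev.kthread, NULL);     /* kthread_stop() */
        pthread_mutex_lock(&dev.mutex);
    } else {
        pthread_create(&rd, NULL, reader, &dev); /* blocks on the held mutex */
        pthread_join(dev.kthread, NULL);     /* exits through the trylock loop */
    }
    free(dev.queue);                         /* queue torn down */
    dev.queue = NULL;
    pthread_mutex_unlock(&dev.mutex);
    if (fixed)
        pthread_join(rd, NULL);              /* reader runs now and finds NULL */
    pthread_mutex_destroy(&dev.mutex);
    return dev.reader_saw_queue;
}

int main(void)
{
    printf("original stop path: reader saw live queue = %d\n", stop_streaming(false));
    printf("fixed stop path:    reader saw live queue = %d\n", stop_streaming(true));
    return 0;
}
```

The reason the unlock was there at all: the original kthread loop took the mutex unconditionally, so a stop path that kept holding it while waiting in kthread_stop() would have deadlocked against its own thread. Dropping the unlock is only safe because the fix also changes the kthread loop to mutex_trylock() with a timed sleep, which is why the commit touches both the stop paths and the three kthread handlers.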