kernel BUG at drivers/android/binder_alloc.c:LINE!

Dan Carpenter dan.carpenter at oracle.com
Wed Jan 31 08:08:43 UTC 2018 

On Tue, Jan 30, 2018 at 11:59:47PM -0800, Eric Biggers wrote:
> On Fri, Dec 01, 2017 at 04:22:00PM -0800, syzbot wrote:
> > syzkaller has found reproducer for the following crash on
> > 3c1c4ddffb58b9e10b3365764fe59546130b3f32
> > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> > compiler: gcc (GCC) 7.1.1 20170620
> > .config is attached
> > Raw console output is attached.
> > C reproducer is attached
> > syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> > for information about syzkaller reproducers
> > 
> > 
> > binder: 3087:3087 ERROR: BC_REGISTER_LOOPER called without request
> > binder: 3087:3087 ioctl c0306201 2000dfd0 returned -14
> > ------------[ cut here ]------------
> > kernel BUG at drivers/android/binder_alloc.c:750!
> > invalid opcode: 0000 [#1] SMP KASAN
> > Dumping ftrace buffer:
> >    (ftrace buffer empty)
> > Modules linked in:
> > CPU: 0 PID: 1404 Comm: kworker/0:2 Not tainted 4.15.0-rc1+ #203
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: events binder_deferred_func
> > task: 0000000009b739b6 task.stack: 00000000c1d4442c
> > RIP: 0010:binder_alloc_deferred_release+0x146/0xa40
> > drivers/android/binder_alloc.c:750
> > RSP: 0018:ffff8801d2b16fd8 EFLAGS: 00010293
> > RAX: ffff8801d2b08080 RBX: ffff8801d7829300 RCX: ffffffff8403b856
> > RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801d7829330
> > RBP: ffff8801d2b17138 R08: ffffffff8403b7d9 R09: 1ffffffff0e53001
> > R10: ffff8801d2b16fc8 R11: ffffffff87489d60 R12: 0000000000000000
> > R13: dffffc0000000000 R14: ffff8801d2b17110 R15: ffff8801d7829310
> > FS:  0000000000000000(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00000000006d00a8 CR3: 0000000005e25000 CR4: 00000000001406f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  binder_free_proc drivers/android/binder.c:4200 [inline]
> >  binder_proc_dec_tmpref+0x2f3/0x420 drivers/android/binder.c:1833
> >  binder_deferred_release drivers/android/binder.c:4858 [inline]
> >  binder_deferred_func+0xe22/0x12f0 drivers/android/binder.c:4893
> >  process_one_work+0xbfd/0x1be0 kernel/workqueue.c:2112
> >  worker_thread+0x223/0x1990 kernel/workqueue.c:2246
> >  kthread+0x37a/0x440 kernel/kthread.c:238
> >  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:441
> > Code: e8 00 40 6c fd 49 8d 7f 20 49 8d 5f f0 48 89 fa 48 c1 ea 03 42 80 3c
> > 2a 00 0f 85 84 07 00 00 49 83 7f 20 00 74 a9 e8 da 3f 6c fd <0f> 0b 48 8b 9d
> > e8 fe ff ff 44 89 a5 bc fe ff ff e8 c5 3f 6c fd
> > RIP: binder_alloc_deferred_release+0x146/0xa40
> > drivers/android/binder_alloc.c:750 RSP: ffff8801d2b16fd8
> > ---[ end trace 616e085d0dbf3c21 ]---
> > Kernel panic - not syncing: Fatal exception
> > Dumping ftrace buffer:
> >    (ftrace buffer empty)
> > Kernel Offset: disabled
> > Rebooting in 86400 seconds..
> 
> This crash stopped occurring in v4.15-rc3, and I verified that it was commit
> fb2c445277e which fixed it (thanks Martijn!).  So, telling syzbot so that it can
> start reporting similar crashes again:
> 
> #syz fix: ANDROID: binder: fix transaction leak.

Could you change the syz fix format to include the hash in case we want
to look it up?

regards,
dan carpenter

More information about the devel mailing list