From: syzbot <syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com>
To: arve@android.com, christian@brauner.io,
devel@driverdev.osuosl.org, gregkh@linuxfoundation.org,
joel@joelfernandes.org, linux-kernel@vger.kernel.org,
maco@android.com, syzkaller-bugs@googlegroups.com,
tkjos@android.com
Subject: Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (2)
Date: Thu, 14 Feb 2019 03:35:03 -0800
Message-ID: <0000000000009e34680581d90c3f@google.com>
In-Reply-To: <00000000000048c0060581d8fe23@google.com>
syzbot has found a reproducer for the following crash on:
HEAD commit: b3418f8bddf4 Add linux-next specific files for 20190214
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=161d2048c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a3a37525a677c71
dashboard link: https://syzkaller.appspot.com/bug?extid=55de1eb4975dec156d8f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11cd2f1f400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com
binder: 7792:7794 transaction failed 29189/-22, size 24-8 line 2994
------------[ cut here ]------------
kernel BUG at drivers/android/binder_alloc.c:1141!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7794 Comm: syz-executor.5 Not tainted 5.0.0-rc6-next-20190214 #35
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 drivers/android/binder_alloc.c:1141
Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 9f e1 26 fc 4c 89
e6 4c 89 ef e8 b4 e2 26 fc 4d 39 e5 76 07 e8 8a e1 26 fc <0f> 0b e8 83 e1
26 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 91
RSP: 0018:ffff888051747558 EFLAGS: 00010293
RAX: ffff8880a55d8040 RBX: 0000000020001000 RCX: ffffffff8549806c
RDX: 0000000000000000 RSI: ffffffff85498076 RDI: 0000000000000006
RBP: ffff8880517475d8 R08: ffff8880a55d8040 R09: 0000000000000028
R10: ffffed100a2e8f01 R11: ffff88805174780f R12: 0000000000000020
R13: 0000000000000028 R14: ffff888096952b50 R15: 0000000000000000
FS: 00007f526c1e3700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f526c1a0db8 CR3: 0000000032547000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
binder_alloc_copy_from_buffer+0x37/0x42 drivers/android/binder_alloc.c:1187
binder_get_object+0xa2/0x1e0 drivers/android/binder.c:2062
binder_transaction+0x2b4a/0x6690 drivers/android/binder.c:3231
binder_thread_write+0x64a/0x2820 drivers/android/binder.c:3792
binder_ioctl_write_read drivers/android/binder.c:4825 [inline]
binder_ioctl+0x1033/0x183b drivers/android/binder.c:5002
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xd6e/0x1390 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457e29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f526c1e2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29
RDX: 0000000020000000 RSI: 00000000c0306201 RDI: 0000000000000006
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f526c1e36d4
R13: 00000000004bf15b R14: 00000000004d0a60 R15: 00000000ffffffff
Modules linked in:
---[ end trace f34ec74539dae8b5 ]---
RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 drivers/android/binder_alloc.c:1141
Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 9f e1 26 fc 4c 89
e6 4c 89 ef e8 b4 e2 26 fc 4d 39 e5 76 07 e8 8a e1 26 fc <0f> 0b e8 83 e1
26 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 91
RSP: 0018:ffff888051747558 EFLAGS: 00010293
RAX: ffff8880a55d8040 RBX: 0000000020001000 RCX: ffffffff8549806c
RDX: 0000000000000000 RSI: ffffffff85498076 RDI: 0000000000000006
RBP: ffff8880517475d8 R08: ffff8880a55d8040 R09: 0000000000000028
R10: ffffed100a2e8f01 R11: ffff88805174780f R12: 0000000000000020
R13: 0000000000000028 R14: ffff888096952b50 R15: 0000000000000000
FS: 00007f526c1e3700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 0000000032547000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400