From: syscaller <syscaller@163.com>
To: gregkh@linuxfoundation.org, aliceryhl@google.com
Cc: arve@android.com, tkjos@android.com, brauner@kernel.org,
cmllamas@google.com, ojeda@kernel.org, boqun@kernel.org,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: [BUG] android: rust binder: sleeping function called from invalid context in deferred_release()
Date: Sat, 11 Apr 2026 21:44:07 +0800 (CST)
Message-ID: <1f4fa7f2.351a.19d7cc91931.Coremail.syscaller@163.com>

Hello,

I hit the following issue repeatedly with a local syzkaller instance while
fuzzing Rust binder.

HEAD commit: 591cd656a1bf Linux 7.0-rc7
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://gist.githubusercontent.com/syscallerx/1ebe64a8a4a3340fb565325ba62efe53/raw/7c5e52532a94b60f442cf588926da065c7a2b11e/console-output.txt
kernel config: https://gist.githubusercontent.com/syscallerx/1ebe64a8a4a3340fb565325ba62efe53/raw/7c5e52532a94b60f442cf588926da065c7a2b11e/kernel-config.txt
dashboard link: N/A (local syzkaller instance)
compiler: gcc (Ubuntu 14.2.0-4ubuntu2) 14.2.0, GNU ld (GNU Binutils for Ubuntu) 2.43.1
userspace arch: amd64

Note: the fuzzing kernel was based on upstream v7.0-rc7 with one local
instrumentation-only change:

drivers/android/binder/Makefile
+KCOV_INSTRUMENT := y

This change was added only to enable selective KCOV instrumentation for binder
while fuzzing.

Unfortunately, I don't have a minimized reproducer for this issue yet.
The same crash family has been observed repeatedly by the local syzkaller
instance (about 300 hits in the same crash directory), but syz-repro has not
managed to extract a stable minimal reproducer so far.

I believe the warning is caused by the following code in
drivers/android/binder/process.rs:

    while let Some(delivered_death) =
        { self.inner.lock().delivered_deaths.pop_front() } {
        drop(delivered_death);
    }

The temporary SpinLockGuard returned by self.inner.lock() appears to live
across the whole while-let statement, including the loop body. As a result,
drop(delivered_death) runs while Process::inner is still held.

The destructor chain then reaches:

    drivers/android/binder/page_range.rs:633
    let mm_lock = self.mm_lock.lock();

That mutex acquisition triggers the "sleeping function called from invalid
context" / "Invalid wait context" warning.

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 212920, name: kworker/3:3
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by kworker/3:3/212920:
#0: ffff888019c13948 ((wq_completion)events#2){+.+.}-{0:0}, at: process_one_work+0xfaa/0x1670 kernel/workqueue.c:3251
#1: ffffc900096a7d10 (Process::defer_work){+.+.}-{0:0}, at: process_one_work+0x85c/0x1670 kernel/workqueue.c:3252
#2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <kernel::sync::lock::spinlock::SpinLockBackend as kernel::sync::lock::Backend>::lock rust/kernel/sync/lock/spinlock.rs:119 [inline]
#2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <kernel::sync::lock::Lock<rust_binder_main::process::ProcessInner, kernel::sync::lock::spinlock::SpinLockBackend>>::lock rust/kernel/sync/lock.rs:177 [inline]
#2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <rust_binder_main::process::Process>::deferred_release drivers/android/binder/process.rs:1405 [inline]
#2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <rust_binder_main::process::Process as kernel::workqueue::WorkItem>::run+0x2278/0x2fd0 drivers/android/binder/process.rs:498
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 3 UID: 0 PID: 212920 Comm: kworker/3:3 Tainted: G W L 7.0.0-rc7-dirty #3 PREEMPT(full)
Tainted: [W]=WARN, [L]=SOFTLOCKUP
Hardware name: QEMU Ubuntu 24.10 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: events _RNvXs8_NtCsgzhNYVB7wSz_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCsdiRiAdj6M6P_16rust_binder_main7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x6f/0xb0 lib/dump_stack.c:120
__might_resched.cold+0x1ec/0x232 kernel/sched/core.c:8888
__mutex_lock_common kernel/locking/mutex.c:591 [inline]
__mutex_lock+0x10e/0x1b90 kernel/locking/mutex.c:776
<kernel::sync::lock::mutex::MutexBackend as kernel::sync::lock::Backend>::lock rust/kernel/sync/lock/mutex.rs:120 [inline]
<kernel::sync::lock::Lock<(), kernel::sync::lock::mutex::MutexBackend>>::lock rust/kernel/sync/lock.rs:177 [inline]
<rust_binder_main::page_range::ShrinkablePageRange as pin_init::PinnedDrop>::drop+0xe1/0x310 drivers/android/binder/page_range.rs:633
<rust_binder_main::page_range::ShrinkablePageRange as core::ops::drop::Drop>::drop drivers/android/binder/page_range.rs:127 [inline]
core::ptr::drop_in_place::<rust_binder_main::page_range::ShrinkablePageRange> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<rust_binder_main::process::Process>+0xcfd/0x1010 root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805
core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop rust/kernel/alloc/kbox.rs:676 [inline]
core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
<kernel::sync::arc::Arc<rust_binder_main::process::Process> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::process::Process>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<rust_binder_main::node::Node> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<rust_binder_main::DTRWrap<rust_binder_main::node::Node>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop rust/kernel/alloc/kbox.rs:676 [inline]
core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::Node>> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<rust_binder_main::node::NodeDeath> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop+0xdf/0x1b0 rust/kernel/alloc/kbox.rs:676
core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<kernel::list::arc::ListArc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>, 2>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::mem::drop::<kernel::list::arc::ListArc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>, 2>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
<rust_binder_main::process::Process>::deferred_release drivers/android/binder/process.rs:1406 [inline]
<rust_binder_main::process::Process as kernel::workqueue::WorkItem>::run+0x2475/0x2fd0 drivers/android/binder/process.rs:498
process_one_work+0x8df/0x1670 kernel/workqueue.c:3276
process_scheduled_works kernel/workqueue.c:3359 [inline]
worker_thread+0x4ea/0xd60 kernel/workqueue.c:3440
kthread+0x30d/0x3f0 kernel/kthread.c:436
ret_from_fork+0x614/0xa30 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
=============================
[ BUG: Invalid wait context ]
7.0.0-rc7-dirty #3 Tainted: G W L
-----------------------------
kworker/3:3/212920 is trying to lock:
ffff888188296898 (ShrinkablePageRange::mm){+.+.}-{4:4}, at: <kernel::sync::lock::mutex::MutexBackend as kernel::sync::lock::Backend>::lock rust/kernel/sync/lock/mutex.rs:120 [inline]
ffff888188296898 (ShrinkablePageRange::mm){+.+.}-{4:4}, at: <kernel::sync::lock::Lock<(), kernel::sync::lock::mutex::MutexBackend>>::lock rust/kernel/sync/lock.rs:177 [inline]
ffff888188296898 (ShrinkablePageRange::mm){+.+.}-{4:4}, at: <rust_binder_main::page_range::ShrinkablePageRange as pin_init::PinnedDrop>::drop+0xe1/0x310 drivers/android/binder/page_range.rs:633
other info that might help us debug this:
context-{5:5}
3 locks held by kworker/3:3/212920:
#0: ffff888019c13948 ((wq_completion)events#2){+.+.}-{0:0}, at: process_one_work+0xfaa/0x1670 kernel/workqueue.c:3251
#1: ffffc900096a7d10 (Process::defer_work){+.+.}-{0:0}, at: process_one_work+0x85c/0x1670 kernel/workqueue.c:3252
#2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <kernel::sync::lock::spinlock::SpinLockBackend as kernel::sync::lock::Backend>::lock rust/kernel/sync/lock/spinlock.rs:119 [inline]
#2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <kernel::sync::lock::Lock<rust_binder_main::process::ProcessInner, kernel::sync::lock::spinlock::SpinLockBackend>>::lock rust/kernel/sync/lock.rs:177 [inline]
#2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <rust_binder_main::process::Process>::deferred_release drivers/android/binder/process.rs:1405 [inline]
#2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <rust_binder_main::process::Process as kernel::workqueue::WorkItem>::run+0x2278/0x2fd0 drivers/android/binder/process.rs:498
stack backtrace:
CPU: 3 UID: 0 PID: 212920 Comm: kworker/3:3 Tainted: G W L 7.0.0-rc7-dirty #3 PREEMPT(full)
Tainted: [W]=WARN, [L]=SOFTLOCKUP
Hardware name: QEMU Ubuntu 24.10 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: events _RNvXs8_NtCsgzhNYVB7wSz_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCsdiRiAdj6M6P_16rust_binder_main7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x6f/0xb0 lib/dump_stack.c:120
print_lock_invalid_wait_context kernel/locking/lockdep.c:4830 [inline]
check_wait_context kernel/locking/lockdep.c:4902 [inline]
__lock_acquire+0xfa4/0x2630 kernel/locking/lockdep.c:5187
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825
__mutex_lock_common kernel/locking/mutex.c:614 [inline]
__mutex_lock+0x1a2/0x1b90 kernel/locking/mutex.c:776
<kernel::sync::lock::mutex::MutexBackend as kernel::sync::lock::Backend>::lock rust/kernel/sync/lock/mutex.rs:120 [inline]
<kernel::sync::lock::Lock<(), kernel::sync::lock::mutex::MutexBackend>>::lock rust/kernel/sync/lock.rs:177 [inline]
<rust_binder_main::page_range::ShrinkablePageRange as pin_init::PinnedDrop>::drop+0xe1/0x310 drivers/android/binder/page_range.rs:633
<rust_binder_main::page_range::ShrinkablePageRange as core::ops::drop::Drop>::drop drivers/android/binder/page_range.rs:127 [inline]
core::ptr::drop_in_place::<rust_binder_main::page_range::ShrinkablePageRange> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<rust_binder_main::process::Process>+0xcfd/0x1010 root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805
core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop rust/kernel/alloc/kbox.rs:676 [inline]
core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
<kernel::sync::arc::Arc<rust_binder_main::process::Process> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::process::Process>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<rust_binder_main::node::Node> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<rust_binder_main::DTRWrap<rust_binder_main::node::Node>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop rust/kernel/alloc/kbox.rs:676 [inline]
core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::Node>> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<rust_binder_main::node::NodeDeath> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop+0xdf/0x1b0 rust/kernel/alloc/kbox.rs:676
core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::ptr::drop_in_place::<kernel::list::arc::ListArc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>, 2>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
core::mem::drop::<kernel::list::arc::ListArc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>, 2>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
<rust_binder_main::process::Process>::deferred_release drivers/android/binder/process.rs:1406 [inline]
<rust_binder_main::process::Process as kernel::workqueue::WorkItem>::run+0x2475/0x2fd0 drivers/android/binder/process.rs:498
process_one_work+0x8df/0x1670 kernel/workqueue.c:3276
process_scheduled_works kernel/workqueue.c:3359 [inline]
worker_thread+0x4ea/0xd60 kernel/workqueue.c:3440
kthread+0x30d/0x3f0 kernel/kthread.c:436
ret_from_fork+0x614/0xa30 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

If needed, I can share the local syzkaller reproducer attempts and additional
testing details in a follow-up.

Thanks,
syscaller
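
Added example (not part of the original message and not the binder driver's code): a user-space model of the guard lifetime described in the report, with std::sync::Mutex standing in for the kernel SpinLock. Death, Inner and the drain_* functions are hypothetical names; the example also covers the unbraced while-let form, and the braced form's result assumes the temporary rules of Rust edition 2021 or earlier (edition 2024 drops a block's tail-expression temporaries at the end of the block).

```rust
use std::collections::VecDeque;
use std::sync::{Arc, Mutex};

// Stand-in for Process::inner (a spinlock in the driver, a std Mutex here).
type Inner = Arc<Mutex<VecDeque<Death>>>;

// Stand-in for a delivered death; its Drop records whether the queue lock was held.
struct Death {
    inner: Inner,
    log: Arc<Mutex<Vec<bool>>>,
}

impl Drop for Death {
    fn drop(&mut self) {
        // try_lock() fails while any guard for the queue lock is alive.
        let held = self.inner.try_lock().is_err();
        self.log.lock().unwrap().push(held);
    }
}

// Shape quoted in the report. With edition <= 2021 temporary rules the guard
// outlives the braces and is still alive in the loop body.
fn drain_as_reported(inner: &Inner) {
    while let Some(death) = { inner.lock().unwrap().pop_front() } {
        drop(death);
    }
}

// Without braces: a scrutinee temporary lives for the whole iteration.
fn drain_unbraced(inner: &Inner) {
    while let Some(death) = inner.lock().unwrap().pop_front() {
        drop(death);
    }
}

// Guard confined to a `let` statement: released before the destructor runs.
fn drain_guard_released(inner: &Inner) {
    loop {
        let next = inner.lock().unwrap().pop_front();
        match next {
            Some(death) => drop(death),
            None => break,
        }
    }
}

// Queue n constructed items, drain them, return per-drop flags (true = lock was held).
fn held_during_drops(drain: fn(&Inner), n: usize) -> Vec<bool> {
    let inner: Inner = Arc::new(Mutex::new(VecDeque::new()));
    let log = Arc::new(Mutex::new(Vec::new()));
    for _ in 0..n {
        let death = Death { inner: inner.clone(), log: log.clone() };
        inner.lock().unwrap().push_back(death);
    }
    drain(&inner);
    let observed = log.lock().unwrap().clone(); // bound so the guard drops first
    observed
}

fn main() {
    println!("as reported:    {:?}", held_during_drops(drain_as_reported, 3));
    println!("unbraced:       {:?}", held_during_drops(drain_unbraced, 3));
    println!("guard released: {:?}", held_during_drops(drain_guard_released, 3));
}
```

In the kernel the second acquisition is a sleeping mutex taken under a spinlock, so the same ordering shows up as the lockdep splat above rather than as a failed try_lock.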