public inbox for rust-for-linux@vger.kernel.org
* [BUG] android: rust binder: sleeping function called from invalid context in deferred_release()
@ 2026-04-11 13:44 syscaller
  2026-04-11 15:24 ` Miguel Ojeda
  0 siblings, 1 reply; 2+ messages in thread
From: syscaller @ 2026-04-11 13:44 UTC (permalink / raw)
  To: gregkh, aliceryhl
  Cc: arve, tkjos, brauner, cmllamas, ojeda, boqun, rust-for-linux,
	linux-kernel, syzkaller-bugs

Hello,

I hit the following issue repeatedly with a local syzkaller instance while
fuzzing Rust binder.

HEAD commit:    591cd656a1bf Linux 7.0-rc7
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://gist.githubusercontent.com/syscallerx/1ebe64a8a4a3340fb565325ba62efe53/raw/7c5e52532a94b60f442cf588926da065c7a2b11e/console-output.txt
kernel config:  https://gist.githubusercontent.com/syscallerx/1ebe64a8a4a3340fb565325ba62efe53/raw/7c5e52532a94b60f442cf588926da065c7a2b11e/kernel-config.txt
dashboard link: N/A (local syzkaller instance)
compiler:       gcc (Ubuntu 14.2.0-4ubuntu2) 14.2.0, GNU ld (GNU Binutils for Ubuntu) 2.43.1
userspace arch: amd64

Note: the fuzzing kernel was based on upstream v7.0-rc7 with one local
instrumentation-only change:

  drivers/android/binder/Makefile
    +KCOV_INSTRUMENT := y

This change was added only to enable selective KCOV instrumentation for binder
while fuzzing.

Unfortunately, I don't have a minimized reproducer for this issue yet.

The same crash family has been observed repeatedly by the local syzkaller
instance (about 300 hits in the same crash directory), but syz-repro has not
managed to extract a stable minimal reproducer so far.

I believe the warning is caused by the following code in
drivers/android/binder/process.rs:

  while let Some(delivered_death) =
      { self.inner.lock().delivered_deaths.pop_front() } {
      drop(delivered_death);
  }

The temporary SpinLockGuard returned by self.inner.lock() appears to live
across the whole while-let statement, including the loop body. As a result,
drop(delivered_death) runs while Process::inner is still held.

The destructor chain then reaches:

  drivers/android/binder/page_range.rs:633
    let mm_lock = self.mm_lock.lock();

That mutex acquisition triggers the "sleeping function called from invalid
context" / "Invalid wait context" warning.

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 212920, name: kworker/3:3
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by kworker/3:3/212920:
 #0: ffff888019c13948 ((wq_completion)events#2){+.+.}-{0:0}, at: process_one_work+0xfaa/0x1670 kernel/workqueue.c:3251
 #1: ffffc900096a7d10 (Process::defer_work){+.+.}-{0:0}, at: process_one_work+0x85c/0x1670 kernel/workqueue.c:3252
 #2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <kernel::sync::lock::spinlock::SpinLockBackend as kernel::sync::lock::Backend>::lock rust/kernel/sync/lock/spinlock.rs:119 [inline]
 #2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <kernel::sync::lock::Lock<rust_binder_main::process::ProcessInner, kernel::sync::lock::spinlock::SpinLockBackend>>::lock rust/kernel/sync/lock.rs:177 [inline]
 #2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <rust_binder_main::process::Process>::deferred_release drivers/android/binder/process.rs:1405 [inline]
 #2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <rust_binder_main::process::Process as kernel::workqueue::WorkItem>::run+0x2278/0x2fd0 drivers/android/binder/process.rs:498
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 3 UID: 0 PID: 212920 Comm: kworker/3:3 Tainted: G        W    L      7.0.0-rc7-dirty #3 PREEMPT(full)
Tainted: [W]=WARN, [L]=SOFTLOCKUP
Hardware name: QEMU Ubuntu 24.10 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: events _RNvXs8_NtCsgzhNYVB7wSz_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCsdiRiAdj6M6P_16rust_binder_main7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x6f/0xb0 lib/dump_stack.c:120
 __might_resched.cold+0x1ec/0x232 kernel/sched/core.c:8888
 __mutex_lock_common kernel/locking/mutex.c:591 [inline]
 __mutex_lock+0x10e/0x1b90 kernel/locking/mutex.c:776
 <kernel::sync::lock::mutex::MutexBackend as kernel::sync::lock::Backend>::lock rust/kernel/sync/lock/mutex.rs:120 [inline]
 <kernel::sync::lock::Lock<(), kernel::sync::lock::mutex::MutexBackend>>::lock rust/kernel/sync/lock.rs:177 [inline]
 <rust_binder_main::page_range::ShrinkablePageRange as pin_init::PinnedDrop>::drop+0xe1/0x310 drivers/android/binder/page_range.rs:633
 <rust_binder_main::page_range::ShrinkablePageRange as core::ops::drop::Drop>::drop drivers/android/binder/page_range.rs:127 [inline]
 core::ptr::drop_in_place::<rust_binder_main::page_range::ShrinkablePageRange> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<rust_binder_main::process::Process>+0xcfd/0x1010 root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805
 core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 <kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop rust/kernel/alloc/kbox.rs:676 [inline]
 core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
 <kernel::sync::arc::Arc<rust_binder_main::process::Process> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::process::Process>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<rust_binder_main::node::Node> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<rust_binder_main::DTRWrap<rust_binder_main::node::Node>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 <kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop rust/kernel/alloc/kbox.rs:676 [inline]
 core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
 <kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::Node>> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<rust_binder_main::node::NodeDeath> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 <kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop+0xdf/0x1b0 rust/kernel/alloc/kbox.rs:676
 core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
 <kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<kernel::list::arc::ListArc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>, 2>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::mem::drop::<kernel::list::arc::ListArc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>, 2>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
 <rust_binder_main::process::Process>::deferred_release drivers/android/binder/process.rs:1406 [inline]
 <rust_binder_main::process::Process as kernel::workqueue::WorkItem>::run+0x2475/0x2fd0 drivers/android/binder/process.rs:498
 process_one_work+0x8df/0x1670 kernel/workqueue.c:3276
 process_scheduled_works kernel/workqueue.c:3359 [inline]
 worker_thread+0x4ea/0xd60 kernel/workqueue.c:3440
 kthread+0x30d/0x3f0 kernel/kthread.c:436
 ret_from_fork+0x614/0xa30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

=============================
[ BUG: Invalid wait context ]
7.0.0-rc7-dirty #3 Tainted: G        W    L
-----------------------------
kworker/3:3/212920 is trying to lock:
ffff888188296898 (ShrinkablePageRange::mm){+.+.}-{4:4}, at: <kernel::sync::lock::mutex::MutexBackend as kernel::sync::lock::Backend>::lock rust/kernel/sync/lock/mutex.rs:120 [inline]
ffff888188296898 (ShrinkablePageRange::mm){+.+.}-{4:4}, at: <kernel::sync::lock::Lock<(), kernel::sync::lock::mutex::MutexBackend>>::lock rust/kernel/sync/lock.rs:177 [inline]
ffff888188296898 (ShrinkablePageRange::mm){+.+.}-{4:4}, at: <rust_binder_main::page_range::ShrinkablePageRange as pin_init::PinnedDrop>::drop+0xe1/0x310 drivers/android/binder/page_range.rs:633
other info that might help us debug this:
context-{5:5}
3 locks held by kworker/3:3/212920:
 #0: ffff888019c13948 ((wq_completion)events#2){+.+.}-{0:0}, at: process_one_work+0xfaa/0x1670 kernel/workqueue.c:3251
 #1: ffffc900096a7d10 (Process::defer_work){+.+.}-{0:0}, at: process_one_work+0x85c/0x1670 kernel/workqueue.c:3252
 #2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <kernel::sync::lock::spinlock::SpinLockBackend as kernel::sync::lock::Backend>::lock rust/kernel/sync/lock/spinlock.rs:119 [inline]
 #2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <kernel::sync::lock::Lock<rust_binder_main::process::ProcessInner, kernel::sync::lock::spinlock::SpinLockBackend>>::lock rust/kernel/sync/lock.rs:177 [inline]
 #2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <rust_binder_main::process::Process>::deferred_release drivers/android/binder/process.rs:1405 [inline]
 #2: ffff888198d9f938 (Process::inner){+.+.}-{3:3}, at: <rust_binder_main::process::Process as kernel::workqueue::WorkItem>::run+0x2278/0x2fd0 drivers/android/binder/process.rs:498
stack backtrace:
CPU: 3 UID: 0 PID: 212920 Comm: kworker/3:3 Tainted: G        W    L      7.0.0-rc7-dirty #3 PREEMPT(full)
Tainted: [W]=WARN, [L]=SOFTLOCKUP
Hardware name: QEMU Ubuntu 24.10 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: events _RNvXs8_NtCsgzhNYVB7wSz_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCsdiRiAdj6M6P_16rust_binder_main7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x6f/0xb0 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4830 [inline]
 check_wait_context kernel/locking/lockdep.c:4902 [inline]
 __lock_acquire+0xfa4/0x2630 kernel/locking/lockdep.c:5187
 lock_acquire kernel/locking/lockdep.c:5868 [inline]
 lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825
 __mutex_lock_common kernel/locking/mutex.c:614 [inline]
 __mutex_lock+0x1a2/0x1b90 kernel/locking/mutex.c:776
 <kernel::sync::lock::mutex::MutexBackend as kernel::sync::lock::Backend>::lock rust/kernel/sync/lock/mutex.rs:120 [inline]
 <kernel::sync::lock::Lock<(), kernel::sync::lock::mutex::MutexBackend>>::lock rust/kernel/sync/lock.rs:177 [inline]
 <rust_binder_main::page_range::ShrinkablePageRange as pin_init::PinnedDrop>::drop+0xe1/0x310 drivers/android/binder/page_range.rs:633
 <rust_binder_main::page_range::ShrinkablePageRange as core::ops::drop::Drop>::drop drivers/android/binder/page_range.rs:127 [inline]
 core::ptr::drop_in_place::<rust_binder_main::page_range::ShrinkablePageRange> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<rust_binder_main::process::Process>+0xcfd/0x1010 root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805
 core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 <kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop rust/kernel/alloc/kbox.rs:676 [inline]
 core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::Process>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
 <kernel::sync::arc::Arc<rust_binder_main::process::Process> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::process::Process>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<rust_binder_main::node::Node> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<rust_binder_main::DTRWrap<rust_binder_main::node::Node>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 <kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop rust/kernel/alloc/kbox.rs:676 [inline]
 core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
 <kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::Node>> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::Node>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<rust_binder_main::node::NodeDeath> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 <kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop+0xdf/0x1b0 rust/kernel/alloc/kbox.rs:676
 core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>, kernel::alloc::allocator::Kmalloc>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
 <kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:476 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::ptr::drop_in_place::<kernel::list::arc::ListArc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>, 2>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:805 [inline]
 core::mem::drop::<kernel::list::arc::ListArc<rust_binder_main::DTRWrap<rust_binder_main::node::NodeDeath>, 2>> root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:967 [inline]
 <rust_binder_main::process::Process>::deferred_release drivers/android/binder/process.rs:1406 [inline]
 <rust_binder_main::process::Process as kernel::workqueue::WorkItem>::run+0x2475/0x2fd0 drivers/android/binder/process.rs:498
 process_one_work+0x8df/0x1670 kernel/workqueue.c:3276
 process_scheduled_works kernel/workqueue.c:3359 [inline]
 worker_thread+0x4ea/0xd60 kernel/workqueue.c:3440
 kthread+0x30d/0x3f0 kernel/kthread.c:436
 ret_from_fork+0x614/0xa30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

If needed, I can share the local syzkaller reproducer attempts and additional
testing details in a follow-up.

Thanks,
syscaller
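
The temporary-lifetime rule the report relies on, shown as an added user-space Rust example (this is not code from the report, from the binder driver, or from the patch referenced elsewhere in this thread). `Proc`, `Death`, `release`, `drain_like_report`, `drain_scoped` and `sample_proc` are stand-ins chosen here: `std::sync::Mutex` plays both the `Process::inner` spinlock and the `mm_lock` mutex, and `try_lock()` plays the role of lockdep, reporting whether `inner` is still held when the second lock is taken. The scrutinee of a `while let` keeps its temporaries, including a lock guard, alive until the end of each iteration of the loop body, in every Rust edition; wrapping the scrutinee in `{ ... }` as the quoted snippet does changes nothing under edition 2021, because a block's tail-expression temporaries are dropped at the end of the enclosing statement rather than at the closing brace (Rust 2024 changed that rule). Binding the popped value with a `let` statement ends the guard's life before the body runs.

```rust
use std::collections::VecDeque;
use std::sync::{Mutex, TryLockError};

// Constructed stand-in for a delivered-death entry: releasing one must take a
// second, sleeping lock, as the ShrinkablePageRange destructor in the report
// takes `mm_lock`.
struct Death {
    id: u32,
}

// Constructed stand-in for Process: `inner` plays the spinlock whose guard is
// the problem, `mm_lock` the mutex the destructor chain acquires.
struct Proc {
    inner: Mutex<VecDeque<Death>>,
    mm_lock: Mutex<()>,
}

// What the destructor chain does, with lockdep's complaint replaced by a
// recorded boolean: `true` means `inner` was still held when the sleeping lock
// was taken (std's try_lock returns WouldBlock if the mutex is already held).
fn release(death: Death, p: &Proc, log: &mut Vec<(u32, bool)>) {
    let inner_still_held = matches!(p.inner.try_lock(), Err(TryLockError::WouldBlock));
    log.push((death.id, inner_still_held));
    let _mm = p.mm_lock.lock().unwrap(); // the sleeping acquisition
    drop(death);
}

// Same shape as the loop quoted in the report: the guard returned by
// `p.inner.lock()` is a temporary of the `while let` scrutinee, and scrutinee
// temporaries live until the end of each iteration, so `release` runs with
// `inner` held.
fn drain_like_report(p: &Proc) -> Vec<(u32, bool)> {
    let mut log = Vec::new();
    while let Some(death) = p.inner.lock().unwrap().pop_front() {
        release(death, p, &mut log);
    }
    log
}

// One way to scope the guard: a `let` statement drops its temporaries at its
// semicolon, so `inner` is released before the popped entry is.
fn drain_scoped(p: &Proc) -> Vec<(u32, bool)> {
    let mut log = Vec::new();
    loop {
        let next = p.inner.lock().unwrap().pop_front();
        match next {
            Some(death) => release(death, p, &mut log),
            None => break,
        }
    }
    log
}

// Constructed input: three queued entries.
fn sample_proc() -> Proc {
    Proc {
        inner: Mutex::new((1..=3).map(|id| Death { id }).collect()),
        mm_lock: Mutex::new(()),
    }
}

fn main() {
    println!("while-let scrutinee: {:?}", drain_like_report(&sample_proc()));
    println!("let-scoped guard:    {:?}", drain_scoped(&sample_proc()));
}
```

Run as is: the first loop logs `true` for every entry (the guard is alive while the entry is released, which is exactly when the real driver's destructor takes the mutex), the second logs `false` for every entry. The same check can be applied to any `match` or `if let` whose scrutinee creates a guard: a temporary created there outlives the arm or body that runs the drop.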


* Re: [BUG] android: rust binder: sleeping function called from invalid context in deferred_release()
  2026-04-11 13:44 [BUG] android: rust binder: sleeping function called from invalid context in deferred_release() syscaller
@ 2026-04-11 15:24 ` Miguel Ojeda
  0 siblings, 0 replies; 2+ messages in thread
From: Miguel Ojeda @ 2026-04-11 15:24 UTC (permalink / raw)
  To: syscaller, Matthew Maurer
  Cc: gregkh, aliceryhl, arve, tkjos, brauner, cmllamas, ojeda, boqun,
	rust-for-linux, linux-kernel, syzkaller-bugs

On Sat, Apr 11, 2026 at 3:45 PM syscaller <syscaller@163.com> wrote:
>
> I believe the warning is caused by the following code in
> drivers/android/binder/process.rs:
>
>   while let Some(delivered_death) =
>       { self.inner.lock().delivered_deaths.pop_front() } {
>       drop(delivered_death);
>   }
>
> The temporary SpinLockGuard returned by self.inner.lock() appears to live
> across the whole while-let statement, including the loop body. As a result,
> drop(delivered_death) runs while Process::inner is still held.

Please take a look at:

  https://lore.kernel.org/rust-for-linux/20260403-lockhold-v1-1-c332b56cd8ae@google.com/

Thanks for the report!

Cheers,
Miguel
