Subject: [syzbot] WARNING in binder_alloc_vma_close
From: syzbot @ 2022-06-27  7:20 UTC
  To: Liam.Howlett, akpm, arve, brauner, gregkh, hridya, joel,
	liam.howlett, linux-kernel, maco, surenb, syzkaller-bugs, tkjos

Hello,

syzbot found the following issue on:

HEAD commit:    08897940f458 Add linux-next specific files for 20220623
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=160dc3b0080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=fb185a52c6ad0a8e
dashboard link: https://syzkaller.appspot.com/bug?extid=da54fa8d793ca89c741f
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14ef6974080000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13b9f0d4080000

The issue was bisected to:

commit 472a68df605b149ca58e931b4936e3136f5ecca0
Author: Liam R. Howlett <Liam.Howlett@oracle.com>
Date:   Tue Jun 21 01:09:09 2022 +0000

    android: binder: stop saving a pointer to the VMA

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=123596c4080000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=113596c4080000
console output: https://syzkaller.appspot.com/x/log.txt?x=163596c4080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+da54fa8d793ca89c741f@syzkaller.appspotmail.com
Fixes: 472a68df605b ("android: binder: stop saving a pointer to the VMA")

------------[ cut here ]------------
WARNING: CPU: 0 PID: 3611 at include/linux/mmap_lock.h:161 mmap_assert_write_locked include/linux/mmap_lock.h:161 [inline]
WARNING: CPU: 0 PID: 3611 at include/linux/mmap_lock.h:161 binder_alloc_set_vma drivers/android/binder_alloc.c:323 [inline]
WARNING: CPU: 0 PID: 3611 at include/linux/mmap_lock.h:161 binder_alloc_vma_close+0x123/0x170 drivers/android/binder_alloc.c:970
Modules linked in:
CPU: 0 PID: 3611 Comm: syz-executor763 Not tainted 5.19.0-rc3-next-20220623-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mmap_assert_write_locked include/linux/mmap_lock.h:161 [inline]
RIP: 0010:binder_alloc_set_vma drivers/android/binder_alloc.c:323 [inline]
RIP: 0010:binder_alloc_vma_close+0x123/0x170 drivers/android/binder_alloc.c:970
Code: 5b fa 48 8d bd 58 01 00 00 31 f6 e8 d7 44 5d 02 31 ff 41 89 c4 89 c6 e8 7b f8 5b fa 45 85 e4 0f 85 5b ff ff ff e8 1d fc 5b fa <0f> 0b e9 4f ff ff ff e8 11 fc 5b fa 48 89 ef e8 99 cd 91 fa 0f 0b
RSP: 0018:ffffc90002dffbe0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888078e119e0 RCX: 0000000000000000
RDX: ffff8880219d0000 RSI: ffffffff871ec183 RDI: 0000000000000005
RBP: ffff88807744c880 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff88807744c880 R15: 0000000000000000
FS:  0000555556a5c300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6863e39130 CR3: 00000000217f4000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 remove_vma+0x81/0x130 mm/mmap.c:187
 remove_mt mm/mmap.c:2232 [inline]
 do_mas_align_munmap+0x9e6/0xef0 mm/mmap.c:2507
 do_mas_munmap+0x202/0x2c0 mm/mmap.c:2562
 __vm_munmap+0x159/0x290 mm/mmap.c:2833
 __do_sys_munmap mm/mmap.c:2858 [inline]
 __se_sys_munmap mm/mmap.c:2855 [inline]
 __x64_sys_munmap+0x55/0x80 mm/mmap.c:2855
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6863dc8099
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdc69a2808 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6863dc8099
RDX: 00007f6863dc8099 RSI: 0000000000004000 RDI: 0000000020ffa000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 00007ffdc69a2850
R13: 00007ffdc69a2840 R14: 00007ffdc69a2830 R15: 0000000000000000
 </TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


Subject: Re: [syzbot] WARNING in binder_alloc_vma_close
From: Liam Howlett @ 2022-06-27 13:16 UTC
  To: syzbot
  Cc: akpm, arve, brauner, gregkh, hridya, joel, linux-kernel, maco,
	surenb, syzkaller-bugs, tkjos

* syzbot <syzbot+da54fa8d793ca89c741f@syzkaller.appspotmail.com> [220627 03:20]:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    08897940f458 Add linux-next specific files for 20220623
> git tree:       linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=160dc3b0080000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=fb185a52c6ad0a8e
> dashboard link: https://syzkaller.appspot.com/bug?extid=da54fa8d793ca89c741f
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14ef6974080000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13b9f0d4080000
> 
> The issue was bisected to:
> 
> commit 472a68df605b149ca58e931b4936e3136f5ecca0
> Author: Liam R. Howlett <Liam.Howlett@oracle.com>
> Date:   Tue Jun 21 01:09:09 2022 +0000
> 
>     android: binder: stop saving a pointer to the VMA
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=123596c4080000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=113596c4080000
> console output: https://syzkaller.appspot.com/x/log.txt?x=163596c4080000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+da54fa8d793ca89c741f@syzkaller.appspotmail.com
> Fixes: 472a68df605b ("android: binder: stop saving a pointer to the VMA")
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 3611 at include/linux/mmap_lock.h:161 mmap_assert_write_locked include/linux/mmap_lock.h:161 [inline]
> WARNING: CPU: 0 PID: 3611 at include/linux/mmap_lock.h:161 binder_alloc_set_vma drivers/android/binder_alloc.c:323 [inline]
> WARNING: CPU: 0 PID: 3611 at include/linux/mmap_lock.h:161 binder_alloc_vma_close+0x123/0x170 drivers/android/binder_alloc.c:970
> Modules linked in:
> CPU: 0 PID: 3611 Comm: syz-executor763 Not tainted 5.19.0-rc3-next-20220623-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:mmap_assert_write_locked include/linux/mmap_lock.h:161 [inline]
> RIP: 0010:binder_alloc_set_vma drivers/android/binder_alloc.c:323 [inline]
> RIP: 0010:binder_alloc_vma_close+0x123/0x170 drivers/android/binder_alloc.c:970
> Code: 5b fa 48 8d bd 58 01 00 00 31 f6 e8 d7 44 5d 02 31 ff 41 89 c4 89 c6 e8 7b f8 5b fa 45 85 e4 0f 85 5b ff ff ff e8 1d fc 5b fa <0f> 0b e9 4f ff ff ff e8 11 fc 5b fa 48 89 ef e8 99 cd 91 fa 0f 0b
> RSP: 0018:ffffc90002dffbe0 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffff888078e119e0 RCX: 0000000000000000
> RDX: ffff8880219d0000 RSI: ffffffff871ec183 RDI: 0000000000000005
> RBP: ffff88807744c880 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
> R13: dffffc0000000000 R14: ffff88807744c880 R15: 0000000000000000
> FS:  0000555556a5c300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f6863e39130 CR3: 00000000217f4000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  remove_vma+0x81/0x130 mm/mmap.c:187
>  remove_mt mm/mmap.c:2232 [inline]
>  do_mas_align_munmap+0x9e6/0xef0 mm/mmap.c:2507

do_mas_align_munmap() may downgrade the lock.  remove_vma is closing the
file - which binder is using to detect the removal of the vma.  I think
the best plan here is to allow clearing the vma without asserting the
write lock.  The read lock is still held so ensuring the read lock is
held is probably a worthy addition to the clearing path.


>  do_mas_munmap+0x202/0x2c0 mm/mmap.c:2562
>  __vm_munmap+0x159/0x290 mm/mmap.c:2833
>  __do_sys_munmap mm/mmap.c:2858 [inline]
>  __se_sys_munmap mm/mmap.c:2855 [inline]
>  __x64_sys_munmap+0x55/0x80 mm/mmap.c:2855
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x46/0xb0
> RIP: 0033:0x7f6863dc8099
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffdc69a2808 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6863dc8099
> RDX: 00007f6863dc8099 RSI: 0000000000004000 RDI: 0000000020ffa000
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000003 R11: 0000000000000246 R12: 00007ffdc69a2850
> R13: 00007ffdc69a2840 R14: 00007ffdc69a2830 R15: 0000000000000000
>  </TASK>

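The reasoning in the reply above (munmap may downgrade the mmap lock from write to read before the VMA's close callback runs, so a close path that asserts the write lock fires even though the caller still holds the lock) is easy to see in a small user-space model. The following is an added example, not kernel code and not part of the thread: the lock, the munmap path and the binder close callback are all hypothetical stand-ins named after the functions in the trace, and "ensuring the read lock is held" is modelled as accepting either a read or a write lock, which is an assumption about the intended check.

```c
/* Added example (not kernel code): a user-space model of the mmap lock state
 * that shows why a vm_ops->close callback asserting the *write* lock warns
 * once munmap has downgraded to a read lock, and why a "locked at all" check
 * matches that path while still catching a caller that holds no lock.
 * Every name below is a hypothetical stand-in for the kernel function it
 * is modelled on. */
#include <stdbool.h>
#include <stdio.h>

enum lock_state { MM_UNLOCKED, MM_READ_LOCKED, MM_WRITE_LOCKED };

struct mm_model {
    enum lock_state lock;   /* models mm->mmap_lock */
    const void *binder_vma; /* models the cached vma pointer the close path clears */
    int warnings;           /* how many times a lock assertion "WARNed" */
};

/* Models mmap_write_lock / mmap_write_downgrade / the matching unlocks. */
static void mm_write_lock(struct mm_model *mm)      { mm->lock = MM_WRITE_LOCKED; }
static void mm_write_downgrade(struct mm_model *mm) { mm->lock = MM_READ_LOCKED; }
static void mm_read_unlock(struct mm_model *mm)     { mm->lock = MM_UNLOCKED; }
static void mm_write_unlock(struct mm_model *mm)    { mm->lock = MM_UNLOCKED; }

/* Models mmap_assert_write_locked(): counts a WARN instead of printing one. */
static bool assert_write_locked(struct mm_model *mm)
{
    if (mm->lock != MM_WRITE_LOCKED) { mm->warnings++; return false; }
    return true;
}

/* Models an "mmap lock held" assertion: a read or a write lock is acceptable. */
static bool assert_locked(struct mm_model *mm)
{
    if (mm->lock == MM_UNLOCKED) { mm->warnings++; return false; }
    return true;
}

typedef bool (*lock_check_fn)(struct mm_model *);

/* Models the binder close callback: run the chosen assertion, then clear the
 * cached vma (the equivalent of binder_alloc_set_vma(alloc, NULL)). */
static void binder_vma_close_model(struct mm_model *mm, lock_check_fn check)
{
    check(mm);
    mm->binder_vma = NULL;
}

/* Models do_mas_align_munmap -> remove_vma: the write lock may be downgraded
 * to a read lock before the vma's close callback is invoked. */
static int munmap_model(struct mm_model *mm, bool downgrade, lock_check_fn check)
{
    mm_write_lock(mm);
    if (downgrade)
        mm_write_downgrade(mm);
    binder_vma_close_model(mm, check); /* vm_ops->close via remove_vma */
    if (downgrade)
        mm_read_unlock(mm);
    else
        mm_write_unlock(mm);
    return mm->warnings;
}

/* Number of WARNs produced for a given lock check and downgrade choice. */
int warnings_for(bool downgrade, bool use_write_assert)
{
    struct mm_model mm = { MM_UNLOCKED, (const void *)0x1, 0 };
    return munmap_model(&mm, downgrade,
                        use_write_assert ? assert_write_locked : assert_locked);
}

/* A close path entered with no lock at all: both checks must still catch it. */
int warnings_when_unlocked(bool use_write_assert)
{
    struct mm_model mm = { MM_UNLOCKED, (const void *)0x1, 0 };
    binder_vma_close_model(&mm, use_write_assert ? assert_write_locked : assert_locked);
    return mm.warnings;
}

int main(void)
{
    printf("write-assert, no downgrade: %d WARN\n", warnings_for(false, true));
    printf("write-assert, downgraded:   %d WARN  (the path in the syzbot report)\n",
           warnings_for(true, true));
    printf("locked-assert, downgraded:  %d WARN\n", warnings_for(true, false));
    printf("locked-assert, unlocked:    %d WARN\n", warnings_when_unlocked(false));
    return 0;
}
```

The second line of output is the reported case: the caller still holds the lock, only in read mode, so the assertion is stricter than the invariant the close path actually depends on. The last line shows the property a reviewer would want preserved by the relaxed check: a close callback reached with the mmap lock dropped entirely still warns.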

Subject: Re: [syzbot] WARNING in binder_alloc_vma_close
In-Reply-To: <20220627104113.933-1-hdanton@sina.com> [not found]
From: syzbot @ 2022-06-27 11:33 UTC
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+da54fa8d793ca89c741f@syzkaller.appspotmail.com

Tested on:

commit:         08897940 Add linux-next specific files for 20220623
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16ecb94c080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=fb185a52c6ad0a8e
dashboard link: https://syzkaller.appspot.com/bug?extid=da54fa8d793ca89c741f
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=134bd9e4080000

Note: testing is done by a robot and is best-effort only.
