general protection fault in binder_update_page_range


syzbot

Jul 24, 2019, 12:07:07 AM7/24/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1409a694600000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=d12f159ebb94833b2096
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d12f15...@syzkaller.appspotmail.com

binder: 7070:7073 transaction failed 29189/-3, size 72-24 line 3137
binder: 7077:7079 transaction failed 29189/-22, size 72-24 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 7088 Comm: syz-executor.1 Not tainted 4.4.174+ #17
task: ffff8801c1732f80 task.stack: ffff8801cfd98000
RIP: 0010:[<ffffffff8214c0da>] [<ffffffff8214c0da>] __read_once_size
include/linux/compiler.h:218 [inline]
RIP: 0010:[<ffffffff8214c0da>] [<ffffffff8214c0da>] atomic_read
arch/x86/include/asm/atomic.h:26 [inline]
RIP: 0010:[<ffffffff8214c0da>] [<ffffffff8214c0da>] __atomic_add_unless
arch/x86/include/asm/atomic.h:211 [inline]
RIP: 0010:[<ffffffff8214c0da>] [<ffffffff8214c0da>] atomic_add_unless
include/linux/atomic.h:437 [inline]
RIP: 0010:[<ffffffff8214c0da>] [<ffffffff8214c0da>]
binder_update_page_range drivers/android/binder_alloc.c:217 [inline]
RIP: 0010:[<ffffffff8214c0da>] [<ffffffff8214c0da>]
binder_update_page_range+0xada/0x1e00 drivers/android/binder_alloc.c:186
RSP: 0018:ffff8801cfd9f5b0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffc9000fff4000 RCX: ffffc9000231e000
RDX: 0000000000000009 RSI: ffffffff8214c09c RDI: ffff8801cecc8010
RBP: ffff8801cfd9f638 R08: 0000000000000000 R09: ffff8801c1733868
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000048
R13: 0000000000000000 R14: ffff8801d7295488 R15: ffff8801d7295400
FS: 0000000000000000(0000) GS:ffff8801db700000(0063) knlGS:00000000f55dcb40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020269000 CR3: 00000001d4b51000 CR4: 00000000001606b0
Stack:
0000000000000246 360bc7c4d2464580 ffff8801c1732f80 ffffffff82ea73a0
ffffc9000fff3000 ffffffff82ea7320 ffff8801d72954c8 ffff8801d7295490
ffffffff82141492 ffff8801cfd9f620 0000000000000246 360bc7c4d2464580
Call Trace:
[<ffffffff8214eea2>] binder_alloc_new_buf_locked
drivers/android/binder_alloc.c:442 [inline]
[<ffffffff8214eea2>] binder_alloc_new_buf+0xa12/0x1020
drivers/android/binder_alloc.c:512
[<ffffffff82141b9f>] binder_transaction+0x168f/0x5fe0
drivers/android/binder.c:3127
[<ffffffff82146c3b>] binder_thread_write+0x74b/0x2240
drivers/android/binder.c:3692
[<ffffffff8214988d>] binder_ioctl_write_read drivers/android/binder.c:4632
[inline]
[<ffffffff8214988d>] binder_ioctl+0x115d/0x1c20
drivers/android/binder.c:4807
[<ffffffff8159b2c3>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
[<ffffffff8159b2c3>] compat_SyS_ioctl+0x403/0x2210 fs/compat_ioctl.c:1544
[<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330
[inline]
[<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90
arch/x86/entry/common.c:397
[<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a
Code: f2 48 c1 ea 03 80 3c 02 00 0f 85 7b 12 00 00 4d 8b af 88 00 00 00 48
b8 00 00 00 00 00 fc ff df 4d 8d 65 48 4c 89 e2 48 c1 ea 03 <0f> b6 14 02
4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RIP [<ffffffff8214c0da>] __read_once_size include/linux/compiler.h:218
[inline]
RIP [<ffffffff8214c0da>] atomic_read arch/x86/include/asm/atomic.h:26
[inline]
RIP [<ffffffff8214c0da>] __atomic_add_unless
arch/x86/include/asm/atomic.h:211 [inline]
RIP [<ffffffff8214c0da>] atomic_add_unless include/linux/atomic.h:437
[inline]
RIP [<ffffffff8214c0da>] binder_update_page_range
drivers/android/binder_alloc.c:217 [inline]
RIP [<ffffffff8214c0da>] binder_update_page_range+0xada/0x1e00
drivers/android/binder_alloc.c:186
RSP <ffff8801cfd9f5b0>
---[ end trace 7e2da91d528c5552 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Nov 20, 2019, 10:07:05 PM11/20/19
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.