[syzbot] [kernel?] possible deadlock in binder_alloc_free_page


syzbot

Jan 11, 2025, 5:30:24 AM
to ar...@android.com, bra...@kernel.org, cmll...@google.com, gre...@linuxfoundation.org, jo...@joelfernandes.org, linux-...@vger.kernel.org, ma...@android.com, sur...@google.com, syzkall...@googlegroups.com, tk...@android.com
Hello,

syzbot found the following issue on:

HEAD commit: 7b4b9bf203da Add linux-next specific files for 20250107
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17d02dc4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=63fa2c9d5e12faef
dashboard link: https://syzkaller.appspot.com/bug?extid=799a2d4576c454ac2693
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10302dc4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c179cc0c7a3c/disk-7b4b9bf2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fdea80f2ec16/vmlinux-7b4b9bf2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a277fcaff608/bzImage-7b4b9bf2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+799a2d...@syzkaller.appspotmail.com

binder: 7926:7927 ioctl 4018620d 0 returned -22
======================================================
WARNING: possible circular locking dependency detected
6.13.0-rc6-next-20250107-syzkaller #0 Not tainted
------------------------------------------------------
syz.2.906/7927 is trying to acquire lock:
ffff88803376f5c8 (vm_lock){++++}-{0:0}, at: binder_alloc_free_page+0x150/0xd50 drivers/android/binder_alloc.c:1156

but task is already holding lock:
ffff888030320e30 (&l->lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff888030320e30 (&l->lock){+.+.}-{3:3}, at: lock_list_lru_of_memcg+0x24c/0x4d0 mm/list_lru.c:77

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&l->lock){+.+.}-{3:3}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
lock_list_lru_of_memcg+0x24c/0x4d0 mm/list_lru.c:77
list_lru_add+0x59/0x270 mm/list_lru.c:163
list_lru_add_obj+0x17b/0x250 mm/list_lru.c:186
__inode_add_lru fs/inode.c:534 [inline]
iput_final fs/inode.c:1923 [inline]
iput+0x89c/0xa50 fs/inode.c:1972
__dentry_kill+0x20d/0x630 fs/dcache.c:625
shrink_kill+0xa9/0x2c0 fs/dcache.c:1070
shrink_dentry_list+0x2c0/0x5b0 fs/dcache.c:1097
shrink_dcache_sb+0x25e/0x3e0 fs/dcache.c:1217
reconfigure_super+0x2c6/0x870 fs/super.c:1061
do_remount fs/namespace.c:3100 [inline]
path_mount+0xc22/0xfa0 fs/namespace.c:3879
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4088
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #2 (&sb->s_type->i_lock_key#23){+.+.}-{3:3}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
__mark_inode_dirty+0x3ff/0xe90 fs/fs-writeback.c:2540
generic_update_time fs/inode.c:2112 [inline]
inode_update_time fs/inode.c:2125 [inline]
__file_update_time fs/inode.c:2353 [inline]
file_update_time+0x3d2/0x450 fs/inode.c:2383
ext4_page_mkwrite+0x210/0x1100 fs/ext4/inode.c:6160
do_page_mkwrite+0x159/0x340 mm/memory.c:3244
wp_page_shared mm/memory.c:3645 [inline]
do_wp_page+0x23cd/0x49b0 mm/memory.c:3795
handle_pte_fault mm/memory.c:5905 [inline]
__handle_mm_fault+0x24cf/0x70f0 mm/memory.c:6032
handle_mm_fault+0x3e2/0x8c0 mm/memory.c:6201
do_user_addr_fault arch/x86/mm/fault.c:1337 [inline]
handle_page_fault arch/x86/mm/fault.c:1480 [inline]
exc_page_fault+0x459/0x8b0 arch/x86/mm/fault.c:1538
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

-> #1 (sb_pagefaults){.+.+}-{0:0}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
percpu_down_read+0x44/0x1b0 include/linux/percpu-rwsem.h:51
__sb_start_write include/linux/fs.h:1773 [inline]
sb_start_pagefault include/linux/fs.h:1938 [inline]
ext4_page_mkwrite+0x1f9/0x1100 fs/ext4/inode.c:6159
do_page_mkwrite+0x159/0x340 mm/memory.c:3244
do_shared_fault mm/memory.c:5468 [inline]
do_fault mm/memory.c:5530 [inline]
do_pte_missing mm/memory.c:4047 [inline]
handle_pte_fault mm/memory.c:5889 [inline]
__handle_mm_fault+0x22dc/0x70f0 mm/memory.c:6032
handle_mm_fault+0x3e2/0x8c0 mm/memory.c:6201
do_user_addr_fault arch/x86/mm/fault.c:1337 [inline]
handle_page_fault arch/x86/mm/fault.c:1480 [inline]
exc_page_fault+0x459/0x8b0 arch/x86/mm/fault.c:1538
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

-> #0 (vm_lock){++++}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3163 [inline]
check_prevs_add kernel/locking/lockdep.c:3282 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3906
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5228
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
vma_start_read include/linux/mm.h:749 [inline]
lock_vma_under_rcu+0x35f/0x9a0 mm/memory.c:6436
binder_alloc_free_page+0x150/0xd50 drivers/android/binder_alloc.c:1156
__list_lru_walk_one+0x170/0x470 mm/list_lru.c:300
list_lru_walk_one mm/list_lru.c:337 [inline]
list_lru_walk_node+0xc4/0xa70 mm/list_lru.c:357
list_lru_walk include/linux/list_lru.h:282 [inline]
binder_shrink_scan+0x138/0x260 drivers/android/binder_alloc.c:1226
do_shrink_slab+0x72d/0x1160 mm/shrinker.c:437
shrink_slab+0x1093/0x14d0 mm/shrinker.c:664
drop_slab_node mm/vmscan.c:421 [inline]
drop_slab+0x142/0x280 mm/vmscan.c:439
drop_caches_sysctl_handler+0xbc/0x160 fs/drop_caches.c:68
proc_sys_call_handler+0x5ec/0x920 fs/proc/proc_sysctl.c:601
do_iter_readv_writev+0x71a/0x9d0
vfs_writev+0x38b/0xbc0 fs/read_write.c:1050
do_writev+0x1b6/0x360 fs/read_write.c:1096
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
vm_lock --> &sb->s_type->i_lock_key#23 --> &l->lock

Possible unsafe locking scenario:

CPU0                    CPU1
----                    ----
lock(&l->lock);
                        lock(&sb->s_type->i_lock_key#23);
                        lock(&l->lock);
rlock(vm_lock);

*** DEADLOCK ***

4 locks held by syz.2.906/7927:
#0: ffff888032732d38 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0x254/0x320 fs/file.c:1192
#1: ffff888027bea420 (sb_writers#3){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:3016 [inline]
#1: ffff888027bea420 (sb_writers#3){.+.+}-{0:0}, at: vfs_writev+0x2d6/0xbc0 fs/read_write.c:1048
#2: ffff888030320e30 (&l->lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
#2: ffff888030320e30 (&l->lock){+.+.}-{3:3}, at: lock_list_lru_of_memcg+0x24c/0x4d0 mm/list_lru.c:77
#3: ffffffff8e937ee0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#3: ffffffff8e937ee0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#3: ffffffff8e937ee0 (rcu_read_lock){....}-{1:3}, at: lock_vma_under_rcu+0x1dd/0x9a0 mm/memory.c:6431

stack backtrace:
CPU: 1 UID: 0 PID: 7927 Comm: syz.2.906 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2076
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2208
check_prev_add kernel/locking/lockdep.c:3163 [inline]
check_prevs_add kernel/locking/lockdep.c:3282 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3906
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5228
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
vma_start_read include/linux/mm.h:749 [inline]
lock_vma_under_rcu+0x35f/0x9a0 mm/memory.c:6436
binder_alloc_free_page+0x150/0xd50 drivers/android/binder_alloc.c:1156
__list_lru_walk_one+0x170/0x470 mm/list_lru.c:300
list_lru_walk_one mm/list_lru.c:337 [inline]
list_lru_walk_node+0xc4/0xa70 mm/list_lru.c:357
list_lru_walk include/linux/list_lru.h:282 [inline]
binder_shrink_scan+0x138/0x260 drivers/android/binder_alloc.c:1226
do_shrink_slab+0x72d/0x1160 mm/shrinker.c:437
shrink_slab+0x1093/0x14d0 mm/shrinker.c:664
drop_slab_node mm/vmscan.c:421 [inline]
drop_slab+0x142/0x280 mm/vmscan.c:439
drop_caches_sysctl_handler+0xbc/0x160 fs/drop_caches.c:68
proc_sys_call_handler+0x5ec/0x920 fs/proc/proc_sysctl.c:601
do_iter_readv_writev+0x71a/0x9d0
vfs_writev+0x38b/0xbc0 fs/read_write.c:1050
do_writev+0x1b6/0x360 fs/read_write.c:1096
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc9ae785d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc9af619038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007fc9ae975fa0 RCX: 00007fc9ae785d29
RDX: 0000000000000001 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007fc9ae801b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc9ae975fa0 R15: 00007ffd15c33b58
</TASK>
syz.2.906 (7927): drop_caches: 2


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

Jan 11, 2025, 8:15:32 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 11 Jan 2025 02:30:22 -0800
> syzbot found the following issue on:
>
> HEAD commit: 7b4b9bf203da Add linux-next specific files for 20250107
> git tree: linux-next
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10302dc4580000

#syz test

--- x/drivers/android/binder_alloc.c
+++ y/drivers/android/binder_alloc.c
@@ -1247,9 +1247,10 @@ void binder_alloc_init(struct binder_all

int binder_alloc_shrinker_init(void)
{
+ static struct lock_class_key key;
int ret;

- ret = list_lru_init(&binder_freelist);
+ ret = __list_lru_init(&binder_freelist, false, &key, NULL);
if (ret)
return ret;

--

syzbot

Jan 11, 2025, 8:32:09 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

drivers/android/binder_alloc.c:1253:55: error: too many arguments to function call, expected 3, have 4


Tested on:

commit: 2b88851f Add linux-next specific files for 20250110
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=63fa2c9d5e12faef
dashboard link: https://syzkaller.appspot.com/bug?extid=799a2d4576c454ac2693
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17359ef8580000

Hillf Danton

Jan 11, 2025, 7:11:50 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 11 Jan 2025 02:30:22 -0800
> syzbot found the following issue on:
>
> HEAD commit: 7b4b9bf203da Add linux-next specific files for 20250107
> git tree: linux-next
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10302dc4580000

#syz test

--- x/drivers/android/binder_alloc.c
+++ y/drivers/android/binder_alloc.c
@@ -1245,10 +1245,12 @@ void binder_alloc_init(struct binder_all
INIT_LIST_HEAD(&alloc->buffers);
}

+static struct lock_class_key key;
int binder_alloc_shrinker_init(void)
{
int ret;

+ binder_freelist.key = &key;
ret = list_lru_init(&binder_freelist);
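Review bot: `binder_freelist.key = &key;` only puts the binder freelist's `&l->lock` into its own lockdep class; it changes nothing about the locking at runtime, so the request needs a description stating why the reported cycle is a lockdep false positive, i.e. why the `&l->lock` held in `binder_alloc_free_page()` when `vm_lock` is read-locked (binder's LRU) can never be the inode LRU's `&l->lock` that `iput_final()` takes in the `#3` chain of the report. Please also confirm in include/linux/list_lru.h that the `key` member is declared unconditionally; if it only exists under CONFIG_LOCKDEP, the unconditional assignment will not build on non-lockdep configs and needs an `#ifdef` guard or a small helper. The hunk as posted is also cut off before its trailing context (`if (ret)` / `return ret;`), so the `@@ -1245,10 +1245,12 @@` header does not match the lines shown.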

syzbot

Jan 11, 2025, 7:33:05 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

WARNING in __debugfs_file_get

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5834 at fs/debugfs/file.c:90 __debugfs_file_get+0x5e3/0x6f0 fs/debugfs/file.c:90
Modules linked in:
CPU: 1 UID: 0 PID: 5834 Comm: syz-executor Not tainted 6.13.0-rc6-next-20250110-syzkaller-g2b88851f583d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__debugfs_file_get+0x5e3/0x6f0 fs/debugfs/file.c:90
Code: 3f 01 48 b8 00 00 00 00 00 fc ff df 41 0f b6 44 05 00 84 c0 0f 85 e9 00 00 00 44 8b 74 24 40 e9 4f ff ff ff e8 2e 90 19 fe 90 <0f> 0b 90 b8 ea ff ff ff 4c 8b 3c 24 e9 5c ff ff ff 44 89 e9 80 e1
RSP: 0018:ffffc900040ff720 EFLAGS: 00010293
RAX: ffffffff83a5b0b2 RBX: 1ffff11004680fc2 RCX: ffff888027e38000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900040ff7d0 R08: ffffffff83a5abc7 R09: ffffffff8235b45d
R10: 0000000000000002 R11: ffffffff83a5b7b0 R12: 0000000000000000
R13: ffff888023407e10 R14: dffffc0000000000 R15: ffffffff8c47e761
FS: 00005555811cc500(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0a441e34c8 CR3: 0000000078ba8000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
debugfs_file_get fs/debugfs/file.c:152 [inline]
open_proxy_open+0x4f/0x4c0 fs/debugfs/file.c:283
do_dentry_open+0xdec/0x1960 fs/open.c:955
vfs_open+0x3b/0x370 fs/open.c:1085
do_open fs/namei.c:3828 [inline]
path_openat+0x2c74/0x3580 fs/namei.c:3987
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1427
do_sys_open fs/open.c:1442 [inline]
__do_sys_openat fs/open.c:1458 [inline]
__se_sys_openat fs/open.c:1453 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1453
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0a44184611
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 3a 7f 1c 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
RSP: 002b:00007ffefaf48b90 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000080001 RCX: 00007f0a44184611
RDX: 0000000000080001 RSI: 00007f0a441e34c8 RDI: 00000000ffffff9c
RBP: 00007f0a441e34c8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000000b
R13: 00007ffefaf48c30 R14: 00007f0a44201a6d R15: 00005555811e6010
</TASK>

Tested on:

commit: 2b88851f Add linux-next specific files for 20250110
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=2c9d32675cb8d2a5
dashboard link: https://syzkaller.appspot.com/bug?extid=799a2d4576c454ac2693
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15bc2bc4580000

Hillf Danton

Jan 11, 2025, 8:49:13 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 11 Jan 2025 02:30:22 -0800
> syzbot found the following issue on:
>
> HEAD commit: 7b4b9bf203da Add linux-next specific files for 20250107
> git tree: linux-next
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10302dc4580000

#syz test

--- x/drivers/android/binder_alloc.c
+++ y/drivers/android/binder_alloc.c
@@ -1245,10 +1245,12 @@ void binder_alloc_init(struct binder_all
INIT_LIST_HEAD(&alloc->buffers);
}

+static struct lock_class_key key;
int binder_alloc_shrinker_init(void)
{
int ret;

+ binder_freelist.key = &key;
ret = list_lru_init(&binder_freelist);
if (ret)
return ret;
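Review bot: this is the same binder hunk as in the previous test request, so the earlier points stand (state why the class split is justified; check that `struct list_lru`'s `key` member is visible without CONFIG_LOCKDEP). Two smaller things: the new `static struct lock_class_key key;` is glued directly onto `int binder_alloc_shrinker_init(void)` with no blank line between the declaration and the function, and bundling an unrelated fs/debugfs change into the same patch makes the result of the test ambiguous; if the binder change is to be sent as a real patch, keep the two files separate.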
--- x/fs/debugfs/file.c
+++ y/fs/debugfs/file.c
@@ -87,9 +87,6 @@ static int __debugfs_file_get(struct den
if (!((unsigned long)d_fsd & DEBUGFS_FSDATA_IS_REAL_FOPS_BIT)) {
fsd = d_fsd;
} else {
- if (WARN_ON(mode == DBGFS_GET_ALREADY))
- return -EINVAL;
-
fsd = kmalloc(sizeof(*fsd), GFP_KERNEL);
if (!fsd)
return -ENOMEM;
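Review bot: dropping `if (WARN_ON(mode == DBGFS_GET_ALREADY)) return -EINVAL;` deletes the sanity check instead of fixing what tripped it. The name suggests `DBGFS_GET_ALREADY` is the mode in which the caller expects the fsdata to exist already, so reaching the `kmalloc()` branch in that mode is exactly the condition the warning reports; it fired in the previous run from `open_proxy_open()` and, with panic_on_warn, took the test VM down. For a `#syz test` of the binder change, either carry the proper debugfs fix for that regression or test on a base that does not have it, rather than silencing the check and turning a caught inconsistency into a silent allocation.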
--

syzbot

Jan 11, 2025, 9:06:05 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

t/kcm/kcmsock.c:1894
do_one_initcall+0x248/0x870 init/main.c:1257
do_initcall_level+0x157/0x210 init/main.c:1319
do_initcalls+0x3f/0x80 init/main.c:1335
kernel_init_freeable+0x435/0x5d0 init/main.c:1568
page_owner free stack trace missing

Memory state around the buggy address:


[ 70.118741][ T5852] ==================================================================
[ 70.126850][ T5852] BUG: KASAN: slab-use-after-free in binder_add_device+0x5f/0xa0
[ 70.134622][ T5852] Write of size 8 at addr ffff88814d417408 by task syz-executor/5852
[ 70.142706][ T5852]
[ 70.145069][ T5852] CPU: 1 UID: 0 PID: 5852 Comm: syz-executor Not tainted 6.13.0-rc6-next-20250110-syzkaller-g2b88851f583d-dirty #0
[ 70.145097][ T5852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 70.145111][ T5852] Call Trace:
[ 70.145117][ T5852] <TASK>
[ 70.145124][ T5852] dump_stack_lvl+0x241/0x360
[ 70.145147][ T5852] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.145161][ T5852] ? __pfx__printk+0x10/0x10
[ 70.145183][ T5852] ? _printk+0xd5/0x120
[ 70.145203][ T5852] ? __virt_addr_valid+0x183/0x530
[ 70.145224][ T5852] ? __virt_addr_valid+0x183/0x530
[ 70.145245][ T5852] print_report+0x169/0x550
[ 70.145265][ T5852] ? __virt_addr_valid+0x183/0x530
[ 70.145282][ T5852] ? __virt_addr_valid+0x183/0x530
[ 70.145299][ T5852] ? __virt_addr_valid+0x45f/0x530
[ 70.145316][ T5852] ? __phys_addr+0xba/0x170
[ 70.145335][ T5852] ? binder_add_device+0x5f/0xa0
[ 70.145353][ T5852] kasan_report+0x143/0x180
[ 70.145373][ T5852] ? binder_add_device+0x5f/0xa0
[ 70.145393][ T5852] binder_add_device+0x5f/0xa0
[ 70.145411][ T5852] binderfs_binder_device_create+0x7bf/0x9c0
[ 70.145432][ T5852] binderfs_fill_super+0x944/0xd90
[ 70.145452][ T5852] ? __pfx_binderfs_fill_super+0x10/0x10
[ 70.145479][ T5852] ? shrinker_register+0x160/0x230
[ 70.145496][ T5852] ? sget_fc+0x909/0x9c0
[ 70.145513][ T5852] ? __pfx_set_anon_super_fc+0x10/0x10
[ 70.145531][ T5852] ? __pfx_binderfs_fill_super+0x10/0x10
[ 70.145550][ T5852] get_tree_nodev+0xb7/0x140
[ 70.145570][ T5852] vfs_get_tree+0x90/0x2b0
[ 70.145590][ T5852] do_new_mount+0x2be/0xb40
[ 70.145607][ T5852] ? __pfx_do_new_mount+0x10/0x10
[ 70.145625][ T5852] __se_sys_mount+0x2d6/0x3c0
[ 70.145640][ T5852] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 70.145660][ T5852] ? __pfx___se_sys_mount+0x10/0x10
[ 70.145674][ T5852] ? do_syscall_64+0x100/0x230
[ 70.145691][ T5852] ? __x64_sys_mount+0x20/0xc0
[ 70.145706][ T5852] do_syscall_64+0xf3/0x230
[ 70.145720][ T5852] ? clear_bhb_loop+0x35/0x90
[ 70.145741][ T5852] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.145766][ T5852] RIP: 0033:0x7fbe9df874ca
[ 70.145784][ T5852] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 70.145797][ T5852] RSP: 002b:00007ffe8c95a878 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 70.145815][ T5852] RAX: ffffffffffffffda RBX: 00007fbe9e001ecb RCX: 00007fbe9df874ca
[ 70.145826][ T5852] RDX: 00007fbe9e00ec27 RSI: 00007fbe9e001ecb RDI: 00007fbe9e00ec27
[ 70.145837][ T5852] RBP: 00007fbe9e0020c3 R08: 0000000000000000 R09: 00000000000001ff
[ 70.145845][ T5852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbe9dfe41c8
[ 70.145854][ T5852] R13: 00007fbe9dfe41a8 R14: 0000000000000009 R15: 0000000000000000
[ 70.145870][ T5852] </TASK>
[ 70.145875][ T5852]
[ 70.420660][ T5852] Allocated by task 5842:
[ 70.424987][ T5852] kasan_save_track+0x3f/0x80
[ 70.429661][ T5852] __kasan_kmalloc+0x98/0xb0
[ 70.434242][ T5852] __kmalloc_cache_noprof+0x243/0x390
[ 70.439600][ T5852] binderfs_binder_device_create+0x16c/0x9c0
[ 70.445569][ T5852] binderfs_fill_super+0x944/0xd90
[ 70.450669][ T5852] get_tree_nodev+0xb7/0x140
[ 70.455255][ T5852] vfs_get_tree+0x90/0x2b0
[ 70.459671][ T5852] do_new_mount+0x2be/0xb40
[ 70.464247][ T5852] __se_sys_mount+0x2d6/0x3c0
[ 70.469098][ T5852] do_syscall_64+0xf3/0x230
[ 70.473614][ T5852] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.479525][ T5852]
[ 70.482036][ T5852] Freed by task 5842:
[ 70.486218][ T5852] kasan_save_track+0x3f/0x80
[ 70.490899][ T5852] kasan_save_free_info+0x40/0x50
[ 70.495916][ T5852] __kasan_slab_free+0x59/0x70
[ 70.500672][ T5852] kfree+0x196/0x430
[ 70.504553][ T5852] evict+0x4e8/0x9a0
[ 70.508436][ T5852] __dentry_kill+0x20d/0x630
[ 70.513013][ T5852] shrink_kill+0xa9/0x2c0
[ 70.517329][ T5852] shrink_dentry_list+0x2c0/0x5b0
[ 70.522355][ T5852] shrink_dcache_parent+0xcb/0x3b0
[ 70.527479][ T5852] do_one_tree+0x23/0xe0
[ 70.531729][ T5852] shrink_dcache_for_umount+0xb4/0x180
[ 70.537181][ T5852] generic_shutdown_super+0x6a/0x2d0
[ 70.542629][ T5852] kill_litter_super+0x76/0xb0
[ 70.547378][ T5852] binderfs_kill_super+0x44/0x90
[ 70.552304][ T5852] deactivate_locked_super+0xc4/0x130
[ 70.557664][ T5852] cleanup_mnt+0x41f/0x4b0
[ 70.562066][ T5852] task_work_run+0x24f/0x310
[ 70.566647][ T5852] do_exit+0xa2a/0x28e0
[ 70.570801][ T5852] do_group_exit+0x207/0x2c0
[ 70.575387][ T5852] __x64_sys_exit_group+0x3f/0x40
[ 70.580410][ T5852] x64_sys_call+0x26a8/0x26b0
[ 70.585092][ T5852] do_syscall_64+0xf3/0x230
[ 70.589590][ T5852] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.595612][ T5852]
[ 70.597920][ T5852] The buggy address belongs to the object at ffff88814d417400
[ 70.597920][ T5852] which belongs to the cache kmalloc-512 of size 512
[ 70.612220][ T5852] The buggy address is located 8 bytes inside of
[ 70.612220][ T5852] freed 512-byte region [ffff88814d417400, ffff88814d417600)
[ 70.625931][ T5852]
[ 70.628249][ T5852] The buggy address belongs to the physical page:
[ 70.635009][ T5852] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14d414
[ 70.644053][ T5852] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 70.652545][ T5852] flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
[ 70.660344][ T5852] page_type: f5(slab)
[ 70.664420][ T5852] raw: 057ff00000000040 ffff88801ac41c80 ffffea00051aca00 dead000000000002
[ 70.672994][ T5852] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 70.681567][ T5852] head: 057ff00000000040 ffff88801ac41c80 ffffea00051aca00 dead000000000002
[ 70.690233][ T5852] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 70.698889][ T5852] head: 057ff00000000002 ffffea0005350501 ffffffffffffffff 0000000000000000
[ 70.707542][ T5852] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 70.716195][ T5852] page dumped because: kasan: bad access detected
[ 70.722603][ T5852] page_owner tracks the page as allocated
[ 70.728390][ T5852] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 14278460266, free_ts 0
[ 70.748169][ T5852] post_alloc_hook+0x1f4/0x240
[ 70.752929][ T5852] get_page_from_freelist+0x365c/0x37a0
[ 70.758467][ T5852] __alloc_frozen_pages_noprof+0x292/0x710
[ 70.764261][ T5852] alloc_pages_mpol+0x311/0x660
[ 70.769206][ T5852] allocate_slab+0x8f/0x3a0
[ 70.773709][ T5852] ___slab_alloc+0xc27/0x14a0
[ 70.778383][ T5852] __slab_alloc+0x58/0xa0
[ 70.782700][ T5852] __kmalloc_noprof+0x2e6/0x4c0
[ 70.787538][ T5852] ops_init+0x75/0x590
[ 70.791598][ T5852] register_pernet_operations+0x30d/0x630
[ 70.797331][ T5852] register_pernet_device+0x33/0x80
[ 70.802543][ T5852] kcm_init+0x21a/0x2f0
[ 70.806693][ T5852] do_one_initcall+0x248/0x870
[ 70.811446][ T5852] do_initcall_level+0x157/0x210
[ 70.816382][ T5852] do_initcalls+0x3f/0x80
[ 70.820874][ T5852] kernel_init_freeable+0x435/0x5d0
[ 70.826066][ T5852] page_owner free stack trace missing
[ 70.831432][ T5852]
[ 70.833754][ T5852] Memory state around the buggy address:
[ 70.839372][ T5852] ffff88814d417300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.847420][ T5852] ffff88814d417380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.855468][ T5852] >ffff88814d417400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.863512][ T5852] ^
[ 70.867824][ T5852] ffff88814d417480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.875908][ T5852] ffff88814d417500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.884657][ T5852] ==================================================================
[ 70.921510][ T5852] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 70.928745][ T5852] CPU: 1 UID: 0 PID: 5852 Comm: syz-executor Not tainted 6.13.0-rc6-next-20250110-syzkaller-g2b88851f583d-dirty #0
[ 70.940823][ T5852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 70.951001][ T5852] Call Trace:
[ 70.954299][ T5852] <TASK>
[ 70.957251][ T5852] dump_stack_lvl+0x241/0x360
[ 70.961951][ T5852] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.967257][ T5852] ? __pfx__printk+0x10/0x10
[ 70.971876][ T5852] ? preempt_schedule+0xe1/0xf0
[ 70.976763][ T5852] ? vscnprintf+0x5d/0x90
[ 70.981200][ T5852] panic+0x349/0x880
[ 70.985119][ T5852] ? check_panic_on_warn+0x21/0xb0
[ 70.990292][ T5852] ? __pfx_panic+0x10/0x10
[ 70.994725][ T5852] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 71.000729][ T5852] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 71.007429][ T5852] ? print_report+0x502/0x550
[ 71.012146][ T5852] check_panic_on_warn+0x86/0xb0
[ 71.017293][ T5852] ? binder_add_device+0x5f/0xa0
[ 71.022263][ T5852] end_report+0x77/0x160
[ 71.026795][ T5852] kasan_report+0x154/0x180
[ 71.031347][ T5852] ? binder_add_device+0x5f/0xa0
[ 71.036321][ T5852] binder_add_device+0x5f/0xa0
[ 71.041110][ T5852] binderfs_binder_device_create+0x7bf/0x9c0
[ 71.047216][ T5852] binderfs_fill_super+0x944/0xd90
[ 71.052455][ T5852] ? __pfx_binderfs_fill_super+0x10/0x10
[ 71.058125][ T5852] ? shrinker_register+0x160/0x230
[ 71.063266][ T5852] ? sget_fc+0x909/0x9c0
[ 71.067538][ T5852] ? __pfx_set_anon_super_fc+0x10/0x10
[ 71.073031][ T5852] ? __pfx_binderfs_fill_super+0x10/0x10
[ 71.078700][ T5852] get_tree_nodev+0xb7/0x140
[ 71.083320][ T5852] vfs_get_tree+0x90/0x2b0
[ 71.087766][ T5852] do_new_mount+0x2be/0xb40
[ 71.092295][ T5852] ? __pfx_do_new_mount+0x10/0x10
[ 71.097414][ T5852] __se_sys_mount+0x2d6/0x3c0
[ 71.102157][ T5852] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 71.108164][ T5852] ? __pfx___se_sys_mount+0x10/0x10
[ 71.113509][ T5852] ? do_syscall_64+0x100/0x230
[ 71.118306][ T5852] ? __x64_sys_mount+0x20/0xc0
[ 71.123096][ T5852] do_syscall_64+0xf3/0x230
[ 71.127627][ T5852] ? clear_bhb_loop+0x35/0x90
[ 71.132332][ T5852] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 71.138342][ T5852] RIP: 0033:0x7fbe9df874ca
[ 71.142750][ T5852] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 71.162427][ T5852] RSP: 002b:00007ffe8c95a878 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 71.170832][ T5852] RAX: ffffffffffffffda RBX: 00007fbe9e001ecb RCX: 00007fbe9df874ca
[ 71.178810][ T5852] RDX: 00007fbe9e00ec27 RSI: 00007fbe9e001ecb RDI: 00007fbe9e00ec27
[ 71.186778][ T5852] RBP: 00007fbe9e0020c3 R08: 0000000000000000 R09: 00000000000001ff
[ 71.194730][ T5852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbe9dfe41c8
[ 71.202697][ T5852] R13: 00007fbe9dfe41a8 R14: 0000000000000009 R15: 0000000000000000
[ 71.210939][ T5852] </TASK>
[ 71.214271][ T5852] Kernel Offset: disabled
[ 71.218610][ T5852] Rebooting in 86400 seconds..
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4079523737=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 6dbc6a9bc
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6dbc6a9bc76e06852841ed5c5bdbb78409b17f53 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250110-142744'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"6dbc6a9bc76e06852841ed5c5bdbb78409b17f53\"
/usr/bin/ld: /tmp/cc9IC3Dw.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1420def8580000


Tested on:

commit: 2b88851f Add linux-next specific files for 20250110
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=2c9d32675cb8d2a5
dashboard link: https://syzkaller.appspot.com/bug?extid=799a2d4576c454ac2693
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=157f5ef8580000

Carlos Llamas

Feb 19, 2025, 1:35:46 PM2/19/25
to syzbot, sur...@google.com, ar...@android.com, bra...@kernel.org, gre...@linuxfoundation.org, jo...@joelfernandes.org, linux-...@vger.kernel.org, ma...@android.com, sur...@google.com, syzkall...@googlegroups.com, tk...@android.com
On Sat, Jan 11, 2025 at 02:30:22AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7b4b9bf203da Add linux-next specific files for 20250107
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=17d02dc4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=63fa2c9d5e12faef
> dashboard link: https://syzkaller.appspot.com/bug?extid=799a2d4576c454ac2693
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10302dc4580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/c179cc0c7a3c/disk-7b4b9bf2.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/fdea80f2ec16/vmlinux-7b4b9bf2.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/a277fcaff608/bzImage-7b4b9bf2.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+799a2d...@syzkaller.appspotmail.com

Hey Suren, just FYI. I bisected this to commit e8f32ff00a66 ("mm:
replace vm_lock and detached flag with a reference count"), which was an
older version (v7) of your patchset. However, I've tested the same on
the newer linux-next tip with your v10 and it no longer reproduces the
problem.

Nothing else for me to do here.

Regards,
Carlos Llamas

Suren Baghdasaryan

Feb 19, 2025, 1:41:54 PM2/19/25
to Carlos Llamas, syzbot, ar...@android.com, bra...@kernel.org, gre...@linuxfoundation.org, jo...@joelfernandes.org, linux-...@vger.kernel.org, ma...@android.com, syzkall...@googlegroups.com, tk...@android.com
Thanks Carlos! There were a number of fixes since v7, including a
memory ordering fix. That issue might have caused this.

Carlos Llamas

Mar 24, 2025, 8:41:31 PM3/24/25
to syzbot, ar...@android.com, bra...@kernel.org, gre...@linuxfoundation.org, jo...@joelfernandes.org, linux-...@vger.kernel.org, ma...@android.com, sur...@google.com, syzkall...@googlegroups.com, tk...@android.com
On Sat, Jan 11, 2025 at 02:30:22AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7b4b9bf203da Add linux-next specific files for 20250107
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=17d02dc4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=63fa2c9d5e12faef
> dashboard link: https://syzkaller.appspot.com/bug?extid=799a2d4576c454ac2693
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10302dc4580000

This was fixed by a new version of commit e8f32ff00a66 ("mm: replace
vm_lock and detached flag with a reference count"), making this report
now obsolete.

#syz invalid