syzbot


kernel BUG at drivers/android/binder.c:LINE!

Status: public: reported syz repro on 2019/04/14 09:28
Reported-by: syzbot+91c2ac92fcaeb6745ca8@syzkaller.appspotmail.com
First crash: 2240d, last: 2118d

Sample crash report:
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 9 to 3815:3817
binder: 3818:3821 transaction failed 29189/-22, size 0-0 line 3004
------------[ cut here ]------------
binder: 3822:3823 ERROR: BC_REGISTER_LOOPER called without request
kernel BUG at drivers/android/binder.c:2006!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
binder: release 3822:3823 transaction 15 out, still active
binder: release 3822:3823 transaction 14 in, still active
binder: undelivered TRANSACTION_COMPLETE
Modules linked in:[   26.930348] binder: 3822:3824 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
binder: 3822:3824 got reply transaction with bad target transaction stack 0, expected 16
binder: 3822:3824 transaction failed 29201/-71, size 40-72 line 2956
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3825:3826 ioctl 40046207 0 returned -16
binder: 3825:3826 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3825:3827 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.9.86-gb324a70 #58
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3825:3828 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3829:3830 ioctl 40046207 0 returned -16
binder: 3829:3830 ERROR: BC_REGISTER_LOOPER called without request
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3829:3831 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
Workqueue: events binder_deferred_func[   27.059295] binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3829:3832 transaction failed 29189/-3, size 0-0 line 3127
task: ffff8801d9510000 task.stack: ffff8801d9518000
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3833:3834 ioctl 40046207 0 returned -16
binder: 3833:3834 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3833:3835 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
RIP: 0010:[<ffffffff82d565e5>]  [<ffffffff82d565e5>] binder_pop_transaction_ilocked+0x145/0x190 drivers/android/binder.c:2006
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3833:3836 transaction failed 29189/-3, size 0-0 line 3127
RSP: 0018:ffff8801d951fa80  EFLAGS: 00010293
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3837:3838 ioctl 40046207 0 returned -16
binder: 3837:3838 ERROR: BC_REGISTER_LOOPER called without request
RAX: ffff8801d9510000 RBX: ffff8801c20db680 RCX: ffffffff82d565e5
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3837:3839 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
RDX: 0000000000000000 RSI: ffff8801d44d1200 RDI: ffff8801c20db6c0
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3837:3840 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3841:3842 ioctl 40046207 0 returned -16
binder: 3841:3842 ERROR: BC_REGISTER_LOOPER called without request
RBP: ffff8801d951faa0 R08: 0000000000000001 R09: 0000000000000000
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3841:3843 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000000
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3841:3844 transaction failed 29189/-3, size 0-0 line 3127
R13: ffff8801d44d1200 R14: 0000000000007205 R15: 0000000000000ee7
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3845:3846 ioctl 40046207 0 returned -16
binder: 3845:3846 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3845:3847 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3845:3848 transaction failed 29189/-3, size 0-0 line 3127
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3849:3850 ioctl 40046207 0 returned -16
binder: 3849:3850 ERROR: BC_REGISTER_LOOPER called without request
CR2: 0000000008340008 CR3: 000000000441e000 CR4: 0000000000160670
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3849:3851 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3849:3852 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3853:3854 ioctl 40046207 0 returned -16
binder: 3853:3854 ERROR: BC_REGISTER_LOOPER called without request
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3853:3855 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
Stack:
 ffff8801d44d1200[   27.453298] binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3853:3856 transaction failed 29189/-3, size 0-0 line 3127
 ffff8801c20db680[   27.468855] binder: BINDER_SET_CONTEXT_MGR already set
binder: 3857:3858 ioctl 40046207 0 returned -16
binder: 3857:3858 ERROR: BC_REGISTER_LOOPER called without request
 0000000000000ee9 0000000000007205[   27.491172] binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3857:3859 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
 ffff8801d951fad8 ffffffff82d64839 ffff8801d44d1200 ffff8801c0ce7400
 0000000000007205[   27.518306] binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3857:3860 transaction failed 29189/-3, size 0-0 line 3127
 ffffffff83eaf4c0[   27.533767] binder: BINDER_SET_CONTEXT_MGR already set
binder: 3861:3862 ioctl 40046207 0 returned -16
binder: 3861:3862 ERROR: BC_REGISTER_LOOPER called without request
 ffffed003841b6d9[   27.556197] binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3861:3863 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
 ffff8801d951fb08[   27.578825] Call Trace:
 [<ffffffff82d64839>] binder_send_failed_reply+0xe9/0x3a0 drivers/android/binder.c:2142
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3861:3864 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3865:3866 ioctl 40046207 0 returned -16
binder: 3865:3866 ERROR: BC_REGISTER_LOOPER called without request
 [<ffffffff82d64bc2>] binder_cleanup_transaction+0xd2/0x140 drivers/android/binder.c:2188
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3865:3867 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
 [<ffffffff82d64de0>] binder_release_work+0x1b0/0x260 drivers/android/binder.c:4365
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3865:3868 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3869:3870 ioctl 40046207 0 returned -16
binder: 3869:3870 ERROR: BC_REGISTER_LOOPER called without request
 [<ffffffff82d652b8>] binder_thread_release+0x428/0x600 drivers/android/binder.c:4563
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3869:3871 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3869:3872 transaction failed 29189/-3, size 0-0 line 3127
 [<ffffffff82d658cf>] binder_deferred_release drivers/android/binder.c:5104 [inline]
 [<ffffffff82d658cf>] binder_deferred_func+0x43f/0xd10 drivers/android/binder.c:5176
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3873:3874 ioctl 40046207 0 returned -16
binder: 3873:3874 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3873:3875 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
 [<ffffffff811898a0>] process_one_work+0x7e0/0x1610 kernel/workqueue.c:2092
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3873:3876 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3877:3878 ioctl 40046207 0 returned -16
binder: 3877:3878 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3877:3879 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3877:3880 transaction failed 29189/-3, size 0-0 line 3127
 [<ffffffff8118a7b0>] worker_thread+0xe0/0x10d0 kernel/workqueue.c:2226
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3881:3882 ioctl 40046207 0 returned -16
binder: 3881:3882 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3881:3883 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
 [<ffffffff8119a7bd>] kthread+0x26d/0x300 kernel/kthread.c:211
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3881:3884 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3885:3886 ioctl 40046207 0 returned -16
binder: 3885:3886 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3885:3887 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3885:3888 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3889:3890 ioctl 40046207 0 returned -16
binder: 3889:3890 ERROR: BC_REGISTER_LOOPER called without request
 [<ffffffff838b57ac>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:374
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3889:3891 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
Code: df 80 3c 02 00 75 62 [   28.042279] binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3889:3892 transaction failed 29189/-3, size 0-0 line 3127
5b 49 c7 45 20 00 [   28.058347] binder: BINDER_SET_CONTEXT_MGR already set
binder: 3893:3894 ioctl 40046207 0 returned -16
binder: 3893:3894 ERROR: BC_REGISTER_LOOPER called without request
00 00 00 41 5c 41 [   28.080169] binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3893:3895 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
5d 41 5e 5d c3 e8 09 4e 61 fe 0f 0b e8 02 4e 61 fe 0f 0b e8 [   28.107300] binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3893:3896 transaction failed 29189/-3, size 0-0 line 3127
fb 4d 61 fe <0f> 0b [   28.123577] binder: BINDER_SET_CONTEXT_MGR already set
binder: 3897:3898 ioctl 40046207 0 returned -16
binder: 3897:3898 ERROR: BC_REGISTER_LOOPER called without request
e8 f4 4d 61 fe 0f 0b [   28.146194] binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3897:3899 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
e8 dd 80 7e fe e9 1c ff ff ff e8 f3 
RIP  [<ffffffff82d565e5>] binder_pop_transaction_ilocked+0x145/0x190 drivers/android/binder.c:2006
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3897:3900 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3901:3902 ioctl 40046207 0 returned -16
binder: 3901:3902 ERROR: BC_REGISTER_LOOPER called without request
 RSP <ffff8801d951fa80>
binder_alloc: 3822: binder_alloc_buf, no vma
binder: 3901:3903 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
---[ end trace b5562e39ac31520f ]---

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/03/06 12:32 https://android.googlesource.com/kernel/common android-4.9 b324a701539e aef0b792 .config console log report syz ci-android-49-kasan-gce-386
2018/07/07 02:25 https://android.googlesource.com/kernel/common android-4.9 03c70feafdb2 9636bc93 .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.