bisecting fixing commit since 9cb1fd0efd195590b828b9b865421ad345a4a145
building syzkaller on 8ca3b7d2bb7672b5608051fab4b825fdbbf2356a
testing commit 9cb1fd0efd195590b828b9b865421ad345a4a145 with gcc (GCC) 8.1.0
kernel signature: d6ca504501fba96e3d710ff2c32e5b13304e6f3d92a02ea5b93fa21e26696965
all runs: crashed: WARNING in binder_transaction_buffer_release
testing current HEAD 47ec5303d73ea344e84f46660fff693c57641386
testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0
kernel signature: f255f4aadd9b1641050078678332a8548ce36c2f81f725ccb71afc1179a9a804
all runs: OK
# git bisect start 47ec5303d73ea344e84f46660fff693c57641386 9cb1fd0efd195590b828b9b865421ad345a4a145
Bisecting: 13021 revisions left to test after this (roughly 14 steps)
[bc139119a1708ae3db1ebb379630f286e28d06e8] net: ethernet: ti: ale: fix allmulti for nu type ale
testing commit bc139119a1708ae3db1ebb379630f286e28d06e8 with gcc (GCC) 8.1.0
kernel signature: 18e35297c55160118651043939c180c5fde1e9bad61eca1b19c908ab8bbe103e
all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
# git bisect skip bc139119a1708ae3db1ebb379630f286e28d06e8
Bisecting: 13021 revisions left to test after this (roughly 14 steps)
[8930449628f7f66a0d368ff9eb92146f7f424431] Merge branch 'hinic-add-some-ethtool-ops-support'
testing commit 8930449628f7f66a0d368ff9eb92146f7f424431 with gcc (GCC) 8.1.0
kernel signature: c98c446fe69a0d8311dbafac25a35589ffe81974ab6b150d74fe5ffd9e9b88cd
all runs: crashed: WARNING in binder_transaction_buffer_release
# git bisect good 8930449628f7f66a0d368ff9eb92146f7f424431
Bisecting: 4896 revisions left to test after this (roughly 12 steps)
[4834ce9d8e074bb7ae197632e0708219b9f389b5] Merge tag 'linux-kselftest-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
testing commit 4834ce9d8e074bb7ae197632e0708219b9f389b5 with gcc (GCC) 8.1.0
kernel signature: ebed47a2640626e0219cc5abec0bd7e19b260c94a98fc1b25bba4591b72db3fc
all runs: crashed: WARNING in binder_transaction_buffer_release
# git bisect good 4834ce9d8e074bb7ae197632e0708219b9f389b5
Bisecting: 1972 revisions left to test after this (roughly 11 steps)
[8186749621ed6b8fc42644c399e8c755a2b6f630] Merge tag 'drm-next-2020-08-06' of git://anongit.freedesktop.org/drm/drm
testing commit 8186749621ed6b8fc42644c399e8c755a2b6f630 with gcc (GCC) 8.1.0
kernel signature: 770f91663bb27d1f2a81ba2910e77ab2d6963e3a63068994065aa035729761b7
all runs: OK
# git bisect bad 8186749621ed6b8fc42644c399e8c755a2b6f630
Bisecting: 1461 revisions left to test after this (roughly 11 steps)
[659fb5f154c3434c90a34586f3b7aa1c39cf6062] drm/nouveau: fix multiple instances of reference count leaks
testing commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 with gcc (GCC) 8.1.0
kernel signature: ff1157d1240774391d05d8ce3035f176631c5f1eb79c6ac924a3ce7206fa51bd
all runs: crashed: WARNING in binder_transaction_buffer_release
# git bisect good 659fb5f154c3434c90a34586f3b7aa1c39cf6062
Bisecting: 616 revisions left to test after this (roughly 10 steps)
[ecfd7940b8641da6e41ca94eba36876dc2ba827b] Merge tag 'usb-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit ecfd7940b8641da6e41ca94eba36876dc2ba827b with gcc (GCC) 8.1.0
kernel signature: 772bc0d4558379ef52405e7e8deffa7fcbba070f34f9bbb881d1fdcbe752f6b2
all runs: OK
# git bisect bad ecfd7940b8641da6e41ca94eba36876dc2ba827b
Bisecting: 379 revisions left to test after this (roughly 9 steps)
[1785d116124fc33f2c265243f3f59da3dc2a2576] Merge tag 'char-misc-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 1785d116124fc33f2c265243f3f59da3dc2a2576 with gcc (GCC) 8.1.0
kernel signature: 7142143e213c42013701777bb100ee15096d2b964e01749421c9c63a065b7fb0
all runs: OK
# git bisect bad 1785d116124fc33f2c265243f3f59da3dc2a2576
Bisecting: 225 revisions left to test after this (roughly 8 steps)
[1859a772e2744da8d4ddb987e010541e312adf69] Merge tag 'phy-for-5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy into char-misc-next
testing commit 1859a772e2744da8d4ddb987e010541e312adf69 with gcc (GCC) 8.1.0
kernel signature: 8f1c41ca94cffaa9df47dd21c024206eb64d657d42b44d1d3adfa4d584aee183
run #0: crashed: WARNING in binder_transaction_buffer_release
run #1: crashed: WARNING in binder_transaction_buffer_release
run #2: crashed: WARNING in binder_transaction_buffer_release
run #3: crashed: WARNING in binder_transaction_buffer_release
run #4: crashed: WARNING in binder_transaction_buffer_release
run #5: crashed: WARNING in binder_transaction_buffer_release
run #6: crashed: WARNING in binder_transaction_buffer_release
run #7: crashed: WARNING in binder_transaction_buffer_release
run #8: crashed: WARNING in binder_transaction_buffer_release
run #9: boot failed: can't ssh into the instance
# git bisect good 1859a772e2744da8d4ddb987e010541e312adf69
Bisecting: 112 revisions left to test after this (roughly 7 steps)
[64d452b3560b7a55277c8d9ef0a8635e62136580] nvme-loop: set ctrl state connecting after init
testing commit 64d452b3560b7a55277c8d9ef0a8635e62136580 with gcc (GCC) 8.1.0
kernel signature: 6830ca794fefe326c23218d10d08f4eae274be188b64562e333779698ba53328
all runs: crashed: WARNING in binder_transaction_buffer_release
# git bisect good 64d452b3560b7a55277c8d9ef0a8635e62136580
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[860e73b49cd933c708e3e1e1e07cdea81b6acd1c] Merge tag 'misc-habanalabs-next-2020-07-24' of git://people.freedesktop.org/~gabbayo/linux into char-misc-next
testing commit 860e73b49cd933c708e3e1e1e07cdea81b6acd1c with gcc (GCC) 8.1.0
kernel signature: 4d62479ef5162ee599c3d40bcda36d51663c2d87bcb0c76116b694a448e57247
all runs: crashed: WARNING in binder_transaction_buffer_release
# git bisect good 860e73b49cd933c708e3e1e1e07cdea81b6acd1c
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[b7194ba1e19fe029e7f6cc2db017a3001dc03086] nvmem: update Kconfig description
testing commit b7194ba1e19fe029e7f6cc2db017a3001dc03086 with gcc (GCC) 8.1.0
kernel signature: 02d7ce42ead086d685fcd7dbe7a68bec6acb3f8ac2ea65b71c2571206761e75b
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: boot failed: can't ssh into the instance
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad b7194ba1e19fe029e7f6cc2db017a3001dc03086
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[7e84522cd089c6ef3e6adc7f1c9a5b2f705ccd9b] drivers: android: Fix the SPDX comment style
testing commit 7e84522cd089c6ef3e6adc7f1c9a5b2f705ccd9b with gcc (GCC) 8.1.0
kernel signature: ffb3584896922e157531199e3e41f2bb7289cd28d85c547b36dc99eb532ee3ec
all runs: OK
# git bisect bad 7e84522cd089c6ef3e6adc7f1c9a5b2f705ccd9b
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[37b8b73f641cc151a58eef8b9a73dac2f273146e] greybus: Use fallthrough pseudo-keyword
testing commit 37b8b73f641cc151a58eef8b9a73dac2f273146e with gcc (GCC) 8.1.0
kernel signature: baaa3fbc15997ff3e301a6360c25d338450fc39cde764dc2a5cd29455452556d
all runs: crashed: WARNING in binder_transaction_buffer_release
# git bisect good 37b8b73f641cc151a58eef8b9a73dac2f273146e
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[72b93c79dbbe261371abb1bf3cf7302cfe31e8d9] drivers: android: Remove the use of else after return
testing commit 72b93c79dbbe261371abb1bf3cf7302cfe31e8d9 with gcc (GCC) 8.1.0
kernel signature: f3ec3767e61a7bdecf17954620cb36e5a884e55db38f1d9d3294e276a143a25b
all runs: OK
# git bisect bad 72b93c79dbbe261371abb1bf3cf7302cfe31e8d9
Bisecting: 1 revision left to test after this (roughly 1 step)
[4b836a1426cb0f1ef2a6e211d7e553221594f8fc] binder: Prevent context manager from incrementing ref 0
testing commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc with gcc (GCC) 8.1.0
kernel signature: 51f7a95664ff122971d9477c81cabadbc291e1bb251d77a58dec19e215255231
all runs: OK
# git bisect bad 4b836a1426cb0f1ef2a6e211d7e553221594f8fc
4b836a1426cb0f1ef2a6e211d7e553221594f8fc is the first bad commit
commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc
Author: Jann Horn
Date:   Mon Jul 27 14:04:24 2020 +0200

    binder: Prevent context manager from incrementing ref 0

    Binder is designed such that a binder_proc never has references to
    itself. If this rule is violated, memory corruption can occur when a
    process sends a transaction to itself; see e.g. .

    There is a remaining edge case through which such a transaction-to-self
    can still occur from the context of a task with BINDER_SET_CONTEXT_MGR
    access:

     - task A opens /dev/binder twice, creating binder_proc instances P1 and P2
     - P1 becomes context manager
     - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its
       handle table
     - P1 dies (by closing the /dev/binder fd and waiting a bit)
     - P2 becomes context manager
     - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its
       handle table
       [this triggers a warning: "binder: 1974:1974 tried to acquire
       reference to desc 0, got 1 instead"]
     - task B opens /dev/binder once, creating binder_proc instance P3
     - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way
       transaction)
     - P2 receives the handle and uses it to call P3 (two-way transaction)
     - P3 calls P2 (via magic handle 0) (two-way transaction)
     - P2 calls P2 (via handle 1) (two-way transaction)

    And then, if P2 does *NOT* accept the incoming transaction work, but
    instead closes the binder fd, we get a crash.

    Solve it by preventing the context manager from using ACQUIRE on ref 0.
    There shouldn't be any legitimate reason for the context manager to do
    that.

    Additionally, print a warning if someone manages to find another way to
    trigger a transaction-to-self bug in the future.

    Cc: stable@vger.kernel.org
    Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
    Acked-by: Todd Kjos
    Signed-off-by: Jann Horn
    Reviewed-by: Martijn Coenen
    Link: https://lore.kernel.org/r/20200727120424.1627555-1-jannh@google.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/android/binder.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

culprit signature: 51f7a95664ff122971d9477c81cabadbc291e1bb251d77a58dec19e215255231
parent signature: baaa3fbc15997ff3e301a6360c25d338450fc39cde764dc2a5cd29455452556d
revisions tested: 17, total time: 3h28m30.252653158s (build: 1h25m34.049283383s, test: 2h1m20.497990395s)
first good commit: 4b836a1426cb0f1ef2a6e211d7e553221594f8fc binder: Prevent context manager from incrementing ref 0
recipients (to): ["gregkh@linuxfoundation.org" "jannh@google.com" "maco@android.com" "tkjos@google.com"]
recipients (cc): []
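The log above is a fix-bisection, and it reads backwards from a normal `git bisect`: syzbot marks every revision on which the WARNING still reproduces as "good" and every revision that runs clean as "bad", so that git's "first bad commit" is the first commit on which the crash is gone (reported at the end as "first good commit"). It also skips a revision it cannot evaluate (the ext4 `smp_processor_id()` splat is an unrelated bug, not a verdict on the binder crash), and it takes a majority over ten boots rather than trusting a single run. The following script is an added example, not syzbot's or syzkaller's code, that drives `git bisect run` in the same inverted way on a constructed throwaway history; the repository, the two tracked files `binder.c` and `ext4.c`, the `CRASH` and `BUG` markers, and the `.git/FIX_SHA` bookkeeping file are all assumptions made for the example, and it needs only `git` on `PATH`.

```sh
#!/bin/sh
# Added example (not syzbot's code): a fix-bisection with inverted good/bad
# terms and an exit-125 skip, run on a constructed git history.
# Constructed assumptions: binder.c carries the marker CRASH until the fixing
# commit drops it; ext4.c carries BUG at one unrelated, untestable revision.
set -e

# Build c0..c14 on a linear history: the crash is present from c0, an
# unrelated breakage sits at c7, the fix lands at c11 and HEAD (c14) is clean.
# The fixing commit's sha is recorded in .git/FIX_SHA so the result can be
# checked against it afterwards.
make_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.name example
  git -C "$repo" config user.email example@example.invalid
  i=0
  while [ "$i" -le 14 ]; do
    if [ "$i" -lt 11 ]; then
      echo "binder v$i CRASH" > "$repo/binder.c"
    else
      echo "binder v$i" > "$repo/binder.c"
    fi
    if [ "$i" -eq 7 ]; then
      echo "ext4 v$i BUG" > "$repo/ext4.c"
    else
      echo "ext4 v$i" > "$repo/ext4.c"
    fi
    git -C "$repo" add binder.c ext4.c
    git -C "$repo" commit -q -m "c$i"
    if [ "$i" -eq 11 ]; then
      git -C "$repo" rev-parse HEAD > "$repo/.git/FIX_SHA"
    fi
    i=$((i + 1))
  done
  echo "$repo"
}

# The script `git bisect run` executes at every revision it checks out.  The
# exit codes are git's own, but their meaning is inverted because the target
# is the commit that makes the crash STOP:
#   125 -> this revision cannot be tested (unrelated breakage): skip it
#   0   -> "good": the crash still reproduces here
#   1   -> "bad":  the crash is gone here
write_check_script() {
  cat > "$1" <<'EOF'
#!/bin/sh
grep -q BUG ext4.c && exit 125
grep -q CRASH binder.c && exit 0
exit 1
EOF
}

# Start the bisection the way the log above does, `git bisect start <HEAD,
# clean, "bad"> <old crashing commit, "good">`, let git drive the check
# script, and print the first "bad" commit, i.e. the fixing commit.  The
# bisect session is left in place so its log can still be inspected.
bisect_fix() {
  repo=$1
  check=$(mktemp)
  write_check_script "$check"
  crashing_base=$(git -C "$repo" rev-list --max-parents=0 HEAD)
  git -C "$repo" bisect start HEAD "$crashing_base" > /dev/null
  git -C "$repo" bisect run sh "$check" > /dev/null
  rm -f "$check"
  git -C "$repo" rev-parse refs/bisect/bad
}

# How many revisions git skipped on exit 125 (syzbot's "basic kernel testing
# failed" case).  Read from the bisect log, so call it before `git bisect reset`.
skipped_revisions() {
  git -C "$1" bisect log | grep -c '^git bisect skip' || true
}

demo=$(make_repo)
echo "fixing commit (known):    $(cat "$demo/.git/FIX_SHA")"
echo "first bad per git bisect: $(bisect_fix "$demo")"
echo "revisions skipped:        $(skipped_revisions "$demo")"
```

Two things carry over to a real kernel bisection. Because the terms are inverted, the commit git reports as "first bad" is the fix, and it is only trustworthy if the verdict at each step really is about the crash under investigation: a build failure or an unrelated splat must return 125 (skip) rather than be counted as "no crash", which is exactly what the skip of bc139119a170 above protects against. And a verdict taken from a single boot is fragile for a crash that depends on timing or on the VM coming up at all, which is why the log records ten runs per revision and lets a lone "can't ssh into the instance" be outvoted.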