ci starts bisection 2025-01-11 13:09:15.508583412 +0000 UTC m=+34589.524002383
bisecting fixing commit since 3e5e6c9900c3d71895e8bdeacfb579462e98eba1
building syzkaller on f00eed24f2a1332b07fef1a353a439133978d97b
ensuring issue is reproducible on original commit 3e5e6c9900c3d71895e8bdeacfb579462e98eba1

testing commit 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b52cba56f35b970c086f1551b357abef8e7c2423f2ff160c3b25020934440606
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 25679ac8ef00b0c9a527592a520d9876e991fc079b3321558ea3647ed5c280bb
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=4047 full=8193 leaves diff=2108
split chunks (needed=false): <2108>
split chunk #0 of len 2108 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 823ad7efb6de8b5a73f34d9cf6878f8d5c5c8009d05fe6ce200ba1e8dee83afa
all runs: OK
false negative chance: 0.000
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 148cb279b4ee8a9989bdcbe0db0d89046b128cd610663232bf8bc8803896fd74
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 939e88fd387b986a0e30a9a60fde94f9f8ea4ad83a9cf35d7cd531f2bc94f760
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: eaf99b8a289f5838667636a194f65b58352579ae3f757a57d8b962c8ff0a274f
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7794369289a9a873f7d9bde2e9c70bd00ec779f88bcdac709c668c5ae8752399
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
the chunk can be dropped
minimized to 422 configs
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD 77a903cd8e5a91d120ee014c8f8eae74d6c5d0f6
testing commit 77a903cd8e5a91d120ee014c8f8eae74d6c5d0f6 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5455bffdd3ff005310f1ba587f794eb19c3ba22fa6e78104ed3874ca611acaab
all runs: OK
false negative chance: 0.000
# git bisect start 77a903cd8e5a91d120ee014c8f8eae74d6c5d0f6 3e5e6c9900c3d71895e8bdeacfb579462e98eba1
Bisecting: 7686 revisions left to test after this (roughly 13 steps)
[071b34dcf71523a559b6c39f5d21a268a9531b50] Merge tag 'sound-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

determine whether the revision contains the guilty commit
revision 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 crashed and is reachable
testing commit 071b34dcf71523a559b6c39f5d21a268a9531b50 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c2cba5d17b889f04e3af084e4a4fffc3967ba346e73b92a80d4ddc9a2c74038a
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
# git bisect good 071b34dcf71523a559b6c39f5d21a268a9531b50
Bisecting: 3739 revisions left to test after this (roughly 12 steps)
[b50ecc5aca4d18f1f0c4942f5c797bc85edef144] Merge tag 'perf-tools-for-v6.13-2024-11-24' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools

determine whether the revision contains the guilty commit
revision 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 crashed and is reachable
testing commit b50ecc5aca4d18f1f0c4942f5c797bc85edef144 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a9d4d4bc24005080ec0a9bec7ea7d0329acd8d61be7c5cb9f701a4576ed82599
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
# git bisect good b50ecc5aca4d18f1f0c4942f5c797bc85edef144
Bisecting: 1886 revisions left to test after this (roughly 11 steps)
[0e287d31b62bb53ad81d5e59778384a40f8b6f56] Merge tag 'rtc-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux

determine whether the revision contains the guilty commit
revision 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 crashed and is reachable
testing commit 0e287d31b62bb53ad81d5e59778384a40f8b6f56 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 66c9679ac418cd0149d8d5966811c9cd9c96c2725a10474702d0400fab1a7406
all runs: OK
false negative chance: 0.000
# git bisect bad 0e287d31b62bb53ad81d5e59778384a40f8b6f56
Bisecting: 1012 revisions left to test after this (roughly 10 steps)
[e33a6d83e1786d5e310ae746c67f5f4e2f93ba35] Merge tag 'usb-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

determine whether the revision contains the guilty commit
revision 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 crashed and is reachable
testing commit e33a6d83e1786d5e310ae746c67f5f4e2f93ba35 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: be87e408219912c2901b3f8efa9246d201e2392bf5d96a1cb54982f39a1c2317
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
# git bisect good e33a6d83e1786d5e310ae746c67f5f4e2f93ba35
Bisecting: 594 revisions left to test after this (roughly 9 steps)
[5a6c35258d10a4966f45ee48ae24a7d4dad303ce] mei: vsc: Fix typo "maintstepping" -> "mainstepping"

determine whether the revision contains the guilty commit
revision 3e5e6c9900c3d71895e8bdeacfb579462e98eba1 crashed and is reachable
testing commit 5a6c35258d10a4966f45ee48ae24a7d4dad303ce gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 574d5b5dcbbbf5881ee942debc1eb3d985b3c4843b0077a589cc8ae804d7ebd4
all runs: OK
false negative chance: 0.000
# git bisect bad 5a6c35258d10a4966f45ee48ae24a7d4dad303ce
Bisecting: 208 revisions left to test after this (roughly 8 steps)
[1346e2566a7bb3dd0e51d7a1487a9215abb42d93] Documentation: iio: Document ad7606 driver

determine whether the revision contains the guilty commit
checking the merge base 42f7652d3eb527d03665b09edac47f85fb600924
no existing result, test the revision
testing commit 42f7652d3eb527d03665b09edac47f85fb600924 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 672c2c33f89e9222ee4de2a00bb6118693e6041adbfe9134d65181f108b952df
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
testing commit 1346e2566a7bb3dd0e51d7a1487a9215abb42d93 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 48f4f859903cdc5629ee0ff7e7267095bbff7bffc16e557375a699be00cac92e
all runs: OK
false negative chance: 0.000
# git bisect bad 1346e2566a7bb3dd0e51d7a1487a9215abb42d93
Bisecting: 104 revisions left to test after this (roughly 7 steps)
[0d8f584dfa983bff8bcf8bd8b9646a626716bea1] iio: adc: qcom-spmi-adc5: Tidy up adc5_get_fw_data() error messages

determine whether the revision contains the guilty commit
checking the merge base 9852d85ec9d492ebef56dc5f229416c925758edc
no existing result, test the revision
testing commit 9852d85ec9d492ebef56dc5f229416c925758edc gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 641640ce60c0cabf425cb2ddec18c3f6ade012e8c995e16ce3e5b58424fb74a0
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
testing commit 0d8f584dfa983bff8bcf8bd8b9646a626716bea1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5746e065d1839306d72ad237d9e4c588b0b2ed4b76e17655dffa4e1845db78f5
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
# git bisect good 0d8f584dfa983bff8bcf8bd8b9646a626716bea1
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[57573ace0c1b142433dfe3d63ebf375269c80fc1] iio: imu: bmi270: Remove duplicated include in bmi270_i2c.c

determine whether the revision contains the guilty commit
revision 0d8f584dfa983bff8bcf8bd8b9646a626716bea1 crashed and is reachable
testing commit 57573ace0c1b142433dfe3d63ebf375269c80fc1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d497764f6beae85bd38d6192d8469c9d1bcc97590aa4d0fdd9e589b3f5b92026
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
# git bisect good 57573ace0c1b142433dfe3d63ebf375269c80fc1
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[ca7b844b91920573835ad11daaa30630ce112fe1] misc: keba: Add battery device

determine whether the revision contains the guilty commit
revision 9852d85ec9d492ebef56dc5f229416c925758edc crashed and is reachable
testing commit ca7b844b91920573835ad11daaa30630ce112fe1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 90ee360dec8175823832488d01947c4dc574a349976e094fe7370125a110cbf0
all runs: OK
false negative chance: 0.000
# git bisect bad ca7b844b91920573835ad11daaa30630ce112fe1
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[830d7db744b42c693bf1db7e94db86d7efd91f0e] binder: fix BINDER_WORK_FROZEN_BINDER debug logs

determine whether the revision contains the guilty commit
revision 9852d85ec9d492ebef56dc5f229416c925758edc crashed and is reachable
testing commit 830d7db744b42c693bf1db7e94db86d7efd91f0e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8b6bcc19d9faf5aa52cdb07dc72735f018b722aaafeec0505715be1de0f1831a
all runs: OK
false negative chance: 0.000
# git bisect bad 830d7db744b42c693bf1db7e94db86d7efd91f0e
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[3c5d8b819d27012264edd17e6ae7fffda382fe44] misc: apds990x: Fix missing pm_runtime_disable()

determine whether the revision contains the guilty commit
revision 9852d85ec9d492ebef56dc5f229416c925758edc crashed and is reachable
testing commit 3c5d8b819d27012264edd17e6ae7fffda382fe44 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e468a110993c69b86054019236feca0b48ba2bbe744017234ae1e80118da07e2
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
# git bisect good 3c5d8b819d27012264edd17e6ae7fffda382fe44
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[3b0889f95789aa90b0f1a6921d5d6b151f2e53ae] rpmb: Remove some useless locking

determine whether the revision contains the guilty commit
revision 9852d85ec9d492ebef56dc5f229416c925758edc crashed and is reachable
testing commit 3b0889f95789aa90b0f1a6921d5d6b151f2e53ae gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4738d34050e9326fc715d8c0c69a1bcb1bca976307b14d12bac30db96b307990
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
# git bisect good 3b0889f95789aa90b0f1a6921d5d6b151f2e53ae
Bisecting: 1 revision left to test after this (roughly 1 step)
[011e69a1b23011c0db3af4b8293fdd4522cc97b0] binder: fix OOB in binder_add_freeze_work()

determine whether the revision contains the guilty commit
revision 9852d85ec9d492ebef56dc5f229416c925758edc crashed and is reachable
testing commit 011e69a1b23011c0db3af4b8293fdd4522cc97b0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8e2879351d96517893a3bb8f11d023ea4adfdac7734cdfdc38beb7b105d2632c
all runs: crashed: KASAN: slab-use-after-free Read in binder_release_work
representative crash: KASAN: slab-use-after-free Read in binder_release_work, types: [KASAN]
# git bisect good 011e69a1b23011c0db3af4b8293fdd4522cc97b0
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7e20434cbca814cb91a0a261ca0106815ef48e5f] binder: fix freeze UAF in binder_release_work()

determine whether the revision contains the guilty commit
revision 3b0889f95789aa90b0f1a6921d5d6b151f2e53ae crashed and is reachable
testing commit 7e20434cbca814cb91a0a261ca0106815ef48e5f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a562e4bb580f36e1a2f841e51d62e2ba505715f8764368946b621c4222fc4f30
all runs: OK
false negative chance: 0.000
# git bisect bad 7e20434cbca814cb91a0a261ca0106815ef48e5f
7e20434cbca814cb91a0a261ca0106815ef48e5f is the first bad commit
commit 7e20434cbca814cb91a0a261ca0106815ef48e5f
Author: Carlos Llamas <cmllamas@google.com>
Date:   Thu Sep 26 23:36:14 2024 +0000

    binder: fix freeze UAF in binder_release_work()
    
    When a binder reference is cleaned up, any freeze work queued in the
    associated process should also be removed. Otherwise, the reference is
    freed while its ref->freeze.work is still queued in proc->work leading
    to a use-after-free issue as shown by the following KASAN report:
    
      ==================================================================
      BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0
      Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211
    
      CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22
      Hardware name: linux,dummy-virt (DT)
      Workqueue: events binder_deferred_func
      Call trace:
       binder_release_work+0x398/0x3d0
       binder_deferred_func+0xb60/0x109c
       process_one_work+0x51c/0xbd4
       worker_thread+0x608/0xee8
    
      Allocated by task 703:
       __kmalloc_cache_noprof+0x130/0x280
       binder_thread_write+0xdb4/0x42a0
       binder_ioctl+0x18f0/0x25ac
       __arm64_sys_ioctl+0x124/0x190
       invoke_syscall+0x6c/0x254
    
      Freed by task 211:
       kfree+0xc4/0x230
       binder_deferred_func+0xae8/0x109c
       process_one_work+0x51c/0xbd4
       worker_thread+0x608/0xee8
      ==================================================================
    
    This commit fixes the issue by ensuring any queued freeze work is removed
    when cleaning up a binder reference.
    
    Fixes: d579b04a52a1 ("binder: frozen notification")
    Cc: stable@vger.kernel.org
    Acked-by: Todd Kjos <tkjos@android.com>
    Reviewed-by: Alice Ryhl <aliceryhl@google.com>
    Signed-off-by: Carlos Llamas <cmllamas@google.com>
    Link: https://lore.kernel.org/r/20240926233632.821189-4-cmllamas@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/android/binder.c | 6 ++++++
 1 file changed, 6 insertions(+)

accumulated error probability: 0.00
culprit signature: a562e4bb580f36e1a2f841e51d62e2ba505715f8764368946b621c4222fc4f30
parent  signature: 8e2879351d96517893a3bb8f11d023ea4adfdac7734cdfdc38beb7b105d2632c
revisions tested: 24, total time: 9h35m15.302088779s (build: 6h12m55.331088659s, test: 3h0m36.020114423s)
first good commit: 7e20434cbca814cb91a0a261ca0106815ef48e5f binder: fix freeze UAF in binder_release_work()
recipients (to): ["aliceryhl@google.com" "cmllamas@google.com" "gregkh@linuxfoundation.org" "tkjos@android.com"]
recipients (cc): []