bisecting cause commit starting from 1a9df9e29c2afecf6e3089442d429b377279ca3c building syzkaller on f94f56fe6b1c892eb8cddc28e24e0290c68de003 testing commit 1a9df9e29c2afecf6e3089442d429b377279ca3c with gcc (GCC) 8.1.0 all runs: crashed: kernel BUG at drivers/android/binder_alloc.c:LINE! testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 1a9df9e29c2afecf6e3089442d429b377279ca3c v5.0 Bisecting: 6315 revisions left to test after this (roughly 13 steps) [67e79a6dc2664a3ef85113440e60f7aaca3c7815] Merge tag 'tty-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty testing commit 67e79a6dc2664a3ef85113440e60f7aaca3c7815 with gcc (GCC) 8.1.0 all runs: crashed: kernel BUG at drivers/android/binder_alloc.c:LINE! # git bisect bad 67e79a6dc2664a3ef85113440e60f7aaca3c7815 Bisecting: 3111 revisions left to test after this (roughly 12 steps) [eac616557050737a8d6ef6fe0322d0980ff0ffde] x86: Deprecate a.out support testing commit eac616557050737a8d6ef6fe0322d0980ff0ffde with gcc (GCC) 8.1.0 all runs: OK # git bisect good eac616557050737a8d6ef6fe0322d0980ff0ffde Bisecting: 1570 revisions left to test after this (roughly 11 steps) [64b1b217f1a20f15dbedf47e49a25a0b5ee3d53b] Merge tag 'armsoc-newsoc' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 64b1b217f1a20f15dbedf47e49a25a0b5ee3d53b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 64b1b217f1a20f15dbedf47e49a25a0b5ee3d53b Bisecting: 719 revisions left to test after this (roughly 10 steps) [da2577fe63f865cd9dc785a42c29c0071f567a35] Merge tag 'sound-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit da2577fe63f865cd9dc785a42c29c0071f567a35 with gcc (GCC) 8.1.0 all runs: OK # git bisect good da2577fe63f865cd9dc785a42c29c0071f567a35 Bisecting: 373 revisions left to test after this (roughly 9 steps) [1f08c4a54b7cb62ed6450808c37d06c907f1a2dd] staging: mt7621-dma: remove license boilerplate text testing commit 1f08c4a54b7cb62ed6450808c37d06c907f1a2dd with gcc (GCC) 8.1.0 all runs: OK # git bisect good 1f08c4a54b7cb62ed6450808c37d06c907f1a2dd Bisecting: 192 revisions left to test after this (roughly 8 steps) [b39e557b7762498c7038ccd49dbdee88b2d00043] misc/habanalabs: adjust Kconfig to fix build errors testing commit b39e557b7762498c7038ccd49dbdee88b2d00043 with gcc (GCC) 8.1.0 all runs: crashed: kernel BUG at drivers/android/binder_alloc.c:LINE! # git bisect bad b39e557b7762498c7038ccd49dbdee88b2d00043 Bisecting: 90 revisions left to test after this (roughly 7 steps) [c2bc02f8828d2efef2852249ce61acb8967d4f4a] coresight: Use of_node_name_eq for node name comparisons testing commit c2bc02f8828d2efef2852249ce61acb8967d4f4a with gcc (GCC) 8.1.0 all runs: OK # git bisect good c2bc02f8828d2efef2852249ce61acb8967d4f4a Bisecting: 45 revisions left to test after this (roughly 6 steps) [3013bf62b67aef921bc2e9ba10e639a022002d02] binder: reduce mmap_sem write-side lock testing commit 3013bf62b67aef921bc2e9ba10e639a022002d02 with gcc (GCC) 8.1.0 all runs: crashed: kernel BUG at drivers/android/binder_alloc.c:LINE! # git bisect bad 3013bf62b67aef921bc2e9ba10e639a022002d02 Bisecting: 22 revisions left to test after this (roughly 5 steps) [bde4a19fc04f5f46298c86b1acb7a4af1d5f138d] binder: use userspace pointer as base of buffer space testing commit bde4a19fc04f5f46298c86b1acb7a4af1d5f138d with gcc (GCC) 8.1.0 all runs: crashed: kernel BUG at drivers/android/binder_alloc.c:LINE! # git bisect bad bde4a19fc04f5f46298c86b1acb7a4af1d5f138d Bisecting: 10 revisions left to test after this (roughly 4 steps) [36e738bdab536c0bdfa16e999fa66a3b9b776e5d] misc: dt-bindings: Add Qualcomm Fastrpc bindings testing commit 36e738bdab536c0bdfa16e999fa66a3b9b776e5d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 36e738bdab536c0bdfa16e999fa66a3b9b776e5d Bisecting: 5 revisions left to test after this (roughly 3 steps) [1a7c3d9bb7a926e88d5f57643e75ad1abfc55013] binder: create userspace-to-binder-buffer copy function testing commit 1a7c3d9bb7a926e88d5f57643e75ad1abfc55013 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in batadv_mcast_mla_tt_retract run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 1a7c3d9bb7a926e88d5f57643e75ad1abfc55013 Bisecting: 2 revisions left to test after this (roughly 1 step) [c68cfb718c8f97b7f7a50ed66be5feb42d0c8988] misc: fastrpc: Add support for context Invoke method testing commit c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 with gcc (GCC) 8.1.0 all runs: basic kernel testing failed: timed out # git bisect skip c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 Bisecting: 2 revisions left to test after this (roughly 1 step) [d73f71c7c6ee1583c08c214c8f7b20d841490b36] misc: fastrpc: Add support for create remote init process testing commit d73f71c7c6ee1583c08c214c8f7b20d841490b36 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: basic kernel testing failed: timed out run #4: basic kernel testing failed: timed out run #5: basic kernel testing failed: timed out run #6: basic kernel testing failed: timed out run #7: basic kernel testing failed: timed out run #8: basic kernel testing failed: timed out run #9: OK # git bisect skip d73f71c7c6ee1583c08c214c8f7b20d841490b36 Bisecting: 2 revisions left to test after this (roughly 1 step) [6cffd79504ce040f460831030d3069fa1c99bb71] misc: fastrpc: Add support for dmabuf exporter testing commit 6cffd79504ce040f460831030d3069fa1c99bb71 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6cffd79504ce040f460831030d3069fa1c99bb71 1a7c3d9bb7a926e88d5f57643e75ad1abfc55013 is the first bad commit commit 1a7c3d9bb7a926e88d5f57643e75ad1abfc55013 Author: Todd Kjos Date: Fri Feb 8 10:35:14 2019 -0800 binder: create userspace-to-binder-buffer copy function The binder driver uses a vm_area to map the per-process binder buffer space. For 32-bit android devices, this is now taking too much vmalloc space. This patch removes the use of vm_area when copying the transaction data from the sender to the buffer space. Instead of using copy_from_user() for multi-page copies, it now uses binder_alloc_copy_user_to_buffer() which uses kmap() and kunmap() to map each page, and uses copy_from_user() for copying to that page. Signed-off-by: Todd Kjos Signed-off-by: Greg Kroah-Hartman :040000 040000 623cd82aa1cef8a8b24c096ca0dc8056ca06b4f8 8ca6889b7019c500c248731f8664ded5e5ba50cc M drivers revisions tested: 16, total time: 4h12m50.893910508s (build: 1h39m10.951231596s, test: 2h27m1.979950273s) first bad commit: 1a7c3d9bb7a926e88d5f57643e75ad1abfc55013 binder: create userspace-to-binder-buffer copy function cc: ["arve@android.com" "christian@brauner.io" "devel@driverdev.osuosl.org" "gregkh@linuxfoundation.org" "joel@joelfernandes.org" "linux-kernel@vger.kernel.org" "maco@android.com" "tkjos@android.com" "tkjos@google.com"] crash: WARNING in batadv_mcast_mla_tt_retract team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves WARNING: CPU: 0 PID: 7 at net/batman-adv/multicast.c:337 batadv_mcast_mla_tt_retract+0x312/0x520 net/batman-adv/multicast.c:353 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.0.0-rc6+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_mcast_mla_update Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 panic+0x212/0x41d kernel/panic.c:214 __warn.cold.8+0x1b/0x36 kernel/panic.c:571 report_bug+0x1a4/0x200 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973 RIP: 0010:batadv_mcast_mla_tt_retract+0x312/0x520 net/batman-adv/multicast.c:337 Code: e8 43 6a 25 fb 48 85 db 49 89 dc 0f 85 a8 fd ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 49 8d 74 24 10 e9 17 ff ff ff <0f> 0b e9 34 fd ff ff 48 89 75 b0 44 89 55 b8 44 89 45 c0 48 89 45 RSP: 0018:ffff8880a988fac8 EFLAGS: 00010202 RAX: 0000000000000121 RBX: ffff8880a988fd30 RCX: 1ffff1101530ed46 RDX: 1ffff11010cd5c94 RSI: ffff8880a988fc30 RDI: ffff8880866ae4a0 RBP: ffff8880a988fb20 R08: ffff8880a988fc70 R09: 0000000000000003 R10: ffffed1015d45bcf R11: ffff8880aea2de7b R12: ffff8880866ae4a0 R13: ffff8880a988fc30 R14: 0000000000000000 R15: ffff8880a988fc70 __batadv_mcast_mla_update net/batman-adv/multicast.c:635 [inline] batadv_mcast_mla_update+0x456/0x2110 net/batman-adv/multicast.c:661 process_one_work+0x835/0x16b0 kernel/workqueue.c:2173 worker_thread+0x85/0xb60 kernel/workqueue.c:2319 kthread+0x327/0x3f0 kernel/kthread.c:246 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 Kernel Offset: disabled Rebooting in 86400 seconds..