kernel BUG at drivers/android/binder_alloc.c:LINE! (4)

From: syzbot
Date: Tue Jun 18 2019 - 06:52:16 EST


Hello,

syzbot found the following crash on:

HEAD commit: 9e0babf2 Linux 5.2-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=159e6121a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d16883d6c7f0d717
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae18325f96190606754
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1119e431a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f028c9a00000

The bug was bisected to:

commit bde4a19fc04f5f46298c86b1acb7a4af1d5f138d
Author: Todd Kjos <tkjos@xxxxxxxxxxx>
Date: Fri Feb 8 18:35:20 2019 +0000

binder: use userspace pointer as base of buffer space

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=177250c9a00000
final crash: https://syzkaller.appspot.com/x/report.txt?x=14f250c9a00000
console output: https://syzkaller.appspot.com/x/log.txt?x=10f250c9a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3ae18325f96190606754@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space")

------------[ cut here ]------------
kernel BUG at drivers/android/binder_alloc.c:1130!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8920 Comm: syz-executor933 Not tainted 5.2.0-rc5 #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 drivers/android/binder_alloc.c:1130
Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf 9d 1c fc 4c 89 e6 4c 89 ef e8 d4 9e 1c fc 4d 39 e5 76 07 e8 aa 9d 1c fc <0f> 0b e8 a3 9d 1c fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1
RSP: 0018:ffff88808b91f4e0 EFLAGS: 00010293
RAX: ffff88809296c200 RBX: 0000000020001000 RCX: ffffffff855423cf
RDX: 0000000000000000 RSI: ffffffff855423b6 RDI: 0000000000000006
RBP: ffff88808b91f560 R08: ffff88809296c200 R09: 0000000000000008
R10: ffffed1011723f15 R11: ffff88808b91f8af R12: 0000000000000078
R13: 0000000000000008 R14: 00000000000000e8 R15: 0000000000000000
FS: 00005555556e5940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000008bd57000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
binder_alloc_copy_from_buffer+0x37/0x42 drivers/android/binder_alloc.c:1176
binder_validate_ptr+0xcc/0x1d0 drivers/android/binder.c:2124
binder_transaction+0x2c9c/0x6620 drivers/android/binder.c:3308
binder_thread_write+0x64a/0x2820 drivers/android/binder.c:3794
binder_ioctl_write_read drivers/android/binder.c:4827 [inline]
binder_ioctl+0x102f/0x1833 drivers/android/binder.c:5004
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x444a29
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcbcd0fc28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcbcd0fc30 RCX: 0000000000444a29
RDX: 0000000020000440 RSI: 00000000c0306201 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000401310
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402730
R13: 00000000004027c0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 3626e6aef2ad2274 ]---
RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 drivers/android/binder_alloc.c:1130
Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf 9d 1c fc 4c 89 e6 4c 89 ef e8 d4 9e 1c fc 4d 39 e5 76 07 e8 aa 9d 1c fc <0f> 0b e8 a3 9d 1c fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1
RSP: 0018:ffff88808b91f4e0 EFLAGS: 00010293
RAX: ffff88809296c200 RBX: 0000000020001000 RCX: ffffffff855423cf
RDX: 0000000000000000 RSI: ffffffff855423b6 RDI: 0000000000000006
RBP: ffff88808b91f560 R08: ffff88809296c200 R09: 0000000000000008
R10: ffffed1011723f15 R11: ffff88808b91f8af R12: 0000000000000078
R13: 0000000000000008 R14: 00000000000000e8 R15: 0000000000000000
FS: 00005555556e5940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000008bd57000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches