Re: [syzbot] [kernel?] kernel BUG in binder_inc_ref_for_node
From: Hillf Danton
Date: Sat Jul 13 2024 - 09:21:31 EST
On Sat, 13 Jul 2024 03:25:20 -0700
> syzbot found the following issue on:
>
> HEAD commit: 82d01fe6ee52 Add linux-next specific files for 20240709
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a4869e980000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 82d01fe6ee52
--- x/drivers/android/binder.c
+++ y/drivers/android/binder.c
@@ -1131,6 +1131,7 @@ static struct binder_ref *binder_get_ref
struct binder_ref *ref;
struct rb_node *parent;
struct rb_node **p;
+ struct rb_node **p0, *pa0;
u32 desc;
retry:
@@ -1147,6 +1148,8 @@ retry:
else
return ref;
}
+ p0 = p;
+ pa0 = parent;
if (!new_ref)
return NULL;
@@ -1158,11 +1161,10 @@ retry:
new_ref->data.debug_id = atomic_inc_return(&binder_last_id);
new_ref->proc = proc;
new_ref->node = node;
- rb_link_node(&new_ref->rb_node_node, parent, p);
- rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
new_ref->data.desc = desc;
p = &proc->refs_by_desc.rb_node;
+ parent = NULL;
while (*p) {
parent = *p;
ref = rb_entry(parent, struct binder_ref, rb_node_desc);
@@ -1172,11 +1174,14 @@ retry:
else if (new_ref->data.desc > ref->data.desc)
p = &(*p)->rb_right;
else
- BUG();
+ return ref;
}
rb_link_node(&new_ref->rb_node_desc, parent, p);
rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc);
+ rb_link_node(&new_ref->rb_node_node, pa0, p0);
+ rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
+
binder_node_lock(node);
hlist_add_head(&new_ref->node_entry, &node->refs);
--