kernel BUG in binder_alloc_deferred_release

From: Hui Guo
Date: Sat Oct 12 2024 - 22:03:42 EST


Hi Kernel Maintainers,
We found a crash, "kernel BUG in binder_alloc_deferred_release" (it seems to be a bug in
drivers/android/binder_alloc.c), in upstream.
This bug seems to have been triggered before and fixed, but it can
still be triggered now.


HEAD Commit: 9852d85ec9d492ebef56dc5f229416c925758edc (tag 'v6.12-rc1')
kernel config: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/6.12.config

console output: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/ff31cdc13bb8c6774ccf08dc80809804c2afca4d/log0
repro report: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/ff31cdc13bb8c6774ccf08dc80809804c2afca4d/repro.report
syz reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/ff31cdc13bb8c6774ccf08dc80809804c2afca4d/repro.prog
c reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/ff31cdc13bb8c6774ccf08dc80809804c2afca4d/repro.cprog


Please let me know if there is anything I can help with.
Best,
Hui Guo

This is the crash log I got by reproducing the bug based on the above
environment. I have piped this log through decode_stacktrace.sh to
better understand the cause of the bug.
================================================================================
2024/10/13 01:47:52 parsed 1 programs
root@syzkaller:~# ./syz-execprog /data/ghui/docker_data/workdir/upstream/ghui_syzkaller_upstream_linux_v6.11_3_upstream/crashes/ff31cdc13bb8c6774ccf08dc80809804c2afca4d/repro.pg
[ 192.759218][ T1331] ieee802154 phy0 wpan0: encryption failed: -22
[ 192.760941][ T1331] ieee802154 phy1 wpan1: encryption failed: -22
[ 193.852410][T10982] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 194.963864][ T8462] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 194.964921][ T8462] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 194.966160][ T8462] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 194.967171][ T8462] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 194.968160][ T8462] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 194.969268][ T8462] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 195.032829][ T64] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 195.033922][ T64] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 195.035791][ T58] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 195.036719][T11007] chnl_net:caif_netlink_parms(): no params data found
[ 195.036895][ T58] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 195.054761][T11007] bridge0: port 1(bridge_slave_0) entered blocking state
[ 195.055659][T11007] bridge0: port 1(bridge_slave_0) entered disabled state
[ 195.056539][T11007] bridge_slave_0: entered allmulticast mode
[ 195.057395][T11007] bridge_slave_0: entered promiscuous mode
[ 195.058310][T11007] bridge0: port 2(bridge_slave_1) entered blocking state
[ 195.059247][T11007] bridge0: port 2(bridge_slave_1) entered disabled state
[ 195.060148][T11007] bridge_slave_1: entered allmulticast mode
[ 195.061150][T11007] bridge_slave_1: entered promiscuous mode
[ 195.067586][T11007] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 195.069248][T11007] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 195.075434][T11007] team0: Port device team_slave_0 added
[ 195.076398][T11007] team0: Port device team_slave_1 added
[ 195.081710][T11007] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 195.082631][T11007] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this inter.
[ 195.085913][T11007] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 195.087436][T11007] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 195.088343][T11007] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this inter.
[ 195.091832][T11007] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 195.099719][T11007] hsr_slave_0: entered promiscuous mode
[ 195.100699][T11007] hsr_slave_1: entered promiscuous mode
[ 195.123720][T11007] netdevsim netdevsim5 netdevsim0: renamed from eth0
[ 195.125065][T11007] netdevsim netdevsim5 netdevsim1: renamed from eth1
[ 195.126308][T11007] netdevsim netdevsim5 netdevsim2: renamed from eth2
[ 195.127564][T11007] netdevsim netdevsim5 netdevsim3: renamed from eth3
[ 195.133923][T11007] bridge0: port 2(bridge_slave_1) entered blocking state
[ 195.134876][T11007] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 195.135840][T11007] bridge0: port 1(bridge_slave_0) entered blocking state
[ 195.136762][T11007] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 195.143016][T11007] 8021q: adding VLAN 0 to HW filter on device bond0
[ 195.145225][ T120] bridge0: port 1(bridge_slave_0) entered disabled state
[ 195.146438][ T120] bridge0: port 2(bridge_slave_1) entered disabled state
[ 195.149103][T11007] 8021q: adding VLAN 0 to HW filter on device team0
[ 195.151119][ T2565] bridge0: port 1(bridge_slave_0) entered blocking state
[ 195.152048][ T2565] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 195.153737][ T2565] bridge0: port 2(bridge_slave_1) entered blocking state
[ 195.154627][ T2565] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 195.174758][T11007] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 195.196944][T11007] veth0_vlan: entered promiscuous mode
[ 195.198374][T11007] veth1_vlan: entered promiscuous mode
[ 195.201965][T11007] veth0_macvtap: entered promiscuous mode
[ 195.203128][T11007] veth1_macvtap: entered promiscuous mode
[ 195.205343][T11007] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 195.207346][T11007] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 195.208989][T11007] netdevsim netdevsim5 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 195.210145][T11007] netdevsim netdevsim5 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 195.211297][T11007] netdevsim netdevsim5 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 195.212454][T11007] netdevsim netdevsim5 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
2024/10/13 01:47:57 executed programs: 0
[ 195.296225][ T8462] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 195.297345][ T8462] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 195.298341][ T8462] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 195.299689][ T8462] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 195.300884][ T8462] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 195.301922][ T8462] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 195.324278][T12398] chnl_net:caif_netlink_parms(): no params data found
[ 195.346760][T12398] bridge0: port 1(bridge_slave_0) entered blocking state
[ 195.348487][T12398] bridge0: port 1(bridge_slave_0) entered disabled state
[ 195.350195][T12398] bridge_slave_0: entered allmulticast mode
[ 195.351707][T12398] bridge_slave_0: entered promiscuous mode
[ 195.353382][T12398] bridge0: port 2(bridge_slave_1) entered blocking state
[ 195.354876][T12398] bridge0: port 2(bridge_slave_1) entered disabled state
[ 195.356344][T12398] bridge_slave_1: entered allmulticast mode
[ 195.357846][T12398] bridge_slave_1: entered promiscuous mode
[ 195.365927][T12398] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 195.368413][T12398] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 195.375016][T12398] team0: Port device team_slave_0 added
[ 195.375945][T12398] team0: Port device team_slave_1 added
[ 195.380224][T12398] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 195.381137][T12398] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this inter.
[ 195.384351][T12398] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 195.385766][T12398] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 195.386648][T12398] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this inter.
[ 195.389878][T12398] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 195.395573][T12398] hsr_slave_0: entered promiscuous mode
[ 195.396340][T12398] hsr_slave_1: entered promiscuous mode
[ 195.397057][T12398] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 195.397905][T12398] Cannot create hsr debugfs directory
[ 196.052170][T12398] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 196.053474][T12398] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 196.054690][T12398] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 196.055933][T12398] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 196.068366][T12398] 8021q: adding VLAN 0 to HW filter on device bond0
[ 196.070649][T12398] 8021q: adding VLAN 0 to HW filter on device team0
[ 196.072163][ T120] bridge0: port 1(bridge_slave_0) entered blocking state
[ 196.073063][ T120] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 196.074915][T13028] bridge0: port 2(bridge_slave_1) entered blocking state
[ 196.075858][T13028] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 196.096752][T12398] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 196.102091][T12398] veth0_vlan: entered promiscuous mode
[ 196.103529][T12398] veth1_vlan: entered promiscuous mode
[ 196.106919][T12398] veth0_macvtap: entered promiscuous mode
[ 196.108089][T12398] veth1_macvtap: entered promiscuous mode
[ 196.110056][T12398] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 196.111378][T12398] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 196.112809][T12398] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 196.114725][T12398] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 196.116099][T12398] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 196.117515][T12398] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 196.119427][T12398] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 196.120550][T12398] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 196.121647][T12398] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 196.122751][T12398] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 196.199683][ T120] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 196.200795][ T120] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 196.204740][ T2565] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 196.206663][ T2565] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 196.213519][T13446] FAULT_INJECTION: forcing a failure.
[ 196.213519][T13446] name fail_usercopy, interval 1, probability 0, space 0, times 0
[ 196.215262][T13446] CPU: 1 UID: 0 PID: 13446 Comm: syz.0.15 Not tainted 6.12.0-rc1 #5
[ 196.216313][T13446] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 196.217531][T13446] Call Trace:
[ 196.217975][T13446] <TASK>
[196.218375][T13446] dump_stack_lvl (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/dump_stack.c:123)
[196.218998][T13446] dump_stack (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/dump_stack.c:130)
[196.219556][T13446] should_fail_ex (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/fault-inject.c:53 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/fault-inject.c:154)
[196.220201][T13446] should_fail (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/fault-inject.c:165)
[196.220761][T13446] should_fail_usercopy (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/fault-inject-usercopy.c:38)
[196.221429][T13446] _copy_to_user (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./include/linux/uaccess.h:184 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/usercopy.c:26)
[196.222024][T13446] simple_read_from_buffer (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/libfs.c:1125)
[196.222749][T13446] proc_fail_nth_read (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/proc/base.c:1481)
[196.223431][T13446] ? rw_verify_area (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/read_write.c:475)
[196.224072][T13446] vfs_read (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/read_write.c:567)
[196.224639][T13446] ? __pfx_proc_fail_nth_read (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/proc/base.c:1471)
[196.225399][T13446] ? __sanitizer_cov_trace_const_cmp1 (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/kcov.c:302)
[196.226251][T13446] ? fput (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/file_table.c:503)
[196.226786][T13446] ? fdget_pos (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/file.c:1190)
[196.227380][T13446] ksys_read (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/read_write.c:713)
[196.227954][T13446] __x64_sys_read (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/read_write.c:720)
[196.228558][T13446] x64_sys_call (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/syscall_64.c:36)
[196.229192][T13446] do_syscall_64 (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/common.c:52 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/common.c:83)
[196.229788][T13446] entry_SYSCALL_64_after_hwframe (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/entry_64.S:130)
[ 196.230584][T13446] RIP: 0033:0x7f491599b02c
[ 196.231175][T13446] Code: ec 28 48 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 03 03 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 31 c0 0f 05 <48> 3d 00 f0 ff ff 78
All code
========
0: ec in (%dx),%al
1: 28 48 89 sub %cl,-0x77(%rax)
4: 54 push %rsp
5: 24 18 and $0x18,%al
7: 48 89 74 24 10 mov %rsi,0x10(%rsp)
c: 89 7c 24 08 mov %edi,0x8(%rsp)
10: e8 39 03 03 00 call 0x3034e
15: 48 8b 54 24 18 mov 0x18(%rsp),%rdx
1a: 48 8b 74 24 10 mov 0x10(%rsp),%rsi
1f: 41 89 c0 mov %eax,%r8d
22: 8b 7c 24 08 mov 0x8(%rsp),%edi
26: 31 c0 xor %eax,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 78 .byte 0x78

Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 78 .byte 0x78
[ 196.233702][T13446] RSP: 002b:00007f491683af90 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 196.234802][T13446] RAX: ffffffffffffffda RBX: 00007f4915b65f80 RCX: 00007f491599b02c
[ 196.235850][T13446] RDX: 000000000000000f RSI: 00007f491683b020 RDI: 0000000000000004
[ 196.236895][T13446] RBP: 00007f491683b010 R08: 0000000000000000 R09: 0000000000000000
[ 196.237927][T13446] R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000000002
[ 196.238973][T13446] R13: 0000000000000000 R14: 00007f4915b65f80 R15: 00007f491681b000
[ 196.240020][T13446] </TASK>