Re: WARNING in binder_send_failed_reply

2018-04-08 Thread Eric Biggers
On Tue, Dec 26, 2017 at 02:20:01PM -0800, syzbot wrote:
> syzkaller has found reproducer for the following crash on
> 0e08c463db387a2adcb0243b15ab868a73f87807
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
> 
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by:
> 
> It will help syzbot understand when the bug is fixed.
> 
> binder: undelivered TRANSACTION_COMPLETE
> binder: undelivered TRANSACTION_ERROR: 29189
> binder: send failed reply for transaction 844 to 4059:4061
> [ cut here ]
> Unexpected reply error: 29189
> WARNING: CPU: 0 PID: 1409 at drivers/android/binder.c:1998
> binder_send_failed_reply+0x13b/0x390 drivers/android/binder.c:1997
> Kernel panic - not syncing: panic_on_warn set ...
> 
> CPU: 0 PID: 1409 Comm: kworker/0:2 Not tainted 4.15.0-rc4-next-20171221+ #78
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: events binder_deferred_func
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>  panic+0x1e4/0x41c kernel/panic.c:183
>  __warn+0x1dc/0x200 kernel/panic.c:547
>  report_bug+0x211/0x2d0 lib/bug.c:184
>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1079
> RIP: 0010:binder_send_failed_reply+0x13b/0x390 drivers/android/binder.c:1997
> RSP: 0018:8801d3887128 EFLAGS: 00010286
> RAX: dc08 RBX: 8801c2fbce00 RCX: 8159f9ce
> RDX:  RSI: 11003a70c91d RDI: 0293
> RBP: 8801d3887150 R08: 11003a710db8 R09: 
> R10: 8801d3886fa0 R11:  R12: 8801bf73a840
> R13: 7205 R14: 7205 R15: 0fdb
>  binder_cleanup_transaction+0xd2/0x140 drivers/android/binder.c:2035
>  binder_release_work+0x340/0x490 drivers/android/binder.c:4198
>  binder_deferred_release drivers/android/binder.c:4951 [inline]
>  binder_deferred_func+0xe42/0x1340 drivers/android/binder.c:4996
>  process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2112
>  worker_thread+0x223/0x1990 kernel/workqueue.c:2246
>  kthread+0x33c/0x400 kernel/kthread.c:238
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
> 

syzbot is no longer hitting this because the WARN() was removed by commit
e46a3b3ba7509c:

#syz fix: ANDROID: binder: remove WARN() for redundant txn error

- Eric


Re: WARNING in binder_send_failed_reply

2017-12-01 Thread Dmitry Vyukov
On Fri, Dec 1, 2017 at 5:27 PM, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> b0a84f19a5161418d4360cd57603e94ed489915e
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> binder: undelivered TRANSACTION_ERROR: 29189
> binder: send failed reply for transaction 52 to 3164:3165
> binder: send failed reply for transaction 54 to 3164:3165
> [ cut here ]
> Unexpected reply error: 29189
> WARNING: CPU: 0 PID: 24 at drivers/android/binder.c:1924
> binder_send_failed_reply+0x13b/0x350 drivers/android/binder.c:1923
> binder: BINDER_SET_CONTEXT_MGR already set
> binder: 3172:3177 ioctl 40046207 0 returned -16
> binder_alloc: 3172: binder_alloc_buf, no vma
> binder: 3172:3180 transaction failed 29189/-3, size 0-0 line 2870