From: Todd Kjos
To: tkjos@google.com, gregkh@linuxfoundation.org, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com
Cc: android-kernel-team@google.com, Todd Kjos
Subject: [PATCH] ANDROID: binder: remove WARN() for redundant txn error
Date: Wed, 7 Feb 2018 12:38:47 -0800
Message-Id: <20180207203847.228298-1-tkjos@google.com>

binder_send_failed_reply() is called when a synchronous
transaction fails. It reports an error to the thread that
is waiting for the completion. Given that the transaction
is synchronous, there should never be more than 1 error
response to that thread -- this was being asserted with
a WARN().

However, when exercising the driver with syzbot tests, cases
were observed where multiple "synchronous" requests were
sent without waiting for responses, so it is possible that
multiple errors would be reported to the thread. This testing
was conducted with panic_on_warn set which forced the crash.

This is easily reproduced by sending back-to-back
"synchronous" transactions without checking for any
response (eg, set read_size to 0):

    bwr.write_buffer = (uintptr_t)&bc1;
    bwr.write_size = sizeof(bc1);
    bwr.read_buffer = (uintptr_t)&br;
    bwr.read_size = 0;
    ioctl(fd, BINDER_WRITE_READ, &bwr);
    sleep(1);
    bwr2.write_buffer = (uintptr_t)&bc2;
    bwr2.write_size = sizeof(bc2);
    bwr2.read_buffer = (uintptr_t)&br;
    bwr2.read_size = 0;
    ioctl(fd, BINDER_WRITE_READ, &bwr2);
    sleep(1);

The first transaction is sent to the servicemanager and the reply
fails because no VMA is set up by this client. After
binder_send_failed_reply() is called, the BINDER_WORK_RETURN_ERROR
is sitting on the thread's todo list since the read_size was 0 and
the client is not waiting for a response.

The 2nd transaction is sent and the BINDER_WORK_RETURN_ERROR has not
been consumed, so the thread's reply_error.cmd is still set (normally
cleared when the BINDER_WORK_RETURN_ERROR is handled). Therefore
when the servicemanager attempts to reply to the 2nd failed
transaction, the error is already set and it triggers this warning.

This is a user error since it is not waiting for the synchronous
transaction to complete. If it ever does check, it will see an
error.

Changed the WARN() to a pr_warn().

Signed-off-by: Todd Kjos
Reported-by: syzbot

--- drivers/android/binder.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index a7ecfde66b7b..37289683939c 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -1933,8 +1933,14 @@ static void binder_send_failed_reply(struct binder_transaction *t, &target_thread->todo); wake_up_interruptible(&target_thread->wait); } else { - WARN(1, "Unexpected reply error: %u\n", - target_thread->reply_error.cmd); + /* + * Cannot get here for normal operation, but + * we can if multiple synchronous transactions + * are sent without blocking for responses. + * Just ignore the 2nd error in this case. + */ + pr_warn("Unexpected reply error: %u\n", + target_thread->reply_error.cmd); } binder_inner_proc_unlock(target_thread->proc); binder_thread_dec_tmpref(target_thread); -- 2.16.0.rc1.238.g530d649a79-goog
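
Review bot: The pr_warn() in the else branch of binder_send_failed_reply() can be triggered from user space on demand, since the commit message describes this path as a user error that is easily reproduced with back-to-back transactions, so a misbehaving client can fill the kernel log with it. Consider a rate-limited call such as pr_warn_ratelimited("Unexpected reply error: %u\n", target_thread->reply_error.cmd) instead. The message text also still says "Unexpected" although the new comment documents exactly when this happens, and the value printed is the pending reply_error.cmd left over from the earlier failure rather than the error being ignored; rewording the message and logging the discarded error as well would make the line more useful when debugging a client.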