Re: [syzbot] [kernel?] KASAN: slab-use-after-free Write in binder_remove_device

From: Carlos Llamas
Date: Sat May 24 2025 - 13:41:10 EST


On Sat, May 24, 2025 at 05:07:27AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 176e917e010c Add linux-next specific files for 20250523
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1399a170580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e7902c752bef748
> dashboard link: https://syzkaller.appspot.com/bug?extid=4af454407ec393de51d6
> compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=108b55f4580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1145e5f4580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/5f7692c642fa/disk-176e917e.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/057a442d42d0/vmlinux-176e917e.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/8f8ebdb4dd96/bzImage-176e917e.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+4af454407ec393de51d6@xxxxxxxxxxxxxxxxxxxxxxxxx
>

Oh, I know what is happening here. I believe these would be the steps:

1. There are multiple devices in binder_devices.
2. 'binder_proc' of device X dies but its release is deferred.
3. binderfs is unmounted, decrements device X and waits.
4. 'binder_proc' is released, kfree's the device without removing it
from the binder_devices list first. Leaves dangling pointers.
5. umount continues, releases next devices but list is corrupted.

This should fix the problem...

#syz test

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 8d9c5f436fca..6be0f7ac7213 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5246,6 +5246,7 @@ static void binder_free_proc(struct binder_proc *proc)
__func__, proc->outstanding_txns);
device = container_of(proc->context, struct binder_device, context);
if (refcount_dec_and_test(&device->ref)) {
+ binder_remove_device(device);
kfree(proc->context->name);
kfree(device);
}
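Review bot: the new binder_remove_device(device) call on the first line of the refcount_dec_and_test() branch gets the order right (unlink before the two kfree() calls), but the hunk says nothing about which lock serializes the binder_devices list against the umount walk described in step 5; if binder_remove_device() takes it internally, a one-line comment above the call saying the device must leave the list before it is freed would record why this line exists, and if it expects the caller to hold it, binder_free_proc() needs to take it here. For the final submission, the commit message should also spell out that this branch runs from a deferred binder_proc release (the window the report describes) and carry the Reported-by: line syzbot asked for.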
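To make the five-step scenario above concrete, here is an added user-space model of the bug and of the fix. It is not the kernel's code and not part of the original message: struct model_device, model_devices, model_kfree() and run_scenario() are hypothetical stand-ins for binder_device, binder_devices, kfree() and the umount/proc-release interplay, and the 'freed' flag is a quarantine marker the model uses so the dangling list entry can be counted instead of dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal doubly linked list in the style of the kernel's list_head. */
struct list_node { struct list_node *prev, *next; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct list_node *h) { h->prev = h->next = h; }

static void list_add_tail(struct list_node *n, struct list_node *h)
{
	n->prev = h->prev;
	n->next = h;
	h->prev->next = n;
	h->prev = n;
}

static void list_del(struct list_node *n)
{
	n->prev->next = n->next;
	n->next->prev = n->prev;
	n->prev = n->next = NULL;
}

/* Hypothetical stand-in for struct binder_device: refcounted and linked into
 * a global device list. 'freed' does not exist in the kernel; it is the
 * model's quarantine marker set by model_kfree(). */
struct model_device {
	struct list_node node;
	int ref;             /* stands in for refcount_t ref */
	bool freed;
};

static struct list_node model_devices;   /* stands in for binder_devices */

/* Quarantining kfree(): mark the object dead instead of returning its memory,
 * so a dangling list entry is detected deterministically rather than by crash. */
static void model_kfree(struct model_device *d) { d->freed = true; }

static struct model_device *model_device_create(void)
{
	struct model_device *d = calloc(1, sizeof(*d));
	d->ref = 1;          /* the binderfs inode holds the first reference */
	list_add_tail(&d->node, &model_devices);
	return d;
}

/* Unpatched put path: the last reference frees the device but leaves it on the list. */
static void model_device_put_buggy(struct model_device *d)
{
	if (--d->ref == 0)
		model_kfree(d);
}

/* Patched put path: unlink first, then free, mirroring the binder_remove_device()
 * call added ahead of kfree() in binder_free_proc(). */
static void model_device_put_fixed(struct model_device *d)
{
	if (--d->ref == 0) {
		list_del(&d->node);
		model_kfree(d);
	}
}

/* Count list entries that point at quarantined devices: exactly the pointers
 * the umount walk in step 5 would dereference. */
static int dangling_entries(void)
{
	int n = 0;
	for (struct list_node *p = model_devices.next; p != &model_devices; p = p->next)
		if (container_of(p, struct model_device, node)->freed)
			n++;
	return n;
}

/* Replay steps 1-5 with the given put path; return how many freed devices are
 * still reachable from the list (0 means the list is intact). */
static int run_scenario(void (*put)(struct model_device *))
{
	list_init(&model_devices);
	struct model_device *x = model_device_create();   /* step 1: two devices */
	struct model_device *y = model_device_create();
	x->ref++;            /* step 2: a binder_proc on X is alive, its release deferred */
	put(x);              /* step 3: umount drops the binderfs ref, does not reach zero */
	put(x);              /* step 4: deferred binder_proc release drops the last ref */
	int dangling = dangling_entries();   /* step 5: umount walks the list */
	free(x);
	free(y);
	return dangling;
}

int main(void)
{
	printf("unpatched put path: %d dangling list entries\n",
	       run_scenario(model_device_put_buggy));
	printf("patched put path:   %d dangling list entries\n",
	       run_scenario(model_device_put_fixed));
	return 0;
}
```

The point the model makes is the invariant the patch restores: an object that can be reached from a shared list must be unlinked before its last reference releases it, no matter which of the two put paths (umount or deferred proc release) happens to be the one that drops the refcount to zero.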