syzbot


BUG: bad unlock balance in seq_read

Status: auto-closed as invalid on 2019/02/22 15:29
First crash: 2549d, last: 2529d

Sample crash report:
keychord: invalid keycode count 0

=====================================
[ BUG: bad unlock balance detected! ]
binder: 2614:2617 BC_ACQUIRE_DONE node 285 has no pending acquire request
4.9.70-g9542d2a #109 Not tainted
-------------------------------------
syz-executor6/2620 is trying to release lock ([  136.794724] binder: BINDER_SET_CONTEXT_MGR already set
binder: 2614:2636 ioctl 40046207 0 returned -16
binder_alloc: 2614: binder_alloc_buf, no vma
binder: 2614:2617 transaction failed 29189/-3, size 80-16 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 2614:2617 transaction 286 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 286, target dead
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor6/2620:
 #0:  (&p->lock){+.+.+.}, at: [<ffffffff815e4f1d>] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 2620 Comm: syz-executor6 Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c4c17948 ffffffff81d90a29 ffffffff849ae9f8 ffff8801bbad1800
 ffffffff834df9b4 ffffffff849ae9f8 ffff8801bbad2088 ffff8801c4c17978
 ffffffff81235404 dffffc0000000000 ffffffff849ae9f8 00000000ffffffff
Call Trace:
 [<ffffffff81d90a29>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90a29>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81235404>] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [<ffffffff8123ded8>] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [<ffffffff8123ded8>] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [<ffffffff838a9f8a>] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [<ffffffff838a9f8a>] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [<ffffffff834df9b4>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [<ffffffff815e58c3>] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [<ffffffff816be57f>] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [<ffffffff81568ef1>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff8156cd60>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff8156cd60>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff8156d014>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8156d3b5>] do_preadv+0x115/0x1a0 fs/read_write.c:975
 [<ffffffff81570690>] SYSC_preadv fs/read_write.c:1025 [inline]
 [<ffffffff81570690>] SyS_preadv+0x30/0x40 fs/read_write.c:1020
 [<ffffffff838aa405>] entry_SYSCALL_64_fastpath+0x23/0xc6
keychord: invalid keycode count 0
IPVS: Creating netns size=2536 id=16
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 2660 Comm: syz-executor7 Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c4c17990 ffffffff81d90a29 ffff8801c4c17c70 0000000000000000
 ffff8801d6ab6e90 ffff8801c4c17b60 ffff8801d6ab6d80 ffff8801c4c17b88
 ffffffff8165e557 ffff8801d0fd4800 ffff8801c4c17ae0 00000001d842a067
Call Trace:
 [<ffffffff81d90a29>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90a29>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165e557>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cd781>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cd781>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cd781>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cd781>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd452>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddbf7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838ab5d8>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff838aa405>] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 2671 Comm: syz-executor7 Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d1207990 ffffffff81d90a29 ffff8801d1207c70 0000000000000000
 ffff8801b8b46110 ffff8801d1207b60 ffff8801b8b46000 ffff8801d1207b88
 ffffffff8165e557 ffff8801b7008000 ffff8801d1207ae0 00000001d842a067
Call Trace:
 [<ffffffff81d90a29>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90a29>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165e557>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cd781>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cd781>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cd781>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cd781>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd452>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddbf7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838ab5d8>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff838aa405>] entry_SYSCALL_64_fastpath+0x23/0xc6
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=33 sclass=netlink_audit_socket pig=2715 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=33 sclass=netlink_audit_socket pig=2715 comm=syz-executor2
IPVS: Creating netns size=2536 id=17
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 2832:2834 transaction failed 29189/-22, size 0-0 line 3007
netlink: 21 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 21 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 2832:2834 transaction failed 29189/-22, size 0-0 line 3007
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder: 2952:2955 unknown command 0
binder: 2952:2955 ioctl c0306201 20000fd0 returned -22
binder: 2952:2959 unknown command 0
binder: 2952:2959 ioctl c0306201 20000fd0 returned -22
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
audit: type=1400 audit(1513623729.737:75): avc:  denied  { dac_read_search } for  pid=3050 comm="syz-executor1" capability=2  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device gre0 entered promiscuous mode
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
keychord: keycode 16224 out of range
keychord: keycode 16224 out of range
tmpfs: No value for mount option ''
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=9822 sclass=netlink_route_socket pig=4336 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=9822 sclass=netlink_route_socket pig=4336 comm=syz-executor5
binder_alloc: binder_alloc_mmap_handler: 4535 20000000-20002000 already mapped failed -16
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=28128 sclass=netlink_route_socket pig=4881 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=28128 sclass=netlink_route_socket pig=4897 comm=syz-executor4
nla_parse: 113 callbacks suppressed
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
net_ratelimit: 115 callbacks suppressed
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.

Crashes (60):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2017/12/18 19:02 https://android.googlesource.com/kernel/common android-4.9 9542d2a0126e 1c4160ef .config console log report ci-android-49-kasan-gce
2017/12/18 01:41 https://android.googlesource.com/kernel/common android-4.9 3f1d77ca5f8f d5beb42a .config console log report ci-android-49-kasan-gce
2017/12/17 05:28 https://android.googlesource.com/kernel/common android-4.9 3f1d77ca5f8f b6f0c91b .config console log report ci-android-49-kasan-gce
2017/12/14 00:22 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e 06ea774d .config console log report ci-android-49-kasan-gce
2017/12/13 13:37 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e ce7f2399 .config console log report ci-android-49-kasan-gce
2017/12/13 12:58 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e ce7f2399 .config console log report ci-android-49-kasan-gce
2017/12/13 02:31 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e 414a185f .config console log report ci-android-49-kasan-gce
2017/12/13 00:17 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e 414a185f .config console log report ci-android-49-kasan-gce
2017/12/11 19:01 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e 27f5dfef .config console log report ci-android-49-kasan-gce
2017/12/11 13:04 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 12:38 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 06:41 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 03:58 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 17:48 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 17:24 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 15:04 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 09:19 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 06:54 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 04:45 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 01:58 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 00:08 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/09 23:25 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/09 23:22 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/09 14:07 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/09 09:29 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/09 03:35 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/09 01:07 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/08 23:10 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/08 16:09 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 b0fa969c .config console log report ci-android-49-kasan-gce
2017/12/08 15:50 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 b0fa969c .config console log report ci-android-49-kasan-gce
2017/12/08 15:38 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 b0fa969c .config console log report ci-android-49-kasan-gce
2017/12/08 13:18 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 b0fa969c .config console log report ci-android-49-kasan-gce
2017/12/08 10:33 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5d643f8e .config console log report ci-android-49-kasan-gce
2017/12/08 10:14 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5d643f8e .config console log report ci-android-49-kasan-gce
2017/12/08 08:58 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5d643f8e .config console log report ci-android-49-kasan-gce
2017/12/08 07:49 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5d643f8e .config console log report ci-android-49-kasan-gce
2017/12/08 06:24 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5d643f8e .config console log report ci-android-49-kasan-gce
2017/12/08 01:19 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5d643f8e .config console log report ci-android-49-kasan-gce
2017/12/07 22:44 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5d643f8e .config console log report ci-android-49-kasan-gce
2017/12/07 08:49 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5d643f8e .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.