=====================================
[ BUG: bad unlock balance detected! ]
4.9.67-gf26d3c7 #106 Not tainted
-------------------------------------
syz-executor4/11329 is trying to release lock ([ 86.047329] binder: 11288:11336 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 11288:11336 BC_FREE_BUFFER uffffffffffffffff no match
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
binder: 11288:11336 got reply transaction with no transaction stack
binder: 11288:11336 transaction failed 29201/-71, size 2-1144397507205 line 2923
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11288:11338 ioctl 40046207 0 returned -16
binder: 11288:11336 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 11288:11336 got transaction to invalid handle
binder: 11288:11336 transaction failed 29201/-22, size 64-32 line 3007
1 lock held by syz-executor4/11329:
 #0:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 11329 Comm: syz-executor4 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a7d9f918 ffffffff81d906e9 ffffffff849ae8f8 ffff8801cf45c800
 ffffffff834dec54 ffffffff849ae8f8 ffff8801cf45d088 ffff8801a7d9f948
 ffffffff812353f4 dffffc0000000000 ffffffff849ae8f8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] traverse+0x3a7/0x900 fs/seq_file.c:148
 [] seq_read+0x7ea/0x1290 fs/seq_file.c:195
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] __vfs_read+0x103/0x670 fs/read_write.c:452
 [] vfs_read+0x11e/0x380 fs/read_write.c:475
 [] SYSC_pread64 fs/read_write.c:629 [inline]
 [] SyS_pread64+0x13f/0x170 fs/read_write.c:616
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 11399:11412 ERROR: BC_REGISTER_LOOPER called without request
binder: 11412 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11399:11446 ioctl 40046207 0 returned -16
binder: 11399:11446 BC_ACQUIRE_DONE node 188 has no pending acquire request
binder: 11399:11446 got reply transaction with no transaction stack
binder: 11399:11446 transaction failed 29201/-71, size 48-40 line 2923
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11399:11446 ioctl 40046207 0 returned -16
binder: 11399:11482 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 11399: binder_alloc_buf, no vma
binder: 11399:11460 transaction failed 29189/-3, size 0-0 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11399:11482 ioctl 40046207 0 returned -16
binder: 11399:11486 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 11399:11486 got reply transaction with no transaction stack
binder: 11399:11486 transaction failed 29201/-71, size 48-40 line 2923
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 189 to 11399:11446
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 11539 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf54f6b0 ffffffff81d906e9 ffff8801cf54f990 0000000000000000
 ffff8801c7645d90 ffff8801cf54f880 ffff8801c7645c80 ffff8801cf54f8a8
 ffffffff8165e307 0000000000000046 ffff8801cf54f800 00000001d8947067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] inet_ioctl+0x117/0x1c0 net/ipv4/af_inet.c:908
 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892
 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 1 PID: 11553 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d65676c0 ffffffff81d906e9 ffff8801d65679a0 0000000000000000
 ffff8801c7645d90 ffff8801d6567890 ffff8801c7645c80 ffff8801d65678b8
 ffffffff8165e307 1ffff1003acacedc ffff8801d6567810 00000001d8947067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] process_vm_rw+0x1bf/0x210 mm/process_vm_access.c:280
 [] SYSC_process_vm_writev mm/process_vm_access.c:307 [inline]
 [] SyS_process_vm_writev+0x47/0x60 mm/process_vm_access.c:302
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
IPVS: Creating netns size=2536 id=21
sd 0:0:1:0: [sg0] tag#671 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11572:11578 ioctl 40046207 0 returned -16
sd 0:0:1:0: [sg0] tag#671 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#671 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#671 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#671 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#671 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
devpts: called with bogus options
devpts: called with bogus options
: renamed from syz2
netlink: 1 bytes leftover after parsing attributes in process `security'.
IPv6: NLM_F_REPLACE set, but no existing node found!
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=56118 sclass=netlink_route_socket pig=11693 comm=syz-executor7
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=56118 sclass=netlink_route_socket pig=11693 comm=syz-executor7
rfkill: input handler disabled
rfkill: input handler enabled
netlink: 11 bytes leftover after parsing attributes in process `syz-executor4'.
device gre0 entered promiscuous mode
cgroup: cgroup2: unknown option "p1TV籱P*(2鮓^b7Q>bV z+ͦVX{S*JZ :$aWAh(-CYQB-"
cgroup: cgroup2: unknown option "p1TV籱P*(2鮓^b7Q>bV z+ͦVX{S*JZ :$aWAh(-CYQB-"
device gre0 entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 11888:11889 ioctl 40046205 ffffffffffffff89 returned -22
binder: 11888:11889 Release 1 refcount change on invalid ref 4 ret -22
binder: 11888:11889 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 11888:11889 unknown command 0
binder: 11888:11889 ioctl c0306201 20000fd0 returned -22
binder: 11888:11889 ioctl c0306201 20001000 returned -11
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 11888:11889 ioctl 40046205 ffffffffffffff89 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11888:11889 ioctl 40046207 0 returned -16
binder: 11888:11904 unknown command 11014
binder: 11888:11904 ioctl c0306201 20000fd0 returned -22
binder: 11888:11904 ioctl c0306201 20001000 returned -11
syz-executor7 (11937): /proc/11930/oom_adj is deprecated, please use /proc/11930/oom_score_adj instead.
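Added note and example, not part of the log above. The lockdep report is the only real finding in this dump (the handle_userfault dump_stack()s, the sg "Test Unit Ready" abort and the binder/netlink/cgroup chatter are fuzzer noise). Its call chain is pread64() -> seq_read() -> traverse() -> ipmr_mfc_seq_stop() -> _raw_read_unlock(mrt_lock) with seq_file's &p->lock as the only lock held, i.e. a seq_file ->stop() is releasing a lock that the matching ->start()/->next() of this read never took. One well-known way that happens is a stop() that decides what to unlock from iterator state left behind by an earlier read, while start() at position 0 returns SEQ_START_TOKEN without resetting that state; a pread() whose offset lands right after the header line then makes traverse() call stop() with nothing locked. Whether that is the exact cause here is an inference from the trace, not something the log states. The userspace C model below (my code, not kernel code; the mock lock, table and iterator names are made up and the table contents are constructed) reproduces that pattern against a lockdep-style lock counter and shows the corrected start() next to the buggy one.

```c
/* Added example (not kernel code): userspace model of the seq_file
 * start()/next()/stop() lock discipline behind the lockdep report above.
 * Names loosely mirror ip6mr.c; lock, table and iterator are mock-ups. */
#include <stdio.h>

#define NLINES 4
#define START_TOKEN ((void *)1)   /* seq_file's "print the header" token */

/* Mock rwlock that reacts like lockdep: counts reader depth and records an
 * unlock with no matching lock instead of corrupting state. */
struct mock_rwlock { int readers; int imbalance; };
static void read_lock(struct mock_rwlock *l) { l->readers++; }
static void read_unlock(struct mock_rwlock *l)
{
	if (l->readers == 0) l->imbalance++;   /* "bad unlock balance" */
	else l->readers--;
}

struct entry { int id; };                  /* id 0 == empty hash line */
struct table { struct mock_rwlock mrt_lock; struct entry lines[NLINES]; };

/* seq_file private iterator: cache != NULL means "pointing into the table,
 * mrt_lock held", which is exactly what stop() keys off. */
struct iter { struct table *t; struct entry *cache; int ct; };

/* Position on the pos-th populated entry, taking mrt_lock on the way in. */
static void *seq_idx(struct iter *it, long pos)
{
	read_lock(&it->t->mrt_lock);
	for (it->ct = 0; it->ct < NLINES; it->ct++) {
		it->cache = &it->t->lines[it->ct];
		if (it->cache->id && pos-- == 0)
			return it->cache;
	}
	read_unlock(&it->t->mrt_lock);
	it->cache = NULL;
	return NULL;
}

/* Buggy start(): at pos 0 it hands back the header token without touching
 * it->cache, so whatever the previous read left there is still visible to stop(). */
static void *seq_start_buggy(struct iter *it, long *pos)
{
	return *pos ? seq_idx(it, *pos - 1) : START_TOKEN;
}

/* Corrected start(): reset the iterator so stop() can only release what this
 * start()/next() sequence actually acquired. */
static void *seq_start_fixed(struct iter *it, long *pos)
{
	it->cache = NULL;
	return *pos ? seq_idx(it, *pos - 1) : START_TOKEN;
}

static void *seq_next(struct iter *it, void *v, long *pos)
{
	++*pos;
	if (v == START_TOKEN)
		return seq_idx(it, 0);
	while (++it->ct < NLINES) {
		it->cache = &it->t->lines[it->ct];
		if (it->cache->id)
			return it->cache;
	}
	read_unlock(&it->t->mrt_lock);     /* table exhausted: drop the lock */
	it->cache = NULL;
	return NULL;
}

static void seq_stop(struct iter *it, void *v)
{
	(void)v;
	if (it->cache)                     /* trusts iterator state */
		read_unlock(&it->t->mrt_lock);
}

typedef void *(*start_fn)(struct iter *, long *);

/* Model of seq_file traverse(): start at record 0 and stop after `take`
 * records, as a pread() whose offset lands on a record boundary does.
 * stop() is always called, whatever start()/next() returned. */
static void traverse(start_fn start, struct iter *it, long take)
{
	long pos = 0, shown = 0;
	void *p = start(it, &pos);
	while (p && ++shown < take)
		p = seq_next(it, p, &pos);
	seq_stop(it, p);
}

/* Two reads on one open file: the first stops inside the table (lock held at
 * stop time, released correctly), the second ends right after the header.
 * Returns unbalanced unlocks plus readers still held (0 == clean). */
static int lock_errors_after_two_reads(start_fn start)
{
	struct table t = { { 0, 0 }, { { 0 }, { 7 }, { 0 }, { 9 } } }; /* constructed */
	struct iter it = { &t, NULL, 0 };
	traverse(start, &it, 2);   /* header + first entry */
	traverse(start, &it, 1);   /* header only: stop(START_TOKEN) */
	return t.mrt_lock.imbalance + t.mrt_lock.readers;
}

int errors_with_buggy_start(void) { return lock_errors_after_two_reads(seq_start_buggy); }
int errors_with_fixed_start(void) { return lock_errors_after_two_reads(seq_start_fixed); }

int main(void)
{
	printf("buggy start: %d lock error(s)\n", errors_with_buggy_start());
	printf("fixed start: %d lock error(s)\n", errors_with_fixed_start());
	return 0;
}
```

Build with `cc -Wall` and run: the buggy start() reports one unbalanced unlock, the corrected one none. The seq_file contract this models is that stop() is called for every start(), including reads that end right after the header or whose start() returned NULL or an error, so stop() must release only what the current start()/next() sequence acquired and never trust state carried over from a previous read.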