=====================================
binder: 9246:9272 transaction failed 29189/-22, size 0-0 line 3007
[ BUG: bad unlock balance detected! ]
4.9.68-gfb66dc2 #107 Not tainted
-------------------------------------
syz-executor0/9270 is trying to release lock ([ 51.116708] binder: 9246:9272 BC_ACQUIRE_DONE node 46 has no pending acquire request
binder: 9246:9272 got reply transaction with no transaction stack
binder: 9246:9272 transaction failed 29201/-71, size 48-40 line 2923
binder: 9246:9272 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 9246: binder_alloc_buf, no vma
binder: 9246:9256 transaction failed 29189/-3, size 0-0 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9246:9256 ioctl 40046207 0 returned -16
binder: 9246:9272 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 9246:9272 got reply transaction with no transaction stack
binder: 9246:9272 transaction failed 29201/-71, size 48-40 line 2923
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor0/9270:
 #0: (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 9270 Comm: syz-executor0 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d118f8e8 ffffffff81d90889 ffffffff849ae9f8 ffff8801d9320000
 ffffffff834dfc54 ffffffff849ae9f8 ffff8801d9320888 ffff8801d118f918
 ffffffff812353f4 dffffc0000000000 ffffffff849ae9f8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
audit: type=1400 audit(1513210959.170:45): avc: denied { setopt } for pid=9309 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
sock: process `syz-executor2' is using obsolete setsockopt SO_BSDCOMPAT
device gre0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 73 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 9445:9451 got transaction with invalid offset (0, min 0 max 0) or object.
binder: 9445:9451 transaction failed 29201/-22, size 0-8 line 3193
binder: 9445:9451 got transaction with too large buffer
binder: 9445:9451 transaction failed 29201/-22, size 40-16 line 3289
binder_alloc: binder_alloc_mmap_handler: 9445 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9445:9451 ioctl 40046207 0 returned -16
binder_alloc: 9445: binder_alloc_buf, no vma
binder: 9445:9451 transaction failed 29189/-3, size 0-8 line 3130
binder_alloc: 9445: binder_alloc_buf, no vma
binder: 9445:9451 transaction failed 29189/-3, size 40-16 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 73 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 9489:9492 ioctl 40286608 5 returned -22
binder: 9489:9492 ioctl 40046205 3 returned -22
binder: 9489:9492 ERROR: BC_REGISTER_LOOPER called without request
binder: 9489:9492 ioctl c0306201 204edfd0 returned -11
binder: 9489:9492 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 9489:9492 got reply transaction with no transaction stack
binder: 9489:9492 transaction failed 29201/-71, size 32-8 line 2923
binder: 9489:9492 ioctl 40046205 ffffffffa223e81f returned -22
binder: 9489:9492 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 9489:9492 BC_INCREFS_DONE node 57 has no pending increfs request
binder: 9489:9492 ioctl c0306201 2000efd0 returned -11
binder: 9489:9492 ioctl 40286608 5 returned -22
binder: 9489:9494 ioctl 40046205 3 returned -22
sock: process `syz-executor5' is using obsolete setsockopt SO_BSDCOMPAT
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9489:9492 ioctl 40046207 0 returned -16
binder: 9489:9494 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 9489:9492 got reply transaction with no transaction stack
binder: 9489:9492 transaction failed 29201/-71, size 32-8 line 2923
binder: 9489:9494 ioctl 40046205 ffffffffa223e81f returned -22
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
device gre0 entered promiscuous mode
netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
audit: type=1400 audit(1513210960.510:46): avc: denied { dyntransition } for pid=9734 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0,c1 tclass=process permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 9721 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf43f9a0 ffffffff81d90889 ffff8801cf43fc80 0000000000000000
 ffff8801d01efa90 ffff8801cf43fb70 ffff8801d01ef980 ffff8801cf43fb98
 ffffffff8165e497 0000000000000282 ffff8801cf43faf0 00000001d0f94067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_sigaltstack kernel/signal.c:3170 [inline]
 [] SyS_sigaltstack+0x6c/0x90 kernel/signal.c:3168
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 9790 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d5ca79a0 ffffffff81d90889 ffff8801d5ca7c80 0000000000000000
 ffff8801d01efd90 ffff8801d5ca7b70 ffff8801d01efc80 ffff8801d5ca7b98
 ffffffff8165e497 ffff8801d5d0c800 0000000000000000 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_sigaltstack kernel/signal.c:3170 [inline]
 [] SyS_sigaltstack+0x6c/0x90 kernel/signal.c:3168
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 9868:9872 ERROR: BC_REGISTER_LOOPER called without request
binder: 9868:9889 transaction failed 29189/-22, size 0-0 line 3007
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 9868:9872 BC_ACQUIRE_DONE node 61 has no pending acquire request
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 9868:9872 got reply transaction with no transaction stack
binder: 9868:9872 transaction failed 29201/-71, size 48-40 line 2923
binder: 9868:9889 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 9868: binder_alloc_buf, no vma
binder: 9868:9872 transaction failed 29189/-3, size 0-0 line 3130
audit: type=1400 audit(1513210961.370:47): avc: denied { ioctl } for pid=9920 comm="syz-executor6" path="socket:[21330]" dev="sockfs" ino=21330 ioctlcmd=0x660b scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1513210961.380:48): avc: denied { bind } for pid=9920 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1513210961.380:49): avc: denied { getopt } for pid=9920 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9868:9889 ioctl 40046207 0 returned -16
binder: 9868:9928 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 9868:9928 got reply transaction with no transaction stack
binder: 9868:9928 transaction failed 29201/-71, size 48-40 line 2923
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 64 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 10000:10003 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 10000:10003 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3
binder: 10000:10003 BC_FREE_BUFFER u0000000000000000 no match
binder: 10000:10003 got transaction to invalid handle
binder: 10000:10003 transaction failed 29201/-22, size 88-16 line 3007
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10000:10021 ioctl 40046207 0 returned -16
binder: 10000:10003 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 10000:10003 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3
binder: 10000:10003 BC_FREE_BUFFER u0000000000000000 no match
binder: 10000:10003 got transaction to invalid handle
binder: 10000:10003 transaction failed 29201/-22, size 88-16 line 3007
binder_alloc: 10000: binder_alloc_buf, no vma
binder: 10000:10037 transaction failed 29189/-3, size 0-0 line 3130
device gre0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 69, process died.
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=10193 comm=syz-executor7
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=10193 comm=syz-executor7
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device gre0 entered promiscuous mode
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder_alloc: binder_alloc_mmap_handler: 10284 20000000-20002000 already mapped failed -16
device lo entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev