binder: 11487:11506 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 11487:11513 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
=====================================
[ BUG: bad unlock balance detected! ]
4.9.80-g20c8a00 #38 Not tainted
-------------------------------------
syz-executor6/11532 is trying to release lock (mrt_lock) at:
[   76.581494] binder: undelivered death notification, 0000000000000000
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor6/11532:
 #0:  (sb_writers#7){.+.+.+}, at: [] file_start_write include/linux/fs.h:2621 [inline]
 #0:  (sb_writers#7){.+.+.+}, at: [] do_sendfile+0x9ff/0xd30 fs/read_write.c:1400
 #1:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 11532 Comm: syz-executor6 Not tainted 4.9.80-g20c8a00 #38
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c0e7f238 ffffffff81d94b69 ffffffff849b6cf8 ffff8801c0c44800
 ffffffff834e8f44 ffffffff849b6cf8 ffff8801c0c45088 ffff8801c0e7f268
 ffffffff81237e04 dffffc0000000000 ffffffff849b6cf8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] kernel_readv fs/splice.c:363 [inline]
 [] default_file_splice_read+0x43f/0x7a0 fs/splice.c:435
 [] do_splice_to+0x10a/0x160 fs/splice.c:899
 [] splice_direct_to_actor+0x24d/0x800 fs/splice.c:971
 [] do_splice_direct+0x1a7/0x270 fs/splice.c:1080
 [] do_sendfile+0x54b/0xd30 fs/read_write.c:1401
 [] SYSC_sendfile64 fs/read_write.c:1456 [inline]
 [] SyS_sendfile64+0xd1/0x160 fs/read_write.c:1448
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
 [] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
 [] entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127
IPVS: Creating netns size=2536 id=13
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=11710 comm=syz-executor0
IPVS: Creating netns size=2536 id=14
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=11726 comm=syz-executor0
rfkill: input handler disabled
rfkill: input handler enabled
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11929:11948 ioctl 40046207 0 returned -16
binder_alloc: 11929: binder_alloc_buf, no vma
binder: 11929:11948 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 11929:11938 transaction 86 out, still active
binder: release 11929:11938 transaction 85 in, still active
binder: undelivered TRANSACTION_COMPLETE
binder: release 11929:11948 transaction 85 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 86, target dead
binder: send failed reply for transaction 85, target dead
IPv6: NLM_F_REPLACE set, but no existing node found!
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
device syz4 left promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12057:12076 ioctl 40046207 0 returned -16
binder: 12057:12076 Release 1 refcount change on invalid ref 0 ret -22
binder: 12057:12061 unknown command 0
binder: 12057:12061 ioctl c0306201 20007000 returned -22
SELinux: policydb magic number 0xeb64faa6 does not match expected magic number 0xf97cff8c
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12071:12097 ioctl 40046207 0 returned -16
binder: 12071:12097 Acquire 1 refcount change on invalid ref 0 ret -22
SELinux: policydb magic number 0xeb64faa6 does not match expected magic number 0xf97cff8c
binder: 12110:12111 Acquire 1 refcount change on invalid ref 0 ret -22
audit_printk_skb: 1845 callbacks suppressed
audit: type=1400 audit(1518199626.278:3631): avc:  denied  { net_admin } for  pid=3883 comm="syz-executor6" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199626.278:3632): avc:  denied  { net_admin } for  pid=3883 comm="syz-executor6" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199626.278:3633): avc:  denied  { sys_admin } for  pid=12123 comm="syz-executor2" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199626.298:3634): avc:  denied  { create } for  pid=12129 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1518199626.298:3635): avc:  denied  { dac_override } for  pid=12122 comm="syz-executor5" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199626.298:3636): avc:  denied  { create } for  pid=12129 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1518199626.308:3637): avc:  denied  { sys_admin } for  pid=3881 comm="syz-executor7" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199626.308:3638): avc:  denied  { net_admin } for  pid=3870 comm="syz-executor1" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199626.328:3639): avc:  denied  { dac_override } for  pid=3880 comm="syz-executor5" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199626.328:3640): avc:  denied  { net_admin } for  pid=3880 comm="syz-executor5" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
device syz4 entered promiscuous mode
device syz4 left promiscuous mode
binder: 12238:12241 ioctl 5411 20007ffc returned -22
binder: 12238:12241 ioctl c0306201 20007000 returned -14
binder: 12238:12241 ioctl 5411 20007ffc returned -22
binder_alloc: binder_alloc_mmap_handler: 12238 20000000-20002000 already mapped failed -16
binder: 12258:12259 transaction failed 29189/-22, size 40-16 line 3004
binder: 12238:12252 ioctl c0306201 20007000 returned -14
binder: undelivered TRANSACTION_ERROR: 29189
binder: binder_mmap: 12266 20007000-20008000 bad vm_flags failed -1
binder: binder_mmap: 12266 20007000-20008000 bad vm_flags failed -1
9pnet_virtio: no channels available for device ./file0
binder: 12551:12571 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 12551:12562 Release 1 refcount change on invalid ref 0 ret -22
binder: 12690:12701 ioctl c0046209 20001000 returned -22
binder: 12690:12705 ioctl c0046209 20001000 returned -22
device eql entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=6432 sclass=netlink_route_socket pig=13041 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=6432 sclass=netlink_route_socket pig=13058 comm=syz-executor3
IPVS: Creating netns size=2536 id=15
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
blk_update_request: I/O error, dev loop0, sector 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
audit_printk_skb: 1619 callbacks suppressed
audit: type=1400 audit(1518199631.288:4181): avc:  denied  { dac_override } for  pid=13274 comm="syz-executor4" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199631.288:4182): avc:  denied  { net_admin } for  pid=13276 comm="syz-executor1" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199631.298:4183): avc:  denied  { sys_admin } for  pid=13271 comm="syz-executor5" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199631.298:4184): avc:  denied  { dac_override } for  pid=13271 comm="syz-executor5" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199631.298:4185): avc:  denied  { net_admin } for  pid=3871 comm="syz-executor0" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199631.298:4186): avc:  denied  { net_admin } for  pid=3871 comm="syz-executor0" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199631.308:4187): avc:  denied  { net_admin } for  pid=3871 comm="syz-executor0" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199631.308:4188): avc:  denied  { net_admin } for  pid=3883 comm="syz-executor6" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199631.308:4189): avc:  denied  { net_admin } for  pid=3883 comm="syz-executor6" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518199631.318:4190): avc:  denied  { net_admin } for  pid=3869 comm="syz-executor2" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
IPVS: Creating netns size=2536 id=16
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 13490:13492 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 13490:13492 ioctl 40046207 0 returned -16
binder: 13490:13522 ERROR: BC_REGISTER_LOOPER called without request
binder: release 13490:13492 transaction 100 in, still active
binder: send failed reply for transaction 100 to 13490:13512
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
Tx-ring is not supported.
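What lockdep is reporting above: ipmr_mfc_seq_stop() (net/ipv6/ip6mr.c:553), reached from sendfile() -> seq_read(), called read_unlock() on mrt_lock while the task held only sb_writers and the seq_file's p->lock, so there was no matching read_lock() in that traversal. A seq_file iterator keeps its position in seq->private across reads, and stop() must release only what start()/next() of the same traversal acquired. The following is an added userspace model of that contract; it is not part of the syzbot report and not kernel code. The names (mfc_iter, mrt_lock_readers, seq_start_stale, seq_start_fixed, run_reads), the three constructed cache entries, and the stale-iterator cause it simulates are illustrative assumptions, not facts established by the log; the log only shows that stop() and the lock state disagreed.

```c
/* Added example: userspace model of a seq_file start()/stop() lock imbalance.
 * Not kernel code; all names and the stale-state cause are assumptions. */
#include <stddef.h>
#include <stdio.h>

#define SEQ_START_TOKEN ((void *)1)   /* same convention as <linux/seq_file.h> */
#define IN_CACHE_ARRAY  1             /* iterator is inside the read-locked array */

/* Models rwlock_t mrt_lock as a read-holder count, plus a lockdep-style
 * "bad unlock balance" counter standing in for the splat in the log. */
static int mrt_lock_readers;
static int unlock_imbalance_reports;

static void read_lock_mrt(void) { mrt_lock_readers++; }

static void read_unlock_mrt(void)
{
	if (mrt_lock_readers == 0) {
		unlock_imbalance_reports++;   /* "no more locks to release!" */
		return;
	}
	mrt_lock_readers--;
}

struct mfc_iter {
	int cache;   /* IN_CACHE_ARRAY while a read lock is outstanding, 0 otherwise */
	size_t ct;   /* index of the current entry */
};

static const size_t n_entries = 3;   /* constructed: three entries, nothing else */

/* Position on entry `pos`, taking the lock that protects it.
 * A non-NULL return means the lock stays held until stop(). */
static void *seq_idx(struct mfc_iter *it, size_t pos)
{
	read_lock_mrt();
	if (pos < n_entries) {
		it->cache = IN_CACHE_ARRAY;
		it->ct = pos;
		return &it->ct;
	}
	read_unlock_mrt();   /* ran off the end: release before returning NULL */
	it->cache = 0;
	return NULL;
}

/* Buggy start(): for *pos == 0 it hands back the header token without
 * touching it->cache, so a position left by an earlier read survives. */
static void *seq_start_stale(struct mfc_iter *it, size_t pos)
{
	return pos ? seq_idx(it, pos - 1) : SEQ_START_TOKEN;
}

/* Hardened start(): every traversal begins with the iterator holding nothing. */
static void *seq_start_fixed(struct mfc_iter *it, size_t pos)
{
	it->cache = 0;
	return pos ? seq_idx(it, pos - 1) : SEQ_START_TOKEN;
}

/* stop() trusts the iterator state to decide whether to unlock. */
static void seq_stop(struct mfc_iter *it)
{
	if (it->cache == IN_CACHE_ARRAY)
		read_unlock_mrt();
}

/* One seq_read()-style traversal: start, show (omitted), stop.
 * Returns the number of imbalance reports it produced. */
static int traverse(struct mfc_iter *it,
		    void *(*start)(struct mfc_iter *, size_t), size_t pos)
{
	int before = unlock_imbalance_reports;

	start(it, pos);
	seq_stop(it);
	return unlock_imbalance_reports - before;
}

/* Three reads on one open file, as a sendfile() loop re-enters seq_read().
 * Returns the total number of imbalance reports. */
static int run_reads(void *(*start)(struct mfc_iter *, size_t))
{
	struct mfc_iter it = { 0, 0 };
	int reports = 0;

	mrt_lock_readers = 0;
	unlock_imbalance_reports = 0;
	reports += traverse(&it, start, 1);              /* entry 0: lock taken, then released */
	reports += traverse(&it, start, 0);              /* header token: start() takes no lock */
	reports += traverse(&it, start, n_entries + 1);  /* past the end: balanced inside seq_idx */
	return reports;
}

int main(void)
{
	printf("stale start(): %d imbalance report(s)\n", run_reads(seq_start_stale));
	printf("fixed start(): %d imbalance report(s)\n", run_reads(seq_start_fixed));
	return 0;
}
```

The second read is the interesting one: start() returned the header token and took no lock, but stop() still believed the iterator sat in the locked array and released a lock nobody held, which is the condition lockdep flagged. The check a reviewer wants in any seq_file implementation is that stop()'s unlock decision depends only on state written by the current traversal's start()/next(), never on what a previous read left behind.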