device gre0 entered promiscuous mode

=====================================
[ BUG: bad unlock balance detected! ]
4.9.67-gf26d3c7 #106 Not tainted
-------------------------------------
syz-executor3/11108 is trying to release lock ([ 77.583672] netlink: 11 bytes leftover after parsing attributes in process `syz-executor4'.
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor3/11108:
 #0:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 11108 Comm: syz-executor3 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdf578e8 ffffffff81d906e9 ffffffff849ae8f8 ffff8801a1f13000
 ffffffff834dec54 ffffffff849ae8f8 ffff8801a1f13888 ffff8801cdf57918
 ffffffff812353f4 dffffc0000000000 ffffffff849ae8f8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
IPv6: NLM_F_REPLACE set, but no existing node found!
9pnet_virtio: no channels available for device HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
IPVS: Creating netns size=2536 id=21
9pnet_virtio: no channels available for device HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 11463:11465 ioctl 40046205 0 returned -22
binder: 11463:11465 ERROR: BC_REGISTER_LOOPER called without request
binder: 11463:11465 ioctl c0306201 20008fd0 returned -11
binder: 11463:11465 got transaction to invalid handle
binder: 11463:11465 transaction failed 29201/-22, size 0-8 line 3007
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=11474 comm=syz-executor5
binder: 11463:11465 got reply transaction with bad transaction stack, transaction 140 has target 11463:0
binder: 11463:11465 transaction failed 29201/-71, size 24-8 line 2938
binder: release 11463:11465 transaction 140 out, still active
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11463:11465 BC_FREE_BUFFER u0000000000000000 no match
binder: 11463:11465 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 11463:11465 got transaction to invalid handle
binder: 11463:11496 ioctl 40046205 6 returned -22
binder: 11463:11497 ioctl 40046205 0 returned -22
binder: 11463:11465 transaction failed 29201/-22, size 72-8 line 3007
binder: send failed reply for transaction 140, target dead
binder: 11463:11496 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 11463: binder_alloc_buf size 536870912 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 11463:11497 unknown command 0
binder: 11463:11497 ioctl c0306201 20002fd0 returned -22
binder: 11463:11496 BC_FREE_BUFFER u0000000000000000 no match
binder: 11463:11465 transaction failed 29201/-28, size 536870912-0 line 3130
binder: 11463:11496 IncRefs 0 refcount change on invalid ref 1 ret -22
device gre0 entered promiscuous mode
binder: 11463:11496 got transaction to invalid handle
binder: 11463:11496 transaction failed 29201/-22, size 72-8 line 3007
binder: 11463:11496 ioctl c0306201 20005fd0 returned -14
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 11549 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a42078e0 ffffffff81d906e9 ffff8801a4207bc0 0000000000000000
 ffff8801d2361490 ffff8801a4207ab0 ffff8801d2361380 ffff8801a4207ad8
 ffffffff8165e307 ffff8801d95a4800 ffff8801a4207a30 00000001cf41d067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] strndup_user+0x28/0xb0 mm/util.c:160
 [] SYSC_request_key security/keys/keyctl.c:186 [inline]
 [] SyS_request_key+0xd6/0x2d0 security/keys/keyctl.c:158
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
tc_dump_action: action bad kind
device gre0 entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: NLM_F_REPLACE set, but no existing node found!
device gre0 entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: NLM_F_REPLACE set, but no existing node found!
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=11805 comm=syz-executor2
sg_write: data in/out 196569/89 bytes for SCSI command 0x4e-- guessing data in; program syz-executor2 not setting count and/or reply_len properly
IPVS: Creating netns size=2536 id=22
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
sock: process `syz-executor7' is using obsolete setsockopt SO_BSDCOMPAT
netlink: 72 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 72 bytes leftover after parsing attributes in process `syz-executor2'.
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 11996 Comm: syz-executor3 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf507710 ffffffff81d906e9 ffff8801cf5079f0 0000000000000000
 ffff8801d2361c10 ffff8801cf5078e0 ffff8801d2361b00 ffff8801cf507908
 ffffffff8165e307 ffffffff84649700 ffff8801cf507860 00000001da0e6067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_select fs/select.c:652 [inline]
 [] SyS_select+0x158/0x1e0 fs/select.c:634
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
CPU: 0 PID: 12041 Comm: syz-executor3 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf127830 ffffffff81d906e9 ffff8801cf127b10 0000000000000000
 ffff8801d2361c10 ffff8801cf127a00 ffff8801d2361b00 ffff8801cf127a28
 ffffffff8165e307 ffff8801db221400 ffff8801cf127980 00000001da0e6067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_mq_timedreceive ipc/mqueue.c:1092 [inline]
 [] SyS_mq_timedreceive+0xcd/0xdb0 ipc/mqueue.c:1077
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 1 PID: 12015 Comm: syz-executor3 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d110f8c0 ffffffff81d906e9 ffff8801d110fba0 0000000000000000
 ffff8801d2361c10 ffff8801d110fa90 ffff8801d2361b00 ffff8801d110fab8
 ffffffff8165e307 ffff8801c94d4800 0000000000000000 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 0 PID: 12031 Comm: syz-executor3 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d192f980 ffffffff81d906e9 ffff8801d192fc60 0000000000000000
 ffff8801d2361c10 ffff8801d192fb50 ffff8801d2361b00 ffff8801d192fb78
 ffffffff8165e307 ffffffff00000002 ffff880100000014 0000000000000044
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
device gre0 entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
device gre0 left promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
tmpfs: No value for mount option 'bYXS[^\ҥ!j9Ԗ^m)D9@ !/KpGz]#aTi[yGJYVҰL/k!n9 GdA2$gIxWi^U$,2'
tmpfs: No value for mount option 'bYXS[^\ҥ!j9Ԗ^m)D9@ !/KpGz]#aTi[yGJYVҰL/k!n9 GdA2$gIxWi^U$,2'
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
binder: 12229:12230 got new transaction with bad transaction stack, transaction 150 has target 12229:0
binder: 12229:12230 transaction failed 29201/-71, size 0-0 line 3034
device gre0 entered promiscuous mode
binder: release 12229:12230 transaction 150 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 150, target dead
netlink: 11 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor4'.
IPVS: Creating netns size=2536 id=23
device gre0 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 12405 Comm: syz-executor0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb1175d0 ffffffff81d906e9 ffff8801cb1178b0 0000000000000000
 ffff8801d2361f10 ffff8801cb1177a0 ffff8801d2361e00 ffff8801cb1177c8
 ffffffff8165e307 0000000041b58ab3 ffff8801cb117720 00000001d039a067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 0 PID: 12413 Comm: syz-executor0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cafdf850 ffffffff81d906e9 ffff8801cafdfb30 0000000000000000
 ffff8801d2361f10 ffff8801cafdfa20 ffff8801d2361e00 ffff8801cafdfa48
 ffffffff8165e307 0000000000000000 ffff8801cafdf9a0 00000001d039a067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] do_fcntl fs/fcntl.c:284 [inline]
 [] SYSC_fcntl fs/fcntl.c:372 [inline]
 [] SyS_fcntl+0x81c/0xc70 fs/fcntl.c:357
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 left promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 12503 Comm: syz-executor1 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d124f840 ffffffff81d906e9 ffff8801d124fb20 0000000000000000
 ffff8801c682ed10 ffff8801d124fa10 ffff8801c682ec00 ffff8801d124fa38
 ffffffff8165e307 ffffffff838a9178 ffff8801d124f990 00000001cd195067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_fsetxattr fs/xattr.c:504 [inline]
 [] SyS_fsetxattr+0x130/0x190 fs/xattr.c:493
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 12560:12564 ioctl 40046205 0 returned -22
binder: 12560:12564 ERROR: BC_REGISTER_LOOPER called without request
binder: 12564 RLIMIT_NICE not set
binder: 12560:12564 ioctl 540f 20009000 returned -22
binder: 12560:12564 BC_FREE_BUFFER u00000000ffffffff no match
binder_alloc: 12560: binder_alloc_buf, no vma
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 154, process died.
sd 0:0:1:0: [sg0] tag#107 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#107 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#107 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#107 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#107 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#107 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
binder: 12560:12577 ioctl 40046205 5 returned -22
binder: 12560:12577 ioctl 40046205 0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12560:12600 ioctl 40046207 0 returned -16
binder: 12560:12577 ERROR: BC_REGISTER_LOOPER called without request
binder: 12560:12618 ioctl 540f 20009000 returned -22
binder: 12560:12617 BC_FREE_BUFFER u0000000000000000 no match
binder: 12560:12564 transaction failed 29189/-3, size 72-8 line 3130
binder_alloc: 12560: binder_alloc_buf, no vma
binder: 12560:12600 transaction failed 29189/-3, size 0-0 line 3130
binder_alloc: 12560: binder_alloc_buf, no vma
binder: 12560:12617 transaction failed 29189/-3, size 72-8 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 12634:12640 got transaction with invalid parent offset or type
binder: 12634:12640 transaction failed 29201/-22, size 80-16 line 3315
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
binder_alloc: binder_alloc_mmap_handler: 12634 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12634:12691 ioctl 40046207 0 returned -16
binder_alloc: 12634: binder_alloc_buf, no vma
binder: 12634:12683 transaction failed 29189/-3, size 80-16 line 3130
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189