=====================================
[ BUG: bad unlock balance detected! ]
4.9.67-gf26d3c7 #106 Not tainted
-------------------------------------
syz-executor6/32331 is trying to release lock ([ 170.367674] binder: 32356:32357 got transaction to invalid handle
binder: 32356:32357 transaction failed 29201/-22, size 24-16 line 3007
binder: 32356:32362 Release 1 refcount change on invalid ref 0 ret -22
binder: 32356:32362 got transaction to invalid handle
binder: 32356:32362 transaction failed 29201/-22, size 24-16 line 3007
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor6/32331:
 #0:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 32331 Comm: syz-executor6 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff880170c878e8 ffffffff81d906e9 ffffffff849ae8f8 ffff8801c83f4800
 ffffffff834dec54 ffffffff849ae8f8 ffff8801c83f5088 ffff880170c87918
 ffffffff812353f4 dffffc0000000000 ffffffff849ae8f8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 17 bytes leftover after parsing attributes in process `syz-executor7'.
@: renamed from syz4
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
sg_write: data in/out 327644/32 bytes for SCSI command 0x4-- guessing data in; program syz-executor5 not setting count and/or reply_len properly
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 330 Comm: syz-executor1 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c50774e0 ffffffff81d906e9 ffff8801c50777c0 0000000000000000
 ffff8801a25d7010 ffff8801c50776b0 ffff8801a25d6f00 ffff8801c50776d8
 ffffffff8165e307 ffff880102408040 ffff8801c5077630 00000001d1b6f067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] generic_perform_write+0x1dc/0x500 mm/filemap.c:2731
 [] __generic_file_write_iter+0x348/0x570 mm/filemap.c:2866
 [] generic_file_write_iter+0x2d5/0x600 mm/filemap.c:2894
 [] new_sync_write fs/read_write.c:499 [inline]
 [] __vfs_write+0x4bf/0x680 fs/read_write.c:512
 [] vfs_write+0x189/0x530 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 330 Comm: syz-executor1 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c50774e0 ffffffff81d906e9 ffff8801c50777c0 0000000000000000
 ffff8801da338290 ffff8801c50776b0 ffff8801da338180 ffff8801c50776d8
 ffffffff8165e307 ffff8801da163d80 ffff8801c5077630 00000001c8c3d067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] generic_perform_write+0x1dc/0x500 mm/filemap.c:2731
 [] __generic_file_write_iter+0x348/0x570 mm/filemap.c:2866
 [] generic_file_write_iter+0x2d5/0x600 mm/filemap.c:2894
 [] new_sync_write fs/read_write.c:499 [inline]
 [] __vfs_write+0x4bf/0x680 fs/read_write.c:512
 [] vfs_write+0x189/0x530 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device gre0 entered promiscuous mode
binder: 534:537 got reply transaction with no transaction stack
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=549 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=6 sclass=netlink_audit_socket pig=549 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=554 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=6 sclass=netlink_audit_socket pig=549 comm=syz-executor5
binder: 534:550 ioctl c0306201 20000fd0 returned -14
binder_alloc: 534: binder_alloc_buf, no vma
binder: 534:550 transaction failed 29189/-3, size 0-0 line 3130
binder: 534:550 ioctl c018620b 2000bfe8 returned -14
binder: undelivered TRANSACTION_ERROR: 29189
device gre0 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): gre0: link is not ready
binder: 534:577 got reply transaction with no transaction stack
binder: 534:577 transaction failed 29201/-71, size 24-16 line 2923
binder: undelivered TRANSACTION_ERROR: 29201
binder: 534:592 got reply transaction with no transaction stack
binder: 534:592 transaction failed 29201/-71, size 0-8 line 2923
binder: BINDER_SET_CONTEXT_MGR already set
binder: 534:550 ioctl 40046207 0 returned -16
binder_alloc: 534: binder_alloc_buf, no vma
binder: 534:577 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: 534:537 transaction failed 29201/-71, size 0-8 line 2923
binder: 534:550 got reply transaction with no transaction stack
binder: 534:550 transaction failed 29201/-71, size 24-16 line 2923
binder: undelivered TRANSACTION_ERROR: 29201
PF_BRIDGE: RTM_SETLINK with unknown ifindex
PF_BRIDGE: RTM_SETLINK with unknown ifindex
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63367 sclass=netlink_route_socket pig=670 comm=syz-executor6
nla_parse: 12 callbacks suppressed
netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=702 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63367 sclass=netlink_route_socket pig=670 comm=syz-executor6
device ±BÞÓ*mqÐx”o‡3{© entered promiscuous mode
device ±BÞÓ*mqÐx”o‡3{© left promiscuous mode
device ±BÞÓ*mqÐx”o‡3{© entered promiscuous mode
device ±BÞÓ*mqÐx”o‡3{© left promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
IPVS: Creating netns size=2536 id=37
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 895:896 ioctl 2403 ffff returned -22
updating oom_score_adj for 905 (syz-executor2) from 0 to 0 because it shares mm with 900 (syz-executor2). Report if this is unexpected.
device lo left promiscuous mode
binder: 895:910 ioctl 8004e500 20005000 returned -22
binder: 895:910 ioctl 401845ef 20004000 returned -22
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 886 Comm: syz-executor5 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a3287990 ffffffff81d906e9 ffff8801a3287c70 0000000000000000
 ffff8801a25d7190 ffff8801a3287b60 ffff8801a25d7080 ffff8801a3287b88
 ffffffff8165e307 0000000000000000 ffff8801a3287ae0 00000001b9ea4067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 911 Comm: syz-executor5 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d5c2f6c0 ffffffff81d906e9 ffff8801d5c2f9a0 0000000000000000
 ffff8801a25d7190 ffff8801d5c2f890 ffff8801a25d7080 ffff8801d5c2f8b8
 ffffffff8165e307 1ffff1003ab85edc ffff8801d5c2f810 00000001b9ea4067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] process_vm_rw+0x1bf/0x210 mm/process_vm_access.c:280
 [] SYSC_process_vm_writev mm/process_vm_access.c:307 [inline]
 [] SyS_process_vm_writev+0x47/0x60 mm/process_vm_access.c:302
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 902 Comm: syz-executor5 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c74df6b0 ffffffff81d906e9 ffff8801c74df990 0000000000000000
 ffff8801a25d7190 ffff8801c74df880 ffff8801a25d7080 ffff8801c74df8a8
 ffffffff8165e307 ffff88021fffd017 ffff8801c74df800 00000001b9ea4067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] inet_ioctl+0x117/0x1c0 net/ipv4/af_inet.c:908
 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892
 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 895:947 ioctl 2403 ffff returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 895:947 ioctl 40046207 0 returned -16
binder: 895:947 ioctl 8004e500 20005000 returned -22
binder: 895:947 ioctl 401845ef 20004000 returned -22
binder: undelivered death notification, 0000000000000000
binder: undelivered death notification, 0000000000000000
binder: 1049:1050 Release 1 refcount change on invalid ref 2 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 1049:1071 Release 1 refcount change on invalid ref 2 ret -22
binder: 1049:1050 ioctl 40046207 0 returned -16
binder: 1177:1178 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 1177:1178 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 1177:1178 got transaction to invalid handle
binder: 1177:1178 transaction failed 29201/-22, size 24-16 line 3007
binder: 1177:1188 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 1177:1178 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
device lo entered promiscuous mode
binder: 1177:1188 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 1177:1188 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 1177:1188 Release 1 refcount change on invalid ref 0 ret -22
binder: 1177:1188 got transaction to invalid handle
binder: 1177:1188 transaction failed 29201/-22, size 24-16 line 3007
IPVS: Creating netns size=2536 id=38
binder: 1370:1372 ERROR: BC_REGISTER_LOOPER called without request
binder: 1370:1372 ioctl c0306201 20008fd0 returned -11
binder: BINDER_SET_CONTEXT_MGR already set
binder: 1370:1372 ioctl 40046207 0 returned -16
binder: 1370:1383 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 1370: binder_alloc_buf, no vma
binder: 1370:1372 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 391 to 1370:1372
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
IPVS: Creating netns size=2536 id=39
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
sg_write: data in/out 327644/32 bytes for SCSI command 0x4-- guessing data in; program syz-executor2 not setting count and/or reply_len properly
binder: 1564:1566 got transaction with too large buffer
binder: 1564:1566 transaction failed 29201/-22, size 80-16 line 3289
binder_alloc: binder_alloc_mmap_handler: 1564 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 1564:1566 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
binder: 1599:1615 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 1599:1615 transaction failed 29189/-22, size 24-0 line 3007
binder: 1599:1621 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 1599:1615 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 1599:1621 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 1599:1621 Release 1 refcount change on invalid ref 0 ret -22
binder: 1599:1621 transaction failed 29189/-22, size 24-0 line 3007
@: renamed from syz7
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
blk_update_request: I/O error, dev loop0, sector 0
blk_update_request: I/O error, dev loop0, sector 255
blk_update_request: I/O error, dev loop0, sector 0
blk_update_request: I/O error, dev loop0, sector 255
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 1880:1881 transaction failed 29189/-22, size 72-32 line 3007
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 1880:1894 transaction failed 29189/-22, size 72-32 line 3007
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
sg_write: data in/out 327644/27195 bytes for SCSI command 0x0-- guessing data in; program syz-executor0 not setting count and/or reply_len properly
binder: 2264:2267 ERROR: BC_REGISTER_LOOPER called without request
binder: 2267 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set