=====================================
[ BUG: bad unlock balance detected! ]
4.9.80-g550c01d #29 Not tainted
-------------------------------------
syz-executor6/7056 is trying to release lock (mrt_lock) at:
[] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor6/7056:
 #0: (&f->f_pos_lock){+.+.+.}, at: [] __fdget_pos+0x9f/0xc0 fs/file.c:781
 #1: (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 7056 Comm: syz-executor6 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c5d578e8 ffffffff81d94b69 ffffffff849b6cf8 ffff8801ce571800
 ffffffff834e8ee4 ffffffff849b6cf8 ffff8801ce572088 ffff8801c5d57918
 ffffffff81237e04 dffffc0000000000 ffffffff849b6cf8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7093:7125 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7129:7130 ioctl 40046207 0 returned -16
binder: 7129:7130 ERROR: BC_REGISTER_LOOPER called without request
binder: 7129:7130 ioctl c0306201 20008fd0 returned -14
binder_alloc: 7093: binder_alloc_buf, no vma
binder: 7129:7130 transaction failed 29189/-3, size 0-0 line 3127
binder: 7129:7130 got reply transaction with no transaction stack
binder: 7129:7130 transaction failed 29201/-71, size 0-0 line 2920
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7129:7132 ioctl 40046207 0 returned -16
binder: 7129:7130 ERROR: BC_REGISTER_LOOPER called without request
binder: 7129:7130 ioctl c0306201 20008fd0 returned -14
binder_alloc: 7093: binder_alloc_buf, no vma
binder: 7129:7132 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 7093: binder_alloc_buf, no vma
binder: 7093:7137 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7093:7103 transaction 12 in, still active
binder: send failed reply for transaction 12 to 7093:7125
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 7207 Comm: syz-executor3 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cc9ef840 ffffffff81d94b69 ffff8801cc9efb20 0000000000000000
 ffff8801bdc6ad10 ffff8801cc9efa10 ffff8801bdc6ac00 ffff8801cc9efa38
 ffffffff816624ba ffffffff838b2c38 ffff8801cc9ef990 00000001d3697067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [] SYSC_fsetxattr fs/xattr.c:504 [inline]
 [] SyS_fsetxattr+0x130/0x190 fs/xattr.c:493
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
CPU: 1 PID: 7228 Comm: syz-executor3 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdb0f8f0 ffffffff81d94b69 ffff8801cdb0fbd0 0000000000000000
 ffff8801bdc6ad10 ffff8801cdb0fac0 ffff8801bdc6ac00 ffff8801cdb0fae8
 ffffffff816624ba 0000000000000000 ffff8801cdb0fa40 00000001d3697067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 7207 Comm: syz-executor3 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cc9ef840 ffffffff81d94b69 ffff8801cc9efb20 0000000000000000
 ffff8801d06aed10 ffff8801cc9efa10 ffff8801d06aec00 ffff8801cc9efa38
 ffffffff816624ba ffff8801cd51b000 0000000000000000 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [] SYSC_fsetxattr fs/xattr.c:504 [inline]
 [] SyS_fsetxattr+0x130/0x190 fs/xattr.c:493
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 7207 Comm: syz-executor3 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cc9ef810 ffffffff81d94b69 ffff8801cc9efaf0 0000000000000000
 ffff8801d06aed10 ffff8801cc9ef9e0 ffff8801d06aec00 ffff8801cc9efa08
 ffffffff816624ba ffff880100000002 ffffffff00000094 0044002200000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [] copy_from_user arch/x86/include/asm/uaccess.h:702 [inline]
 [] setxattr+0x153/0x290 fs/xattr.c:440
 [] SYSC_fsetxattr fs/xattr.c:504 [inline]
 [] SyS_fsetxattr+0x130/0x190 fs/xattr.c:493
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
CPU: 1 PID: 7228 Comm: syz-executor3 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdb0f8f0 ffffffff81d94b69 ffff8801cdb0fbd0 0000000000000000
 ffff8801d06aed10 ffff8801cdb0fac0 ffff8801d06aec00 ffff8801cdb0fae8
 ffffffff816624ba ffff8801cc333000 0000000000000000 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
binder: 7352:7362 ioctl 8933 20a0cfd8 returned -22
binder: 7352:7362 got transaction with invalid number of fds (-4)
binder: 7352:7362 transaction failed 29201/-22, size 72-16 line 3269
audit: type=1400 audit(1517985560.292:27): avc: denied { execute } for pid=7376 comm="syz-executor3" dev="pipefs" ino=19874 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
binder: 7352:7386 ioctl d1 207d5000 returned -22
mip6: mip6_destopt_init_state: spi is not 0: 3640918016
mip6: mip6_destopt_init_state: spi is not 0: 3640918016
binder_alloc: binder_alloc_mmap_handler: 7352 20000000-20002000 already mapped failed -16
binder: 7352:7405 ioctl 8933 20a0cfd8 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7352:7405 ioctl 40046207 0 returned -16
binder_alloc: 7352: binder_alloc_buf, no vma
binder: 7352:7386 transaction failed 29189/-3, size 72-16 line 3127
binder: 7352:7386 ioctl d1 207d5000 returned -22
IPVS: Creating netns size=2536 id=11
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 7432:7440 transaction failed 29189/-22, size 56-5 line 3004
device syz5 left promiscuous mode
device syz5 entered promiscuous mode
device syz5 left promiscuous mode
audit: type=1400 audit(1517985561.692:28): avc: denied { dac_override } for pid=7550 comm="syz-executor1" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517985561.692:29): avc: denied { net_admin } for pid=3899 comm="syz-executor2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517985561.722:30): avc: denied { net_raw } for pid=7550 comm="syz-executor1" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
device eql entered promiscuous mode
audit_printk_skb: 12 callbacks suppressed
audit: type=1400 audit(1517985562.032:35): avc: denied { net_raw } for pid=7650 comm="syz-executor4" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: 7710:7714 ioctl 541b 20c95ffc returned -22
binder: 7710:7725 ioctl 541b 20c95ffc returned -22
audit: type=1400 audit(1517985562.342:36): avc: denied { create } for pid=7745 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517985562.522:37): avc: denied { net_admin } for pid=7787 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517985562.542:38): avc: denied { dac_override } for pid=7784 comm="syz-executor1" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517985562.592:39): avc: denied { net_admin } for pid=3889 comm="syz-executor4" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517985562.692:40): avc: denied { create } for pid=7855 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517985562.722:41): avc: denied { setopt } for pid=7855 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517985562.722:42): avc: denied { ioctl } for pid=7855 comm="syz-executor6" path="socket:[19331]" dev="sockfs" ino=19331 ioctlcmd=0x4525 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517985562.722:43): avc: denied { write } for pid=7855 comm="syz-executor6" path="socket:[19331]" dev="sockfs" ino=19331 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
audit: type=1400 audit(1517985562.812:44): avc: denied { getopt } for pid=7855 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 7953:7956 ioctl c0306201 20007fd0 returned -14
binder: 7953:7963 ioctl c0306201 20004000 returned -14
binder: 7953:7956 ioctl c0306201 20007fd0 returned -14
binder: 8154:8155 ioctl 80047437 20018ffc returned -22
binder: 8154:8155 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000066646185 != 0000000000000000
binder: 8154:8155 ioctl 80047437 20018ffc returned -22
binder: 8172:8181 transaction failed 29189/-22, size 0-0 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: binder_alloc_mmap_handler: 8172 20000000-20002000 already mapped failed -16
binder: 8172:8205 ioctl 40046207 0 returned -16
binder: release 8172:8181 transaction 27 in, still active
binder: send failed reply for transaction 27 to 8172:8205
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
SELinux: policydb magic number 0xafc8fe25 does not match expected magic number 0xf97cff8c
SELinux: policydb magic number 0xafc8fe25 does not match expected magic number 0xf97cff8c
sock: sock_set_timeout: `syz-executor4' (pid 8334) tries to set negative timeout
sock: sock_set_timeout: `syz-executor4' (pid 8334) tries to set negative timeout
IPv4: Oversized IP packet from 127.0.0.1
binder: release 8544:8546 transaction 29 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 8544:8546 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: binder_alloc_mmap_handler: 8544 20000000-20002000 already mapped failed -16
binder_alloc: 8544: binder_alloc_buf, no vma
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8544:8546 ioctl 40046207 0 returned -16
binder: 8544:8555 transaction failed 29189/-3, size 0-0 line 3127
binder: 8544:8570 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 8544:8546 transaction 29 in, still active
binder: send failed reply for transaction 29, target dead
IPVS: Creating netns size=2536 id=12
9pnet_virtio: no channels available for device ./file0