=====================================
[ BUG: bad unlock balance detected! ]
4.9.79-g71f1469 #25 Not tainted
-------------------------------------
syz-executor4/22167 is trying to release lock (mrt_lock) at:
[<ffffffff834e8ee4>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor4/22167:
 #0:  (sb_writers#7){.+.+.+}, at: [<ffffffff81572e4f>] file_start_write include/linux/fs.h:2621 [inline]
 #0:  (sb_writers#7){.+.+.+}, at: [<ffffffff81572e4f>] do_sendfile+0x9ff/0xd30 fs/read_write.c:1400
 #1:  (&p->lock){+.+.+.}, at: [<ffffffff815e8b6d>] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 22167 Comm: syz-executor4 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c98d72a8 ffffffff81d94829 ffffffff849b6cb8 ffff8801b642c800
 ffffffff834e8ee4 ffffffff849b6cb8 ffff8801b642d088 ffff8801c98d72d8
 ffffffff81237df4 dffffc0000000000 ffffffff849b6cb8 00000000ffffffff
Call Trace:
 [<ffffffff81d94829>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94829>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81237df4>] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [<ffffffff812408c8>] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [<ffffffff812408c8>] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [<ffffffff838b2fda>] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [<ffffffff838b2fda>] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [<ffffffff834e8ee4>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [<ffffffff815e9513>] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [<ffffffff816c220f>] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [<ffffffff8156cab1>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff81570920>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff81570920>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff81570bd4>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8160fd0f>] kernel_readv fs/splice.c:363 [inline]
 [<ffffffff8160fd0f>] default_file_splice_read+0x43f/0x7a0 fs/splice.c:435
 [<ffffffff8160ee0a>] do_splice_to+0x10a/0x160 fs/splice.c:899
 [<ffffffff8160f0ad>] splice_direct_to_actor+0x24d/0x800 fs/splice.c:971
 [<ffffffff8160f807>] do_splice_direct+0x1a7/0x270 fs/splice.c:1080
 [<ffffffff8157299b>] do_sendfile+0x54b/0xd30 fs/read_write.c:1401
 [<ffffffff815748f1>] SYSC_sendfile64 fs/read_write.c:1456 [inline]
 [<ffffffff815748f1>] SyS_sendfile64+0xd1/0x160 fs/read_write.c:1448
 [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
netlink: 16 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor5'.
IPVS: Creating netns size=2536 id=20
TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies.  Check SNMP counters.
device gre0 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
IPVS: Creating netns size=2536 id=21
pktgen: kernel_thread() failed for cpu 0
TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies.  Check SNMP counters.
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
dummy0: renamed from gre0
netlink: 68 bytes leftover after parsing attributes in process `syz-executor5'.
audit_printk_skb: 1908 callbacks suppressed
audit: type=1400 audit(1517486292.384:12163): avc:  denied  { net_admin } for  pid=4135 comm="syz-executor4" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486292.384:12164): avc:  denied  { net_admin } for  pid=4142 comm="syz-executor6" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486292.394:12165): avc:  denied  { net_admin } for  pid=22574 comm="syz-executor5" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
netlink: 68 bytes leftover after parsing attributes in process `syz-executor5'.
audit: type=1400 audit(1517486292.394:12166): avc:  denied  { net_admin } for  pid=4128 comm="syz-executor7" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486292.414:12167): avc:  denied  { net_admin } for  pid=4143 comm="syz-executor5" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486292.414:12168): avc:  denied  { dac_override } for  pid=22590 comm="syz-executor2" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486292.554:12169): avc:  denied  { net_admin } for  pid=4135 comm="syz-executor4" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486292.614:12170): avc:  denied  { dac_override } for  pid=19468 comm="syz-executor2" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486292.634:12171): avc:  denied  { net_admin } for  pid=4143 comm="syz-executor5" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486292.634:12172): avc:  denied  { net_admin } for  pid=4135 comm="syz-executor4" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=22785 sclass=netlink_xfrm_socket pig=22774 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=22785 sclass=netlink_xfrm_socket pig=22800 comm=syz-executor7
binder: 22954:22981 BC_DEAD_BINDER_DONE 0000000000000000 not found
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=88 sclass=netlink_xfrm_socket pig=22987 comm=syz-executor2
binder: 22954:22998 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=88 sclass=netlink_xfrm_socket pig=23006 comm=syz-executor2
netlink: 4 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor1'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=74 sclass=netlink_tcpdiag_socket pig=23154 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=74 sclass=netlink_tcpdiag_socket pig=23168 comm=syz-executor4
IPVS: Creating netns size=2536 id=22
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder_alloc: binder_alloc_mmap_handler: 23516 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23516:23540 ioctl 40046207 0 returned -16
audit_printk_skb: 2114 callbacks suppressed
audit: type=1400 audit(1517486297.394:12877): avc:  denied  { dac_override } for  pid=23513 comm="syz-executor2" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: release 23516:23520 transaction 201 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 201, target dead
audit: type=1400 audit(1517486297.394:12878): avc:  denied  { net_admin } for  pid=4130 comm="syz-executor1" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486297.404:12879): avc:  denied  { create } for  pid=23514 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517486297.434:12880): avc:  denied  { net_admin } for  pid=4140 comm="syz-executor3" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486297.444:12881): avc:  denied  { net_admin } for  pid=4143 comm="syz-executor5" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486297.454:12882): avc:  denied  { net_admin } for  pid=4142 comm="syz-executor6" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486297.454:12883): avc:  denied  { net_admin } for  pid=23572 comm="syz-executor6" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486297.464:12884): avc:  denied  { net_admin } for  pid=23567 comm="syz-executor3" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486297.464:12885): avc:  denied  { dac_override } for  pid=23558 comm="syz-executor1" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517486297.464:12886): avc:  denied  { write } for  pid=23558 comm="syz-executor1" name="net" dev="proc" ino=39047 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 23916:23919 ERROR: BC_REGISTER_LOOPER called without request
binder: 23916:23919 ERROR: BC_REGISTER_LOOPER called without request
binder: 23916:23929 ERROR: BC_REGISTER_LOOPER called without request