=====================================
[ BUG: bad unlock balance detected! ]
4.9.70-g9542d2a #109 Not tainted
-------------------------------------
syz-executor7/8889 is trying to release lock (
[ 43.518507] netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
mrt_lock) at:
but there are no more locks to release!
other info that might help us debug this:
2 locks held by syz-executor7/8889:
 #0: (&f->f_pos_lock){+.+.+.}, at: [] __fdget_pos+0x9f/0xc0 fs/file.c:781
 #1: (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178
stack backtrace:
CPU: 1 PID: 8889 Comm: syz-executor7 Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d8e3f8e8 ffffffff81d90a29 ffffffff849ae9f8 ffff8801d8e30000
 ffffffff834df9b4 ffffffff849ae9f8 ffff8801d8e30888 ffff8801d8e3f918
 ffffffff81235404 dffffc0000000000 ffffffff849ae9f8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 8931:8934 got transaction with invalid offsets size, 4
binder: 8931:8934 transaction failed 29201/-22, size 0-4 line 3166
binder: 8931:8934 ioctl c0306201 20007000 returned -14
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 8931: binder_alloc_buf, no vma
binder: 8931:8951 transaction failed 29189/-3, size 0-4 line 3130
binder: 8962:8971 got transaction with invalid parent offset or type
binder: 8962:8971 transaction failed 29201/-22, size 32-8 line 3253
binder_alloc: binder_alloc_mmap_handler: 8962 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8962:8971 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor2/9008
binder: 9003:9015 got transaction with invalid parent offset or type
binder: 9003:9015 transaction failed 29201/-22, size 32-8 line 3253
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 9008 Comm: syz-executor2 Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d809f6d8 ffffffff81d90a29 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801d8090000 0000000000000003 ffff8801d809f718
 ffffffff81df79f4 ffff8801d809f730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device sit0 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 9067 Comm: Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c34f7880 ffffffff81d90a29 ffff8801c34f7b60 0000000000000000
 ffff8801ce1d7a90 ffff8801c34f7a50 ffff8801ce1d7980 ffff8801c34f7a78
 ffffffff8165e557 ffff8801db221418 ffff8801c34f79d0 00000001d9a8b067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_prctl kernel/sys.c:2285 [inline]
 [] SyS_prctl+0x45a/0x14a0 kernel/sys.c:2224
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9113 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9115 comm=syz-executor5
device syz7 entered promiscuous mode
audit: type=1400 audit(1513690920.649:40): avc: denied { create } for pid=9330 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1513690920.689:41): avc: denied { write } for pid=9330 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1513690920.709:42): avc: denied { read } for pid=9330 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
device gre0 entered promiscuous mode
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
binder: 9671:9677 BC_FREE_BUFFER u0000000020000000 matched unreturned buffer
binder: 9671:9677 got new transaction with bad transaction stack, transaction 67 has target 9671:0
binder: 9671:9677 transaction failed 29201/-71, size 0-0 line 3034
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9671:9677 ioctl 40046207 0 returned -16
binder_alloc: 9671: binder_alloc_buf, no vma
binder: 9671:9688 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 9671:9677 transaction 67 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 67, target dead
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=48821 sclass=netlink_route_socket pig=10100 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=48821 sclass=netlink_route_socket pig=10108 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55994 sclass=netlink_route_socket pig=10188 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55994 sclass=netlink_route_socket pig=10200 comm=syz-executor5
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23397 sclass=netlink_route_socket pig=10245 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23397 sclass=netlink_route_socket pig=10245 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=121 sclass=netlink_route_socket pig=10250 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=121 sclass=netlink_route_socket pig=10252 comm=syz-executor5
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=32 sclass=netlink_tcpdiag_socket pig=10692 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=32 sclass=netlink_tcpdiag_socket pig=10697 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=27935 sclass=netlink_route_socket pig=10828 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=27935 sclass=netlink_route_socket pig=10836 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=11097 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=56497 sclass=netlink_route_socket pig=11148 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=56497 sclass=netlink_route_socket pig=11158 comm=syz-executor5
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
audit: type=1400 audit(1513690926.919:43): avc: denied { create } for pid=11344 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
binder: 11908:11912 ioctl c0306201 20382000 returned -11
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11908:11914 ioctl 40046207 0 returned -16
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies. Check SNMP counters.