=====================================
[ BUG: bad unlock balance detected! ]
4.9.80-g20c8a00 #30 Not tainted
-------------------------------------
syz-executor2/9470 is trying to release lock (mrt_lock) at:
[<ffffffff834e8f44>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor2/9470:
 #0:  (&p->lock){+.+.+.}, at: [<ffffffff815e8e5d>] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 9470 Comm: syz-executor2 Not tainted 4.9.80-g20c8a00 #30
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d4ea7918 ffffffff81d94b69 ffffffff849b6cf8 ffff8801d51f9800
 ffffffff834e8f44 ffffffff849b6cf8 ffff8801d51fa088 ffff8801d4ea7948
 ffffffff81237e04 dffffc0000000000 ffffffff849b6cf8 00000000ffffffff
Call Trace:
 [<ffffffff81d94b69>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94b69>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81237e04>] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [<ffffffff812408d8>] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [<ffffffff812408d8>] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [<ffffffff838b303a>] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [<ffffffff838b303a>] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [<ffffffff834e8f44>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [<ffffffff815e5e17>] traverse+0x3a7/0x900 fs/seq_file.c:148
 [<ffffffff815e956a>] seq_read+0x7ea/0x1290 fs/seq_file.c:195
 [<ffffffff816c24ff>] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [<ffffffff8156c043>] __vfs_read+0x103/0x670 fs/read_write.c:452
 [<ffffffff8156fdde>] vfs_read+0x11e/0x380 fs/read_write.c:475
 [<ffffffff81573ecf>] SYSC_pread64 fs/read_write.c:629 [inline]
 [<ffffffff81573ecf>] SyS_pread64+0x13f/0x170 fs/read_write.c:616
 [<ffffffff838b34ee>] entry_SYSCALL_64_fastpath+0x29/0xe8
binder: 9504:9506 ioctl 541b 20000ffc returned -22
binder: 9504:9506 ERROR: BC_REGISTER_LOOPER called without request
binder: 9504:9506 ioctl 541b 20000ffc returned -22
binder_alloc: binder_alloc_mmap_handler: 9504 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9504:9506 ioctl 40046207 0 returned -16
binder: 9504:9542 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 9504: binder_alloc_buf, no vma
binder: 9504:9542 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
device gre0 entered promiscuous mode
binder: 9574:9583 ioctl c0306201 20007fd0 returned -11
binder: 9574:9583 transaction failed 29189/-22, size 0-0 line 3004
binder: undelivered transaction 55, process died.
binder: undelivered TRANSACTION_ERROR: 29189
IPVS: Creating netns size=2536 id=11
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
IPv4: Oversized IP packet from 127.0.0.1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 9946 Comm: syz-executor6 Not tainted 4.9.80-g20c8a00 #30
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b25df970 ffffffff81d94b69 ffff8801b25dfc50 0000000000000000
 ffff8801cbce3490 ffff8801b25dfb40 ffff8801cbce3380 ffff8801b25dfb68
 ffffffff816624ba ffff8801b25df9d8 ffff8801b25dfac0 00000001c4e5d067
Call Trace:
 [<ffffffff81d94b69>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94b69>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff816624ba>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [<ffffffff814d0da1>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814d0da1>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814d0da1>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814d0da1>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810de642>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [<ffffffff810dede7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [<ffffffff838b4848>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [<ffffffff838b34ee>] entry_SYSCALL_64_fastpath+0x29/0xe8
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
audit: type=1400 audit(1518054883.197:36): avc:  denied  { listen } for  pid=10640 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
net_ratelimit: 33 callbacks suppressed
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
device eql entered promiscuous mode