keychord: invalid keycode count 0
=====================================
[ BUG: bad unlock balance detected! ]
binder: 2614:2617 BC_ACQUIRE_DONE node 285 has no pending acquire request
4.9.70-g9542d2a #109 Not tainted
-------------------------------------
syz-executor6/2620 is trying to release lock ([ 136.794724] binder: BINDER_SET_CONTEXT_MGR already set
binder: 2614:2636 ioctl 40046207 0 returned -16
binder_alloc: 2614: binder_alloc_buf, no vma
binder: 2614:2617 transaction failed 29189/-3, size 80-16 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 2614:2617 transaction 286 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 286, target dead
mrt_lock) at:
but there are no more locks to release!
other info that might help us debug this:
1 lock held by syz-executor6/2620:
#0: (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178
stack backtrace:
CPU: 0 PID: 2620 Comm: syz-executor6 Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801c4c17948 ffffffff81d90a29 ffffffff849ae9f8 ffff8801bbad1800
ffffffff834df9b4 ffffffff849ae9f8 ffff8801bbad2088 ffff8801c4c17978
ffffffff81235404 dffffc0000000000 ffffffff849ae9f8 00000000ffffffff
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
[] __lock_release kernel/locking/lockdep.c:3540 [inline]
[] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
[] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
[] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
[] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
[] seq_read+0xa83/0x1290 fs/seq_file.c:283
[] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
[] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
[] do_loop_readv_writev fs/read_write.c:880 [inline]
[] do_readv_writev+0x520/0x750 fs/read_write.c:874
[] vfs_readv+0x84/0xc0 fs/read_write.c:898
[] do_preadv+0x115/0x1a0 fs/read_write.c:975
[] SYSC_preadv fs/read_write.c:1025 [inline]
[] SyS_preadv+0x30/0x40 fs/read_write.c:1020
[] entry_SYSCALL_64_fastpath+0x23/0xc6
keychord: invalid keycode count 0
IPVS: Creating netns size=2536 id=16
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 2660 Comm: syz-executor7 Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801c4c17990 ffffffff81d90a29 ffff8801c4c17c70 0000000000000000
ffff8801d6ab6e90 ffff8801c4c17b60 ffff8801d6ab6d80 ffff8801c4c17b88
ffffffff8165e557 ffff8801d0fd4800 ffff8801c4c17ae0 00000001d842a067
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
[] do_anonymous_page mm/memory.c:2747 [inline]
[] handle_pte_fault mm/memory.c:3488 [inline]
[] __handle_mm_fault mm/memory.c:3577 [inline]
[] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
[] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
[] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 2671 Comm: syz-executor7 Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801d1207990 ffffffff81d90a29 ffff8801d1207c70 0000000000000000
ffff8801b8b46110 ffff8801d1207b60 ffff8801b8b46000 ffff8801d1207b88
ffffffff8165e557 ffff8801b7008000 ffff8801d1207ae0 00000001d842a067
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
[] do_anonymous_page mm/memory.c:2747 [inline]
[] handle_pte_fault mm/memory.c:3488 [inline]
[] __handle_mm_fault mm/memory.c:3577 [inline]
[] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
[] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
[] entry_SYSCALL_64_fastpath+0x23/0xc6
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=33 sclass=netlink_audit_socket pig=2715 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=33 sclass=netlink_audit_socket pig=2715 comm=syz-executor2
IPVS: Creating netns size=2536 id=17
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 2832:2834 transaction failed 29189/-22, size 0-0 line 3007
netlink: 21 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 21 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 2832:2834 transaction failed 29189/-22, size 0-0 line 3007
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder: 2952:2955 unknown command 0
binder: 2952:2955 ioctl c0306201 20000fd0 returned -22
binder: 2952:2959 unknown command 0
binder: 2952:2959 ioctl c0306201 20000fd0 returned -22
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
audit: type=1400 audit(1513623729.737:75): avc: denied { dac_read_search } for pid=3050 comm="syz-executor1" capability=2 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device gre0 entered promiscuous mode
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
keychord: keycode 16224 out of range
keychord: keycode 16224 out of range
tmpfs: No value for mount option ' '
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=9822 sclass=netlink_route_socket pig=4336 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=9822 sclass=netlink_route_socket pig=4336 comm=syz-executor5
binder_alloc: binder_alloc_mmap_handler: 4535 20000000-20002000 already mapped failed -16
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=28128 sclass=netlink_route_socket pig=4881 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=28128 sclass=netlink_route_socket pig=4897 comm=syz-executor4
nla_parse: 113 callbacks suppressed
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
net_ratelimit: 115 callbacks suppressed
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.