=====================================
[ BUG: bad unlock balance detected! ]
audit: type=1401 audit(1518342960.537:130): op=fscreate invalid_context=73797374656D5F753A6F626A6563745F723A617553FF01705F657865635F743A7330000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
4.9.80-g8a174b47 #31 Not tainted
-------------------------------------
syz-executor0/19346 is trying to release lock (mrt_lock) at:
[] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor0/19346:
 #0:  (sb_writers#7){.+.+.+}, at: [] file_start_write include/linux/fs.h:2621 [inline]
 #0:  (sb_writers#7){.+.+.+}, at: [] do_sendfile+0x9ff/0xd30 fs/read_write.c:1400
 #1:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 19346 Comm: syz-executor0 Not tainted 4.9.80-g8a174b47 #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d52b72a8 ffffffff81d94be9 ffffffff849b6cf8 ffff8801d51c8000
 ffffffff834e8f44 ffffffff849b6cf8 ffff8801d51c8888 ffff8801d52b72d8
 ffffffff81237e84 dffffc0000000000 ffffffff849b6cf8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] kernel_readv fs/splice.c:363 [inline]
 [] default_file_splice_read+0x43f/0x7a0 fs/splice.c:435
 [] do_splice_to+0x10a/0x160 fs/splice.c:899
 [] splice_direct_to_actor+0x24d/0x800 fs/splice.c:971
 [] do_splice_direct+0x1a7/0x270 fs/splice.c:1080
 [] do_sendfile+0x54b/0xd30 fs/read_write.c:1401
 [] SYSC_sendfile64 fs/read_write.c:1456 [inline]
 [] SyS_sendfile64+0xd1/0x160 fs/read_write.c:1448
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=38 sclass=netlink_tcpdiag_socket pig=19413 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=38 sclass=netlink_tcpdiag_socket pig=19425 comm=syz-executor7
binder: 19561:19567 transaction failed 29189/-22, size 80-16 line 3004
binder: undelivered TRANSACTION_ERROR: 29189
IPVS: Creating netns size=2536 id=13
binder: 19662:19671 BC_INCREFS_DONE u0000000020000000 no match
binder: 19662:19671 got transaction to invalid handle
binder: 19662:19671 transaction failed 29201/-22, size 80-24 line 3004
binder: 19662:19688 got new transaction with bad transaction stack, transaction 120 has target 19662:19671
binder: 19662:19688 transaction failed 29201/-71, size 0-0 line 3031
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19662:19671 ioctl 40046207 0 returned -16
binder_alloc: 19662: binder_alloc_buf, no vma
binder: 19662:19688 transaction failed 29189/-3, size 0-0 line 3127
binder: 19662:19671 BC_FREE_BUFFER u0000000020000000 no match
binder: 19662:19671 BC_INCREFS_DONE u0000000020000000 no match
binder: 19662:19671 got transaction to invalid handle
binder: 19662:19671 transaction failed 29201/-22, size 80-24 line 3004
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 19662:19671 transaction 120 in, still active
binder: send failed reply for transaction 120 to 19662:19688
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: binder_alloc_mmap_handler: 19714 20000000-20002000 already mapped failed -16
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
IPVS: Creating netns size=2536 id=14
audit_printk_skb: 15 callbacks suppressed
audit: type=1400 audit(1518342963.697:136): avc:  denied  { net_broadcast } for  pid=19835 comm="syz-executor5" capability=11  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: 19856:19858 ioctl 4b66 20fc6000 returned -22
binder: 19856:19858 transaction failed 29189/-22, size 734-16 line 3004
binder_alloc: binder_alloc_mmap_handler: 19856 20000000-20002000 already mapped failed -16
binder: 19856:19858 ioctl 4b66 20fc6000 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
IPVS: Creating netns size=2536 id=15
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 19943:19949 tried to acquire reference to desc 0, got 1 instead
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19943:19958 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19943:19949 ioctl 40046207 0 returned -16
SELinux:  Invalid class 85
SELinux:  Invalid class 85
audit: type=1400 audit(1518342965.177:137): avc:  denied  { create } for  pid=20065 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1
device gre0 entered promiscuous mode
binder: 20273:20290 BC_REQUEST_DEATH_NOTIFICATION death notification already set
binder: 20273:20313 tried to acquire reference to desc 0, got 1 instead
binder: 20273:20313 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 20273:20313 BC_REQUEST_DEATH_NOTIFICATION death notification already set
IPVS: set_ctl: invalid protocol: 65286 0.0.0.0:60696
IPVS: set_ctl: invalid protocol: 65286 0.0.0.0:60696
l2tp_core: tunl 1: fd 20 wrong protocol, got 6, expected 17
l2tp_core: tunl 1: fd 24 wrong protocol, got 6, expected 17
IPVS: Creating netns size=2536 id=16
IPVS: Creating netns size=2536 id=17
audit: type=1400 audit(1518342967.697:138): avc:  denied  { ioctl } for  pid=20787 comm="syz-executor1" path="socket:[42351]" dev="sockfs" ino=42351 ioctlcmd=0x8903 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1518342967.927:139): avc:  denied  { read } for  pid=20853 comm="syz-executor5" path="socket:[42412]" dev="sockfs" ino=42412 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies.  Check SNMP counters.
binder: 21095:21096 got transaction to invalid handle
binder: 21095:21096 transaction failed 29201/-22, size 0-0 line 3004
binder: 21095:21104 got reply transaction with no transaction stack
binder: 21095:21104 transaction failed 29201/-71, size 0-0 line 2920
binder_alloc: binder_alloc_mmap_handler: 21095 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 21095:21108 got transaction to invalid handle
binder: 21095:21108 transaction failed 29201/-22, size 0-0 line 3004
binder: 21095:21104 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 4 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
binder_alloc: 21266: binder_alloc_buf, no vma
binder: 21266:21289 transaction failed 29189/-3, size 0-0 line 3127
binder: 21266:21310 got reply transaction with no transaction stack
binder: 21266:21310 transaction failed 29201/-71, size 112-8 line 2920
binder: BINDER_SET_CONTEXT_MGR already set
binder: 21266:21289 ioctl 40046207 0 returned -16
binder_alloc: 21266: binder_alloc_buf, no vma
binder: 21266:21315 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 21366:21369 got transaction with invalid handle, 0
binder: 21366:21369 transaction failed 29201/-22, size 64-8 line 3219
binder_alloc: binder_alloc_mmap_handler: 21366 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 21366:21369 ioctl 40046207 0 returned -16
binder_alloc: 21366: binder_alloc_buf, no vma
binder: 21366:21369 transaction failed 29189/-3, size 64-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1401 audit(1518342969.947:140): op=fscreate invalid_context=AB386CD7F1D23B0E7314486494C8D560871ED875FA9F4BD1C737BBEF72516BB0515188578E35377114A5032BCA1FD79048BAF6FCEA050B306A2130F3EF3898E7A2C9319DB59FA5E20F9D38C3F33012C7C71EB9551427238F2BE00D61FE0D88D3762029B94B82FFD790B873D417A369EE0AE2541FE1292ACE2FE81B012DD99FE0C4F64E53CFEECAF728B2A6A1BBA7DF382C7F6CCB95E0EB387F9DCC34CE196C4749F95174566487114D2AEAAC6D220E4209BA8B4FC34696E5405949D5A6EAB09B1B5C82B9D3A4A71D8BB5A0F90F128EC34817D22AE2653EC323BEE642323E1766B34FA45F9CA42B3B42EE464668538DCD45E5D53E129CC210D72704D5D1702599E91C1B5570B9568BFF7DAD4F380DD314B7553CBCC79661E66420A02C32CE4EC4FAD5FE74766392CE7A9539E17771861BB684DD3FD48CE01AE5FAF3F5BB74A01F1C89B719D61419134F40D33291777E98753F69BB0B326BED4D579BB669337FBB15E9C0DB3BE3ECAC43C7AB574B695959253C9985D028E1AE2DBDC876E45798747D04CED0C284FC17D82735109657619A888E2DFBF5F1659CEBB208BB37EF60604AFCBF8026DF8581AE0F57D3F5920ACF9E467E0B28E9E780EBC5E2D45634CC56079A60E7320229B5DE5FF
audit: type=1401 audit(1518342970.057:141): op=fscreate invalid_context
netlink: 12 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor0'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 21636 Comm: syz-executor7 Not tainted 4.9.80-g8a174b47 #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c352f930 ffffffff81d94be9 ffff8801c352fc10 0000000000000000
 ffff8801cf3df310 ffff8801c352fb00 ffff8801cf3df200 ffff8801c352fb28
 ffffffff8166253a 0000000000000001 ffff8801c352fa80 00000001d8af9067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055