IPv6: Can't replace route, no match found
=====================================
[ BUG: bad unlock balance detected! ]
4.9.67-gf26d3c7 #106 Not tainted
-------------------------------------
[   67.263677] IPv6: Can't replace route, no match found
syz-executor1/10510 is trying to release lock (mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor1/10510:
 #0:  (&f->f_pos_lock){+.+.+.}, at: [] __fdget_pos+0x9f/0xc0 fs/file.c:781
 #1:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
rfkill: input handler disabled
CPU: 0 PID: 10510 Comm: syz-executor1 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d567f8e8 ffffffff81d906e9 ffffffff849ae8f8 ffff8801d1726000
 ffffffff834dec54 ffffffff849ae8f8 ffff8801d1726888 ffff8801d567f918
 ffffffff812353f4 dffffc0000000000 ffffffff849ae8f8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
rfkill: input handler enabled
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
sock: process `syz-executor0' is using obsolete setsockopt SO_BSDCOMPAT
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
binder: 10802:10806 ERROR: BC_REGISTER_LOOPER called without request
binder: 10802:10818 ERROR: BC_REGISTER_LOOPER called without request
device gre0 entered promiscuous mode
binder: 10960:10964 ERROR: BC_REGISTER_LOOPER called without request
binder: 10960:10964 got transaction with invalid offsets ptr
binder: 10960:10964 transaction failed 29201/-14, size 0-320 line 3158
binder: 10975:10978 got reply transaction with no transaction stack
binder: 10975:10978 transaction failed 29201/-71, size 2-1144397507205 line 2923
binder: 10960:10982 got reply transaction with no transaction stack
binder: 10960:10982 transaction failed 29201/-71, size 24-8 line 2923
binder: 10975:10990 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 10975:10990 got transaction to invalid handle
binder: 10975:10990 transaction failed 29201/-22, size 64-32 line 3007
binder: send failed reply for transaction 113 to 10975:10990
binder: 10975:10978 ioctl c0306201 2000efd0 returned -14
binder: 10975:10990 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 10975:10990 BC_FREE_BUFFER u000000002000c000 matched unreturned buffer
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10960:10982 ioctl 40046207 0 returned -16
binder_alloc: 10960: binder_alloc_buf, no vma
binder: 10960:10995 transaction failed 29189/-3, size 0-320 line 3130
binder: 10975:10990 got reply transaction with no transaction stack
binder: 10975:10990 transaction failed 29201/-71, size 2-1144397507205 line 2923
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10975:11009 ioctl 40046207 0 returned -16
binder: 10975:11009 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 10975:11009 got transaction to invalid handle
binder: 10975:11009 transaction failed 29201/-22, size 64-32 line 3007
binder: 10975:11018 BC_INCREFS_DONE uffffffffffffffff no match
binder: 10975:11018 got transaction to invalid handle
binder: 10975:11018 transaction failed 29201/-22, size 40-16 line 3007
binder_alloc: 10975: binder_alloc_buf, no vma
binder: 10975:11018 transaction failed 29189/-3, size 0-0 line 3130
device lo entered promiscuous mode
device lo left promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
device lo entered promiscuous mode
device lo left promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
keychord: invalid keycode count 0
nla_parse: 11 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
sg_write: data in/out 327644/32 bytes for SCSI command 0x4-- guessing data in;
   program syz-executor6 not setting count and/or reply_len properly
binder: 11060:11070 ERROR: BC_REGISTER_LOOPER called without request
binder: 11060:11070 ioctl c0306201 20008fd0 returned -11
binder_alloc: binder_alloc_mmap_handler: 11060 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11060:11070 ioctl 40046207 0 returned -16
binder: 11060:11092 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 11060: binder_alloc_buf, no vma
binder: 11060:11070 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 120 to 11060:11070
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
keychord: invalid keycode count 0
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
IPVS: length: 24 != 8
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 11162 Comm: syz-executor7 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d59ff9a0 ffffffff81d906e9 ffff8801d59ffc80 0000000000000000
 ffff8801c8ab8e90 ffff8801d59ffb70 ffff8801c8ab8d80 ffff8801d59ffb98
 ffffffff8165e307 0000000000000282 ffff8801d59ffaf0 00000001cfe66067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_sigaltstack kernel/signal.c:3170 [inline]
 [] SyS_sigaltstack+0x6c/0x90 kernel/signal.c:3168
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 11186 Comm: syz-executor7 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a4fd79a0 ffffffff81d906e9 ffff8801a4fd7c80 0000000000000000
 ffff8801c8ab9010 ffff8801a4fd7b70 ffff8801c8ab8f00 ffff8801a4fd7b98
 ffffffff8165e307 ffff8801c94e4800 0000000000000000 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_sigaltstack kernel/signal.c:3170 [inline]
 [] SyS_sigaltstack+0x6c/0x90 kernel/signal.c:3168
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 11207:11216 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11207:11231 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 11207: binder_alloc_buf, no vma
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
binder: 11207:11216 ioctl 40046207 0 returned -16
binder: 11207:11257 got reply transaction with no transaction stack
binder: 11207:11257 transaction failed 29201/-71, size 24-8 line 2923
sd 0:0:1:0: [sg0] tag#541 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#541 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#541 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#541 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#541 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#541 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
binder: 11207:11231 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
device lo entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 124, process died.
sd 0:0:1:0: [sg0] tag#541 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#541 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#541 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#541 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#541 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#541 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
device gre0 entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `security'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
IPVS: Creating netns size=2536 id=18
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket pig=11477 comm=syz-executor5
devpts: called with bogus options
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket pig=11477 comm=syz-executor5
devpts: called with bogus options
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11557:11561 ioctl 40046207 0 returned -16
binder: 11557:11561 transaction failed 29201/-22, size 0--1556441380301985772 line 3130
loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, lost async page write
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11557:11578 transaction failed 29201/-22, size 0--1556441380301985772 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11557:11561 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
program syz-executor5 is using a deprecated SCSI ioctl, please convert it to SG_IO
netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'.
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor5 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
binder: 11797:11799 ERROR: BC_REGISTER_LOOPER called without request
device lo left promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11797:11813 ioctl 40046207 0 returned -16
binder: 11797:11813 BC_ACQUIRE_DONE node 131 has no pending acquire request
binder: 11797:11813 got reply transaction with no transaction stack
binder: 11797:11813 transaction failed 29201/-71, size 48-40 line 2923
device lo entered promiscuous mode
device lo left promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11797:11849 ERROR: BC_REGISTER_LOOPER called without request
binder: 11797:11813 ioctl 40046207 0 returned -16
binder_alloc: 11797: binder_alloc_buf, no vma
binder: 11797:11841 transaction failed 29189/-3, size 0-0 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11797:11853 ioctl 40046207 0 returned -16
binder: 11797:11841 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 11797:11841 got reply transaction with no transaction stack
binder: 11797:11841 transaction failed 29201/-71, size 48-40 line 2923
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
binder: release 11797:11813 transaction 132 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 11885:11888 ioctl c0086420 20ee6000 returned -22
binder: 11885:11888 got transaction to invalid handle
binder: 11885:11888 transaction failed 29201/-22, size 104-40 line 3007
binder: 11885:11888 transaction failed 29189/-22, size 0-0 line 3007
: renamed from syz5
binder: 11885:11888 ioctl c0086420 20ee6000 returned -22
binder: 11885:11888 got transaction to invalid handle
binder: 11885:11888 transaction failed 29201/-22, size 104-40 line 3007
binder: 11885:11888 transaction failed 29189/-22, size 0-0 line 3007
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=20076 sclass=netlink_xfrm_socket pig=11887 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=20076 sclass=netlink_xfrm_socket pig=11900 comm=syz-executor5
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
device syz4 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 132, target dead
device gre0 entered promiscuous mode
loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, lost async page write
loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, lost async page write
VFS: Dirty inode writeback failed for block device loop4 (err=-5).
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 12088 Comm: syz-executor0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a759f8c0 ffffffff81d906e9 ffff8801a759fba0 0000000000000000
 ffff8801c8ab9910 ffff8801a759fa90 ffff8801c8ab9800 ffff8801a759fab8
 ffffffff8165e307 0000000000000000 ffff8801a759fa10 00000001d99e1067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 12075 Comm: syz-executor0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d6b07710 ffffffff81d906e9 ffff8801d6b079f0 0000000000000000
 ffff8801c8ab9910 ffff8801d6b078e0 ffff8801c8ab9800 ffff8801d6b07908
 ffffffff8165e307 ffffffff84649700 ffff8801d6b07860 00000001d99e1067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_select fs/select.c:652 [inline]
 [] SyS_select+0x158/0x1e0 fs/select.c:634
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 1 PID: 12094 Comm: syz-executor0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c8527830 ffffffff81d906e9 ffff8801c8527b10 0000000000000000
 ffff8801c8ab9910 ffff8801c8527a00 ffff8801c8ab9800 ffff8801c8527a28
 ffffffff8165e307 ffff8801c5238000 ffff8801c8527980 00000001d99e1067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_mq_timedreceive ipc/mqueue.c:1092 [inline]
 [] SyS_mq_timedreceive+0xcd/0xdb0 ipc/mqueue.c:1077
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device gre0 entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: NLM_F_REPLACE set, but no existing node found!
IPVS: Creating netns size=2536 id=19
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=257 sclass=netlink_xfrm_socket pig=12399 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=257 sclass=netlink_xfrm_socket pig=12412 comm=syz-executor3
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
syz-executor2 (12457): /proc/12456/oom_adj is deprecated, please use /proc/12456/oom_score_adj instead.
updating oom_score_adj for 12462 (syz-executor2) from 0 to 58 because it shares mm with 12456 (syz-executor2). Report if this is unexpected.
IPVS: set_ctl: invalid protocol: 64680 1.136.255.255:16303 F
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
device gre0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
device gre0 left promiscuous mode
device gre0 entered promiscuous mode