[<ffffffff8116978c>] SyS_rt_tgsigqueueinfo+0x2c/0x40 kernel/signal.c:3010
 [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8

=====================================
[ BUG: bad unlock balance detected! ]
4.9.79-g71f1469 #25 Not tainted
-------------------------------------
syz-executor0/9109 is trying to release lock (mrt_lock) at:
[<ffffffff834e8ee4>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor0/9109:
 #0:  (sb_writers#7){.+.+.+}, at: [<ffffffff81572e4f>] file_start_write include/linux/fs.h:2621 [inline]
 #0:  (sb_writers#7){.+.+.+}, at: [<ffffffff81572e4f>] do_sendfile+0x9ff/0xd30 fs/read_write.c:1400
 #1:  (&p->lock){+.+.+.}, at: [<ffffffff815e8b6d>] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 9109 Comm: syz-executor0 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d880f2a8 ffffffff81d94829 ffffffff849b6cb8 ffff8801d3fb8000
 ffffffff834e8ee4 ffffffff849b6cb8 ffff8801d3fb8888 ffff8801d880f2d8
 ffffffff81237df4 dffffc0000000000 ffffffff849b6cb8 00000000ffffffff
Call Trace:
 [<ffffffff81d94829>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94829>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81237df4>] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [<ffffffff812408c8>] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [<ffffffff812408c8>] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [<ffffffff838b2fda>] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [<ffffffff838b2fda>] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [<ffffffff834e8ee4>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [<ffffffff815e9513>] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [<ffffffff816c220f>] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [<ffffffff8156cab1>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff81570920>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff81570920>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff81570bd4>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8160fd0f>] kernel_readv fs/splice.c:363 [inline]
 [<ffffffff8160fd0f>] default_file_splice_read+0x43f/0x7a0 fs/splice.c:435
 [<ffffffff8160ee0a>] do_splice_to+0x10a/0x160 fs/splice.c:899
 [<ffffffff8160f0ad>] splice_direct_to_actor+0x24d/0x800 fs/splice.c:971
 [<ffffffff8160f807>] do_splice_direct+0x1a7/0x270 fs/splice.c:1080
 [<ffffffff8157299b>] do_sendfile+0x54b/0xd30 fs/read_write.c:1401
 [<ffffffff815748f1>] SYSC_sendfile64 fs/read_write.c:1456 [inline]
 [<ffffffff815748f1>] SyS_sendfile64+0xd1/0x160 fs/read_write.c:1448
 [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
binder_alloc: binder_alloc_mmap_handler: 9080 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9080:9118 ioctl 40046207 0 returned -16
binder_alloc: 9080: binder_alloc_buf, no vma
binder: 9080:9118 transaction failed 29189/-3, size 24-8 line 3127
binder: 9080:9090 transaction failed 29201/-22, size 24-8 line 3206
binder: 9155:9156 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: binder_alloc_mmap_handler: 9155 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9155:9162 ioctl 40046207 0 returned -16
netlink: 64 bytes leftover after parsing attributes in process `syz-executor5'.
binder_alloc: 9155: binder_alloc_buf, no vma
binder: 9155:9162 transaction failed 29189/-3, size 0-0 line 3127
netlink: 64 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: ADDRCONF(NETDEV_CHANGE): syz4: link becomes ready
device gre0 entered promiscuous mode
audit: type=1400 audit(1517461411.721:42): avc:  denied  { sys_ptrace } for  pid=4131 comm="syz-executor7" capability=19  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
rfkill: input handler disabled
rfkill: input handler enabled
sg_write: data in/out 1969188161/36 bytes for SCSI command 0x6e-- guessing data in;
   program syz-executor6 not setting count and/or reply_len properly
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 9904 Comm: syz-executor4 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d3a0f8a0 ffffffff81d94829 ffff8801d3a0fb80 0000000000000000
 ffff8801b5b91310 ffff8801d3a0fa70 ffff8801b5b91200 ffff8801d3a0fa98
 ffffffff816621ca ffff8801afd7e000 ffff8801d3a0f9f0 00000001bae1d067
Call Trace:
 [<ffffffff81d94829>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94829>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff816621ca>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [<ffffffff814d0d91>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814d0d91>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814d0d91>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814d0d91>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810de642>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [<ffffffff810dede7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [<ffffffff838b47c8>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
binder: 9930:9931 got new transaction with bad transaction stack, transaction 35 has target 9930:0
binder: 9930:9931 transaction failed 29201/-71, size 0-0 line 3031
mmap: syz-executor3 (9951): VmData 18391040 exceed data ulimit 155. Update limits or use boot option ignore_rlimit_data.
binder: release 9930:9931 transaction 35 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 35, target dead
binder: 9930:9952 got new transaction with bad transaction stack, transaction 38 has target 9930:0
binder: 9930:9952 transaction failed 29201/-71, size 0-0 line 3031
binder: release 9930:9952 transaction 38 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 38, target dead
binder_alloc: 10018: binder_alloc_buf size 32482251202978096 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 10018:10019 transaction failed 29201/-28, size 32482251202978095-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 10018: binder_alloc_buf size 32482251202978096 failed, no address space
audit: type=1400 audit(1517461413.341:43): avc:  denied  { dyntransition } for  pid=10045 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0,c1 tclass=process permissive=1
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 10018:10019 transaction failed 29201/-28, size 32482251202978095-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10071:10073 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1517461413.431:44): avc:  denied  { transfer } for  pid=10071 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 10071:10073 ioctl c0306201 2000efd0 returned -14
binder: 10071:10073 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 46, process died.
binder: 10138:10141 ERROR: BC_REGISTER_LOOPER called without request
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder_alloc: 10138: binder_alloc_buf size -128 failed, no address space
binder: 10159:10164 ioctl c0306201 20005fd0 returned -14
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder: 10159:10167 ioctl c0306201 20005fd0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10138:10155 ioctl 40046207 0 returned -16
binder_alloc: allocated: 8 (num: 1 largest: 8), free: 8184 (num: 1 largest: 8184)
binder: 10138:10141 transaction failed 29201/-28, size 32--167 line 3127
binder: send failed reply for transaction 50 to 10138:10155
binder: 10138:10141 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 10138: binder_alloc_buf, no vma
binder: 10138:10141 transaction failed 29189/-3, size 0-0 line 3127
binder: 10138:10155 got reply transaction with no transaction stack
binder: 10138:10155 transaction failed 29201/-71, size 32--167 line 2920
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 12 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor6'.
sock: process `syz-executor4' is using obsolete getsockopt SO_BSDCOMPAT
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
netlink: 37 bytes leftover after parsing attributes in process `syz-executor2'.
Modules linked in:
CPU: 0 PID: 10440 Comm: syz-executor5 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801cfbbe000 task.stack: ffff8801ba1b8000
RIP: 0010:[<ffffffff8144ee71>]  [<ffffffff8144ee71>] __read_once_size include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff8144ee71>]  [<ffffffff8144ee71>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP: 0010:[<ffffffff8144ee71>]  [<ffffffff8144ee71>] page_ref_count include/linux/page_ref.h:66 [inline]
RIP: 0010:[<ffffffff8144ee71>]  [<ffffffff8144ee71>] put_page_testzero include/linux/mm.h:450 [inline]
RIP: 0010:[<ffffffff8144ee71>]  [<ffffffff8144ee71>] __free_pages+0x21/0x80 mm/page_alloc.c:3897
RSP: 0018:ffff8801ba1bfab0  EFLAGS: 00010a07
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 10468 Comm: syz-executor2 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cff7f670 ffffffff81d94829 ffff8801cff7f950 0000000000000000
 ffff8801b5b91a90 ffff8801cff7f840 ffff8801b5b91980 ffff8801cff7f868
 ffffffff816621ca 0000000000000000 ffff8801cff7f7c0 00000001c4b52067
Call Trace:
 [<ffffffff81d94829>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94829>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff816621ca>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [<ffffffff814d0d91>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814d0d91>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814d0d91>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814d0d91>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810de642>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [<ffffffff810dede7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [<ffffffff838b47c8>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [<ffffffff815b3d2e>] do_pselect fs/select.c:688 [inline]
 [<ffffffff815b3d2e>] SYSC_pselect6 fs/select.c:729 [inline]
 [<ffffffff815b3d2e>] SyS_pselect6+0x2ae/0x550 fs/select.c:714
 [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
RAX: dffffc0000000000 RBX: dead4ead00000000 RCX: ffffffff82667c6b
RDX: 1bd5a9d5a0000003 RSI: 0000000000000001 RDI: dead4ead0000001c
RBP: ffff8801ba1bfac0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: ffff8801cfbbe000 R12: 0000000000000004
R13: 0000000000000020 R14: ffff8801c99e8000 R15: dffffc0000000000
FS:  00007fe36c92f700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000071c000 CR3: 00000001d8978000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801cfbbe000 ffff8801c99e8158 ffff8801ba1bfb20 ffffffff82667c91
 ffff8801c99e8170 ffffed003933d02b ffffed003933d02e ffff8801c99e8168
 dead4ead00000000 ffff8801c99e8140 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff82667c91>] sg_remove_scat.isra.19+0x1c1/0x2d0 drivers/scsi/sg.c:1944
 [<ffffffff82668055>] sg_finish_rem_req+0x2b5/0x340 drivers/scsi/sg.c:1825
 [<ffffffff82668119>] sg_new_read.isra.20+0x39/0x3e0 drivers/scsi/sg.c:566
 [<ffffffff82669d87>] sg_read+0x8b7/0x1440 drivers/scsi/sg.c:455
 [<ffffffff8156bed3>] __vfs_read+0x103/0x670 fs/read_write.c:452
 [<ffffffff8156fc6e>] vfs_read+0x11e/0x380 fs/read_write.c:475
 [<ffffffff81573999>] SYSC_read fs/read_write.c:591 [inline]
 [<ffffffff81573999>] SyS_read+0xd9/0x1b0 fs/read_write.c:584
 [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
Code: e9 27 fc ff ff 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 53 48 89 fb 48 83 c7 1c 48 89 fa 48 83 ec 08 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 3d 
RIP  [<ffffffff8144ee71>] __read_once_size include/linux/compiler.h:243 [inline]
RIP  [<ffffffff8144ee71>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP  [<ffffffff8144ee71>] page_ref_count include/linux/page_ref.h:66 [inline]
RIP  [<ffffffff8144ee71>] put_page_testzero include/linux/mm.h:450 [inline]
RIP  [<ffffffff8144ee71>] __free_pages+0x21/0x80 mm/page_alloc.c:3897
 RSP <ffff8801ba1bfab0>
---[ end trace d1bb667cad8711d8 ]---