binder: 17484:17490 IncRefs 0 refcount change on invalid ref 1 ret -22
=====================================
[ BUG: bad unlock balance detected! ]
4.9.80-g8a174b47 #31 Not tainted
-------------------------------------
syz-executor2/17492 is trying to release lock (mrt_lock) at:
[] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor2/17492:
 #0:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 17492 Comm: syz-executor2 Not tainted 4.9.80-g8a174b47 #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d7897918 ffffffff81d94be9 ffffffff849b6cf8 ffff8801b492e000
 ffffffff834e8f44 ffffffff849b6cf8 ffff8801b492e888 ffff8801d7897948
 ffffffff81237e84 dffffc0000000000 ffffffff849b6cf8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] traverse+0x3a7/0x900 fs/seq_file.c:148
 [] seq_read+0x7ea/0x1290 fs/seq_file.c:195
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] __vfs_read+0x103/0x670 fs/read_write.c:452
 [] vfs_read+0x11e/0x380 fs/read_write.c:475
 [] SYSC_pread64 fs/read_write.c:629 [inline]
 [] SyS_pread64+0x13f/0x170 fs/read_write.c:616
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
binder: 17484:17502 BC_FREE_BUFFER u0000000020000000 matched unreturned buffer
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17484:17522 ioctl 40046207 0 returned -16
binder_alloc: 17484: binder_alloc_buf, no vma
binder: 17484:17522 transaction failed 29189/-3, size 0-0
binder: 17484:17522 BC_FREE_BUFFER u0000000020000000 no match
binder: 17484:17490 unknown command 0
binder: 17484:17490 ioctl c0306201 20002fd0 returned -22
binder: release 17484:17490 transaction 155 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 155, target dead
audit: type=1400 audit(1518472093.081:66): avc:  denied  { sys_chroot } for  pid=17589 comm="syz-executor0" capability=18  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
device gre0 entered promiscuous mode
: renamed from gre0
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=82 sclass=netlink_tcpdiag_socket pig=17991 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=82 sclass=netlink_tcpdiag_socket pig=17991 comm=syz-executor5
device syz5 entered promiscuous mode
IPVS: length: 24 != 3145848
device syz5 left promiscuous mode
binder: 18142:18143 ioctl c0086420 20733ff8 returned -22
binder: 18142:18143 ioctl 40086425 20f9f000 returned -22
binder: 18142:18143 got reply transaction with no transaction stack
binder: 18142:18143 transaction failed 29201/-71, size 104-8
binder: 18142:18143 ioctl c0086420 20733ff8 returned -22
binder: 18142:18164 ioctl 40086425 20f9f000 returned -22
binder: undelivered TRANSACTION_ERROR: 29201
IPv4: Oversized IP packet from 127.0.0.1
keychord: invalid keycode count 0
keychord: invalid keycode count 0
arp_tables: arptables: counters copy to user failed while replacing table
arp_tables: arptables: counters copy to user failed while replacing table
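What the lockdep report above establishes: ipmr_mfc_seq_stop() (net/ipv6/ip6mr.c:553) reached read_unlock(&mrt_lock) from seq_read() -> traverse() while lockdep recorded only seq_file's &p->lock as held, so on this pread64() path the matching seq_start() had not taken mrt_lock before stop() released it. fs/seq_file.c's traverse() pairs every start() with a stop() call, including when start() returns an error pointer, so a stop() that decides whether to unlock from iterator state left over by an earlier read can release a lock the current read never acquired. The C program below is an added example, not kernel code and not from this report: it is a userspace model of that start()/stop() contract with a lockdep-style balance counter. The "stale iterator after the table disappears between two reads" scenario it drives is an assumption chosen to illustrate the shape of the imbalance, not a root cause derived from this log; the names mrt_lock, ipmr_mfc_seq_* and mfc_iter mirror the trace but the table, iterator and lock are simplified stand-ins.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace model of the fs/seq_file.c start()/stop() contract and of the
 * check behind "BUG: bad unlock balance detected!". Added example, not
 * kernel code; structures are simplified stand-ins for the ip6mr ones. */

/* An rwlock reduced to a read-hold count. Releasing with no holders is the
 * condition print_unlock_imbalance_bug() reports ("no more locks to release"). */
struct model_rwlock {
	int readers;
	int bad_unlocks;
};

static void model_read_lock(struct model_rwlock *l) { l->readers++; }

static void model_read_unlock(struct model_rwlock *l)
{
	if (l->readers == 0) {
		l->bad_unlocks++;	/* what lockdep flagged in the report */
		return;
	}
	l->readers--;
}

/* Per-open iterator: seq->private survives across reads on the same fd. */
struct mfc_iter {
	const void *cache;	/* non-NULL is used to mean "start() took mrt_lock" */
};

struct mrt_table { int unused; };
static struct mrt_table the_table;
static struct mrt_table *current_table;	/* NULL models a table that is gone */
static struct model_rwlock mrt_lock;

typedef const void *(*start_fn)(struct mfc_iter *);
typedef void (*stop_fn)(struct mfc_iter *);

/* Buggy shape (assumed for illustration): an early return in start() leaves
 * it->cache exactly as the previous read left it, and stop() trusts it. */
static const void *buggy_start(struct mfc_iter *it)
{
	struct mrt_table *mrt = current_table;

	if (!mrt)
		return NULL;		/* stands in for ERR_PTR(-ENOENT) */
	model_read_lock(&mrt_lock);
	it->cache = mrt;
	return mrt;
}

static void buggy_stop(struct mfc_iter *it)
{
	if (it->cache)			/* stale after a failed start() */
		model_read_unlock(&mrt_lock);
}

/* Hardened shape: reset iterator state before any early exit and clear it on
 * stop(), so stop() only releases what this particular start() acquired. */
static const void *fixed_start(struct mfc_iter *it)
{
	struct mrt_table *mrt = current_table;

	it->cache = NULL;
	if (!mrt)
		return NULL;
	model_read_lock(&mrt_lock);
	it->cache = mrt;
	return mrt;
}

static void fixed_stop(struct mfc_iter *it)
{
	if (it->cache) {
		model_read_unlock(&mrt_lock);
		it->cache = NULL;
	}
}

/* traverse()/seq_read() call stop() after start() even when start() failed. */
static void model_seq_read(struct mfc_iter *it, start_fn start, stop_fn stop)
{
	const void *p = start(it);
	(void)p;			/* error pointer or not, stop() still runs */
	stop(it);
}

/* Two pread64()-style reads on one fd, with the table removed in between.
 * Returns how many unlock-imbalance events the model lock recorded. */
static int run_scenario(int hardened)
{
	struct mfc_iter it = { .cache = NULL };
	start_fn start = hardened ? fixed_start : buggy_start;
	stop_fn stop = hardened ? fixed_stop : buggy_stop;

	mrt_lock.readers = 0;
	mrt_lock.bad_unlocks = 0;
	current_table = &the_table;
	model_seq_read(&it, start, stop);	/* first read: lock taken, released */
	current_table = NULL;			/* table disappears */
	model_seq_read(&it, start, stop);	/* second read: start() bails early */
	return mrt_lock.bad_unlocks;
}

/* Read-hold count left behind by run_scenario(); must be 0 either way. */
static int lock_holders_after(int hardened)
{
	run_scenario(hardened);
	return mrt_lock.readers;
}

int main(void)
{
	printf("buggy start/stop:    %d bad unlock(s)\n", run_scenario(0));
	printf("hardened start/stop: %d bad unlock(s)\n", run_scenario(1));
	return 0;
}
```

The property worth checking in any seq_operations pair is the one the model makes explicit: stop() must only undo what the same invocation of start() did, so state that decides the unlock has to be reset on every path out of start(), including the error paths that run before the lock is taken.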