=====================================
[ BUG: bad unlock balance detected! ]
4.9.68-gfb66dc2 #107 Not tainted
-------------------------------------
syz-executor4/5560 is trying to release lock ([ 92.041420] loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, lost async page write
audit_printk_skb: 3 callbacks suppressed
audit: type=1400 audit(1513132283.510:31): avc: denied { setgid } for pid=5581 comm="syz-executor0" capability=6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, lost async page write
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor4/5560:
 #0: (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 5560 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a8f6f8e8 ffffffff81d90889 ffffffff849ae9f8 ffff8801ccdb3000
 ffffffff834dfc54 ffffffff849ae9f8 ffff8801ccdb3888 ffff8801a8f6f918
 ffffffff812353f4 dffffc0000000000 ffffffff849ae9f8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
VFS: Dirty inode writeback failed for block device loop4 (err=-5).
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
device syz2 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
device lo entered promiscuous mode
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset its stats unexpectedly
audit: type=1400 audit(1513132284.110:32): avc: denied { write } for pid=5754 comm="syz-executor4" name="net" dev="proc" ino=15038 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
audit: type=1400 audit(1513132284.140:33): avc: denied { add_name } for pid=5754 comm="syz-executor4" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
audit: type=1400 audit(1513132284.160:34): avc: denied { create } for pid=5754 comm="syz-executor4" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:insmod_t:s0 tclass=file permissive=1
binder: 5899:5900 Release 1 refcount change on invalid ref 1 ret -22
binder: 5899 invalid dec weak, ref 9 desc 0 s 1 w 0
binder: 5899:5900 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 5899:5900 got reply transaction with no transaction stack
binder: 5899:5900 transaction failed 29201/-71, size 0-48 line 2923
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5899:5910 ioctl 40046207 0 returned -16
binder: 5899:5900 Release 1 refcount change on invalid ref 1 ret -22
binder: 5899:5910 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 5899:5910 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 5899:5910 got reply transaction with no transaction stack
binder: 5899:5910 transaction failed 29201/-71, size 0-48 line 2923
device syz5 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 6025 Comm: syz-executor6 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce787710 ffffffff81d90889 ffff8801ce7879f0 0000000000000000
 ffff8801a9a67790 ffff8801ce7878e0 ffff8801a9a67680 ffff8801ce787908
 ffffffff8165e497 ffff8801c00f6080 ffff8801ce787860 00000001cfa73067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_select fs/select.c:652 [inline]
 [] SyS_select+0x158/0x1e0 fs/select.c:634
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
tmpfs: Bad mount option ۪]B@7:짜p7NȸE9n䰎8,7zCΆjJ.c/nNqyBUP]/1hИhȁ6h||}Vɭ4j wwDvjU
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 6039 Comm: syz-executor6 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9c27710 ffffffff81d90889 ffff8801c9c279f0 0000000000000000
 ffff8801b8e15d90 ffff8801c9c278e0 ffff8801b8e15c80 ffff8801c9c27908
 ffffffff8165e497 ffffffff84649700 ffff8801c9c27860 00000001cfa73067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_select fs/select.c:652 [inline]
 [] SyS_select+0x158/0x1e0 fs/select.c:634
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
mmap: syz-executor2 (6120): VmData 2068480 exceed data ulimit 0. Update limits or use boot option ignore_rlimit_data.
device gre0 entered promiscuous mode
cgroup: cgroup2: unknown option ""
cgroup: cgroup2: unknown option ""
binder: 6230:6241 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 6230:6241 got transaction to invalid handle
binder: 6230:6241 transaction failed 29201/-22, size 24-16 line 3007
binder: 6230:6253 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6230:6253 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6230:6241 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder_alloc: 6264: binder_alloc_buf, no vma
binder: 6264:6274 transaction failed 29189/-3, size 0-0 line 3130
binder: 6230:6253 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor6/6276
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 6276 Comm: syz-executor6 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a98776d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801a9858000 0000000000000003 ffff8801a9877718
 ffffffff81df7854 ffff8801a9877730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 6230:6271 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 6230:6271 Release 1 refcount change on invalid ref 0 ret -22
binder: 6230:6271 got transaction to invalid handle
binder: 6230:6271 transaction failed 29201/-22, size 24-16 line 3007
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6264:6294 ioctl 40046207 0 returned -16
binder_alloc: 6264: binder_alloc_buf, no vma
binder: 6264:6294 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered death notification, 0000000000000000
audit: type=1400 audit(1513132286.760:35): avc: denied { setpcap } for pid=6321 comm="syz-executor2" capability=8 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
capability: warning: `syz-executor2' uses deprecated v2 capabilities in a way that may be insecure
selinux_nlmsg_perm: 1 callbacks suppressed
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=6325 comm=syz-executor5
Option 'tgˆa9mļw& [% SM?4-' to dns_resolver key: bad/missing value
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=6325 comm=syz-executor5
Option 'tgˆa9mļw& [% SM?4-' to dns_resolver key: bad/missing value
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pig=6368 comm=syz-executor4
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor6/6427
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 6427 Comm: syz-executor6 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cef9f6d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801d937b000 0000000000000003 ffff8801cef9f718
 ffffffff81df7854 ffff8801cef9f730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor6/6427
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 6427 Comm: syz-executor6 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cef9f6d8 ffffffff81d90889 0000000000000000 ffffffff83c17800
 ffffffff83f42ec0 ffff8801d937b000 0000000000000003 ffff8801cef9f718
 ffffffff81df7854 ffff8801cef9f730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
devpts: called with bogus options
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=6509 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=6 sclass=netlink_audit_socket pig=6509 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=6509 comm=syz-executor6
devpts: called with bogus options
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=6 sclass=netlink_audit_socket pig=6527 comm=syz-executor6
nla_parse: 10 callbacks suppressed
netlink: 6 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 6678:6681 got transaction with invalid parent offset
binder: 6678:6681 transaction failed 29201/-22, size 80-32 line 3315
binder_alloc: binder_alloc_mmap_handler: 6678 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6678:6681 ioctl 40046207 0 returned -16
binder_alloc: 6678: binder_alloc_buf, no vma
binder: 6678:6697 transaction failed 29189/-3, size 80-32 line 3130