=====================================
[ BUG: bad unlock balance detected! ]
4.9.67-gf26d3c7 #106 Not tainted
-------------------------------------
syz-executor2/21954 is trying to release lock ([  218.163323] netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor2/21954:
 #0:  (&p->lock){+.+.+.}, at: [<ffffffff815e4cdd>] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 21954 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a7b778e8 ffffffff81d906e9 ffffffff849ae8f8 ffff8801d5579800
 ffffffff834dec54 ffffffff849ae8f8 ffff8801d557a088 ffff8801a7b77918
 ffffffff812353f4 dffffc0000000000 ffffffff849ae8f8 00000000ffffffff
Call Trace:
 [<ffffffff81d906e9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d906e9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff812353f4>] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [<ffffffff8123dec8>] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [<ffffffff8123dec8>] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [<ffffffff838a951a>] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [<ffffffff838a951a>] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [<ffffffff834dec54>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [<ffffffff815e5683>] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [<ffffffff816be32f>] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [<ffffffff81568cb1>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff8156cb20>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff8156cb20>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff8156cdd4>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8156cef6>] do_readv+0xe6/0x250 fs/read_write.c:924
 [<ffffffff815703e7>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff815703e7>] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [<ffffffff838a9985>] entry_SYSCALL_64_fastpath+0x23/0xc6
9pnet_virtio: no channels available for device ./file0
binder: 21991:21992 Acquire 1 refcount change on invalid ref 2 ret -22
binder: 21991:21992 BC_REQUEST_DEATH_NOTIFICATION invalid ref 3
binder: 21991:21992 ERROR: BC_REGISTER_LOOPER called without request
binder: 21991:21992 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: 21991:21998 BC_CLEAR_DEATH_NOTIFICATION death notification not active
9pnet_virtio: no channels available for device ./file0
binder: 21991:21998 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 21991:21998 got transaction to invalid handle
binder: 21991:21998 transaction failed 29201/-22, size 24-16 line 3007
binder: 21991:21998 Acquire 1 refcount change on invalid ref 2 ret -22
binder: 21991:22016 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 21991:21998 BC_REQUEST_DEATH_NOTIFICATION invalid ref 3
binder: 22025:22028 ERROR: BC_REGISTER_LOOPER called without request
binder: 21991:21998 ERROR: BC_REGISTER_LOOPER called without request
binder: 21991:21998 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: 22028 RLIMIT_NICE not set
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 22029 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9b6f9a0[  218.759943] device syz1 entered promiscuous mode
 ffffffff81d906e9 ffff8801c9b6fc80 0000000000000000[  218.770566] binder: 22025:22032 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22025:22028 ioctl 40046207 0 returned -16
binder_alloc: 22025: binder_alloc_buf, no vma
binder: 22025:22032 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket pig=22045 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket pig=22046 comm=syz-executor6
 ffff8801cfe67d90 ffff8801c9b6fb70 ffff8801cfe67c80 ffff8801c9b6fb98
 ffffffff8165e307 0000000000000282 ffff8801c9b6faf0 00000001ca9c4067
Call Trace:
 [<ffffffff81d906e9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d906e9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165e307>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cd5f1>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cd5f1>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cd5f1>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cd5f1>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd452>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddbf7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838aab58>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff838a9985>] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 22017 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf8d76c0 ffffffff81d906e9 ffff8801cf8d79a0 0000000000000000
 ffff8801cfe67d90 ffff8801cf8d7890 ffff8801cfe67c80 ffff8801cf8d78b8
 ffffffff8165e307 ffff8801d8b69800 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff81d906e9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d906e9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165e307>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cd5f1>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cd5f1>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cd5f1>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cd5f1>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd452>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddbf7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838aab58>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff82ec8f24>] sock_do_ioctl+0x94/0xb0 net/socket.c:899
 [<ffffffff82ec9940>] sock_ioctl+0x2e0/0x3d0 net/socket.c:978
 [<ffffffff815aa59a>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815aa59a>] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [<ffffffff815ab5bf>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815ab5bf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff838a9985>] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 250, process died.
CPU: 1 PID: 22010 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a9ab78a0 ffffffff81d906e9 ffff8801a9ab7b80 0000000000000000
 ffff8801cfe67d90 ffff8801a9ab7a70 ffff8801cfe67c80 ffff8801a9ab7a98
 ffffffff8165e307 ffff8801cbdee000 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff81d906e9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d906e9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165e307>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cd5f1>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cd5f1>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cd5f1>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cd5f1>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd452>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddbf7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838aab58>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff838a9985>] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 22198:22200 BC_INCREFS_DONE u4004630600000000 no match
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22191:22192 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22198:22200 ioctl 40046207 0 returned -16
binder: 22198:22228 BC_INCREFS_DONE u4004630600000000 no match
IPv6: NLM_F_REPLACE set, but no existing node found!
device gre0 entered promiscuous mode
IPv6: NLM_F_REPLACE set, but no existing node found!
device gre0 entered promiscuous mode
IPVS: length: 24 != 8
qtaguid: iface_stat: create6(lo): no inet dev
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=13 sclass=netlink_route_socket pig=22397 comm=syz-executor6
IPVS: length: 24 != 8
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=13 sclass=netlink_route_socket pig=22397 comm=syz-executor6
binder_alloc: binder_alloc_mmap_handler: 22403 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22403:22405 ioctl 40046207 0 returned -16
binder: 22504:22505 ERROR: BC_REGISTER_LOOPER called without request
binder: 22504:22505 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 22504:22505 got transaction with invalid offset (0, min 48 max 48) or object.
binder: 22504:22505 transaction failed 29201/-22, size 48-16 line 3193
binder: send failed reply for transaction 256 to 22504:22515
device lo entered promiscuous mode
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 22504:22515 ERROR: BC_REGISTER_LOOPER called without request
binder: 22504:22505 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 22504:22505 got reply transaction with no transaction stack
binder: 22504:22505 transaction failed 29201/-71, size 48-16 line 2923
binder: release 22504:22505 transaction 261 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 261, target dead
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=4 sclass=netlink_tcpdiag_socket pig=22682 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=4 sclass=netlink_tcpdiag_socket pig=22682 comm=syz-executor3
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: using input dev AT Translated Set 2 keyboard for fevent
device lo entered promiscuous mode
tmpfs: No value for mount option '‹'
tmpfs: No value for mount option '‹'
binder: 22793:22798 DecRefs 0 refcount change on invalid ref 8 ret -22
nla_parse: 19 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 22793 invalid dec weak, ref 264 desc 0 s 1 w 0
binder: 22793:22818 unknown command 0
binder: 22793:22818 ioctl c0306201 20008000 returned -22
netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22793:22827 ioctl 40046207 0 returned -16
binder: 22793:22818 unknown command 44
binder: 22793:22818 ioctl c0306201 20003fd0 returned -22
binder: 22793:22827 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 22793:22827 unknown command 0
binder: 22793:22827 ioctl c0306201 20008000 returned -22
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 22793:22798 unknown command 536907732
binder: 22793:22798 ioctl c0306201 20003fd0 returned -22
binder: 22835:22836 ERROR: BC_REGISTER_LOOPER called without request
binder: 22835:22836 ioctl c0306201 20008fd0 returned -11
netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'.
binder_alloc: binder_alloc_mmap_handler: 22835 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22835:22836 ioctl 40046207 0 returned -16
binder: 22835:22836 ERROR: BC_REGISTER_LOOPER called without request
binder: 22835:22836 ioctl c0306201 20008fd0 returned -11
binder_alloc: 22835: binder_alloc_buf, no vma
binder: 22835:22858 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 22835:22836 transaction 266 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 266, target dead
netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
device gre0 entered promiscuous mode
binder: 22941:22942 ERROR: BC_REGISTER_LOOPER called without request
tc_dump_action: action bad kind
binder_alloc: 22941: binder_alloc_buf failed to map page at 20000000 in userspace
tc_dump_action: action bad kind
binder: 22941:22953 transaction failed 29201/-12, size 0-0 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22941:22961 ERROR: BC_REGISTER_LOOPER called without request
binder: 22941:22953 ioctl 40046207 0 returned -16
binder_alloc: 22941: binder_alloc_buf, no vma
binder: 22941:22961 transaction failed 29189/-3, size 0-0 line 3130
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23009:23010 ioctl 40046207 0 returned -16
binder: binder_mmap: 23009 204c6000-204c7000 bad vm_flags failed -1
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
binder: undelivered transaction 273, process died.
binder: undelivered transaction 272, process died.
binder: undelivered TRANSACTION_COMPLETE
binder: 23009:23010 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 23009:23010 ERROR: BC_REGISTER_LOOPER called without request
binder: 23009:23010 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 23009:23010 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 23009:23010 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: 23009:23010 unknown command 0
binder: 23009:23010 ioctl c0306201 20004fd0 returned -22
binder_alloc: binder_alloc_mmap_handler: 23009 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23009:23028 ioctl 40046207 0 returned -16
binder_alloc: 23009: binder_alloc_buf, no vma
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23009:23028 ioctl 40046207 0 returned -16
binder: binder_mmap: 23009 204c6000-204c7000 bad vm_flags failed -1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23009:23075 ioctl 40046207 0 returned -16
binder: 23009:23010 transaction failed 29189/-3, size 0-0 line 3130
binder_alloc: 23009: binder_alloc_buf, no vma
binder: 23009:23028 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
Empty option to dns_resolver key
Empty option to dns_resolver key