===================================== [ BUG: bad unlock balance detected! ] 4.4.113-g202e079 #1 Not tainted ------------------------------------- syz-executor7/6968 is trying to release lock (mrt_lock) at: [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553 but there are no more locks to release! other info that might help us debug this: 1 lock held by syz-executor7/6968: #0: (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1270 fs/seq_file.c:178 stack backtrace: CPU: 0 PID: 6968 Comm: syz-executor7 Not tainted 4.4.113-g202e079 #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 8403757798a34627 ffff8801d8c8f930 ffffffff81d0278d ffffffff84771c18 ffff8800bac84740 ffffffff833c5524 ffffffff84771c18 ffff8800bac84f88 ffff8801d8c8f960 ffffffff81232314 dffffc0000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3266 [] __lock_release kernel/locking/lockdep.c:3408 [inline] [] lock_release+0x72a/0xc10 kernel/locking/lockdep.c:3611 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline] [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553 [] seq_read+0xa80/0x1270 fs/seq_file.c:283 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202 [] do_loop_readv_writev+0x141/0x1e0 fs/read_write.c:680 [] do_readv_writev+0x5dd/0x6e0 fs/read_write.c:810 [] vfs_readv+0x78/0xb0 fs/read_write.c:834 [] SYSC_preadv fs/read_write.c:912 [inline] [] SyS_preadv+0x199/0x230 fs/read_write.c:898 [] entry_SYSCALL_64_fastpath+0x1c/0x98 SELinux: policydb magic number 0x525ca540 does not match expected magic number 0xf97cff8c SELinux: policydb magic number 0x525ca540 does not match expected magic number 0xf97cff8c audit: type=1401 audit(1517201886.469:23): op=setxattr invalid_context=000000020100000000000001040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000[ 47.439394] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. binder: 7148:7161 tried to acquire reference to desc 0, got 1 instead binder: 7148:7161 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 7148:7161 BC_DEAD_BINDER_DONE 0000000000000000 not found binder: 7148:7150 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 binder: undelivered death notification, 0000000000000000 binder: undelivered death notification, 0000000000000000 binder: 7204:7205 BC_DEAD_BINDER_DONE 0000000000000000 not found binder: undelivered death notification, 0000000000000000 binder: undelivered death notification, 0000000000000000 binder: BINDER_SET_CONTEXT_MGR already set binder: 7243:7250 ioctl 40046207 0 returned -16 binder: undelivered death notification, 0000000000000000 binder: 7243:7249 unknown command 0 binder: 7243:7249 ioctl c0306201 20007000 returned -22 netlink: 12 bytes leftover after parsing attributes in process `syz-executor6'. binder: BINDER_SET_CONTEXT_MGR already set binder: 7642:7658 ioctl 40046207 0 returned -16 binder_alloc: 7642: binder_alloc_buf, no vma binder: 7642:7667 transaction failed 29189/-3, size 0-0 line 3128 binder: undelivered TRANSACTION_ERROR: 29189 binder: release 7642:7658 transaction 57 out, still active binder: undelivered TRANSACTION_COMPLETE binder: send failed reply for transaction 57, target dead audit: type=1400 audit(1517201890.259:24): avc: denied { create } for pid=8036 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 audit: type=1400 audit(1517201890.289:25): avc: denied { write } for pid=8036 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 audit: type=1400 audit(1517201890.289:26): avc: denied { getopt } for pid=8036 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=28005 sclass=netlink_route_socket SELinux: unrecognized netlink message: protocol=0 nlmsg_type=28005 sclass=netlink_route_socket audit: type=1400 audit(1517201892.539:27): avc: denied { create } for pid=8780 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1 audit: type=1400 audit(1517201893.499:28): avc: denied { create } for pid=9065 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_scsitransport_socket permissive=1 audit: type=1400 audit(1517201894.879:29): avc: denied { create } for pid=9540 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1 audit: type=1400 audit(1517201894.919:30): avc: denied { write } for pid=9540 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1