netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
=====================================
[ BUG: bad unlock balance detected! ]
4.9.79-g71f1469 #25 Not tainted
-------------------------------------
syz-executor6/13874 is trying to release lock (mrt_lock) at:
[] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor6/13874:
 #0: (sb_writers#7){.+.+.+}, at: [] file_start_write include/linux/fs.h:2621 [inline]
 #0: (sb_writers#7){.+.+.+}, at: [] do_sendfile+0x9ff/0xd30 fs/read_write.c:1400
 #1: (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 13874 Comm: syz-executor6 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ceec72a8 ffffffff81d94829 ffffffff849b6cb8 ffff8801d61be000
 ffffffff834e8ee4 ffffffff849b6cb8 ffff8801d61be888 ffff8801ceec72d8
 ffffffff81237df4 dffffc0000000000 ffffffff849b6cb8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] kernel_readv fs/splice.c:363 [inline]
 [] default_file_splice_read+0x43f/0x7a0 fs/splice.c:435
 [] do_splice_to+0x10a/0x160 fs/splice.c:899
 [] splice_direct_to_actor+0x24d/0x800 fs/splice.c:971
 [] do_splice_direct+0x1a7/0x270 fs/splice.c:1080
 [] do_sendfile+0x54b/0xd30 fs/read_write.c:1401
 [] SYSC_sendfile64 fs/read_write.c:1456 [inline]
 [] SyS_sendfile64+0xd1/0x160 fs/read_write.c:1448
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 14097:14106 BC_CLEAR_DEATH_NOTIFICATION invalid ref 1
binder: 14097:14106 Acquire 1 refcount change on invalid ref 3 ret -22
binder: 14097:14106 Release 1 refcount change on invalid ref 1 ret -22
binder: 14097:14106 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
binder: 14097:14123 ERROR: BC_REGISTER_LOOPER called without request
binder: 14097:14106 BC_FREE_BUFFER uffffffffffffffff no match
binder: 14097:14135 got reply transaction with bad transaction stack, transaction 93 has target 14097:0
binder: 14097:14135 transaction failed 29201/-71, size 32-8 line 2935
binder: 14097:14106 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14097:14145 ioctl 40046207 0 returned -16
binder: release 14097:14123 transaction 93 in, still active
binder: send failed reply for transaction 93 to 14097:14135
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: 14097:14106 BC_CLEAR_DEATH_NOTIFICATION invalid ref 1
binder: 14097:14123 ERROR: BC_REGISTER_LOOPER called without request
binder: 14097:14123 transaction failed 29189/-22, size 0-0 line 3004
binder: 14097:14135 got reply transaction with no transaction stack
binder: 14097:14135 transaction failed 29201/-71, size 32-8 line 2920
binder: 14097:14106 Acquire 1 refcount change on invalid ref 3 ret -22
binder: 14097:14106 Release 1 refcount change on invalid ref 1 ret -22
binder: 14097:14106 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
binder: 14097:14106 BC_FREE_BUFFER uffffffffffffffff no match
binder: 14097:14106 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 11 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor0'.
device lo left promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
sock: sock_set_timeout: `syz-executor6' (pid 14310) tries to set negative timeout
sock: sock_set_timeout: `syz-executor6' (pid 14311) tries to set negative timeout
device lo entered promiscuous mode
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
PF_BRIDGE: RTM_NEWNEIGH with invalid address
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
PF_BRIDGE: RTM_NEWNEIGH with invalid address
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 14726:14729 ioctl 40046205 fff00000000 returned -22
binder: 14726:14746 ioctl 40046205 fff00000000 returned -22
device gre0 entered promiscuous mode
device eql entered promiscuous mode
binder: 14872:14882 got transaction with invalid offset (0, min 0 max 0) or object.
binder: 14872:14882 transaction failed 29201/-22, size 0-8 line 3190
binder: 14872:14894 got transaction with unaligned buffers size, 58534
binder: 14872:14894 transaction failed 29201/-22, size 0-0 line 3172
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14872:14894 ioctl 40046207 0 returned -16
binder_alloc: 14872: binder_alloc_buf, no vma
binder: 14872:14894 transaction failed 29189/-3, size 0-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: 14919:14920 ERROR: BC_REGISTER_LOOPER called without request
binder: 14919:14920 ioctl c0306201 204edfd0 returned -11
binder: 14919:14920 ioctl c0306201 204ec000 returned -11
binder: 14919:14920 got reply transaction with bad transaction stack, transaction 102 has target 14919:0
binder: 14919:14920 transaction failed 29201/-71, size 32-0 line 2935
binder: 14919:14920 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 14919:14920 BC_INCREFS_DONE node 101 has no pending increfs request
binder: 14919:14920 ioctl c0306201 2000efd0 returned -11
binder: release 14919:14920 transaction 102 out, still active
binder: send failed reply for transaction 102, target dead
binder: 14919:14937 got reply transaction with no transaction stack
binder: 14919:14920 transaction failed 29189/-22, size 0-0 line 3004
binder: 14919:14937 transaction failed 29201/-71, size 32-0 line 2920
binder: undelivered TRANSACTION_ERROR: 29189
mip6: mip6_rthdr_init_state: state's mode is not 2: 0
IPVS: set_ctl: invalid protocol: 65286 0.0.0.0:60696
IPVS: set_ctl: invalid protocol: 65286 0.0.0.0:60696
audit: type=1400 audit(1517437349.042:88): avc: denied { setattr } for pid=15133 comm="syz-executor6" name="map_files" dev="proc" ino=29380 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
SELinux: unknown mount option
SELinux: unknown mount option
IPVS: Creating netns size=2536 id=16
IPVS: Creating netns size=2536 id=17
audit: type=1400 audit(1517437349.842:89): avc: denied { bind } for pid=15443 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 15515 Comm: syz-executor5 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b5a5f660 ffffffff81d94829 ffff8801b5a5f940 0000000000000000
 ffff8801bf942b90 ffff8801b5a5f830 ffff8801bf942a80 ffff8801b5a5f858
 ffffffff816621ca ffffffff838ac039 ffff8801b5a5f7b0 00000001c84f1067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
sock: sock_set_timeout: `syz-executor7' (pid 15558) tries to set negative timeout
sock: sock_set_timeout: `syz-executor7' (pid 15558) tries to set negative timeout
binder: 15578:15583 unknown command 0
binder: 15578:15583 ioctl c0306201 2000a000 returned -22
binder_alloc: binder_alloc_mmap_handler: 15578 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15578:15596 ioctl 40046207 0 returned -16
binder: 15578:15596 unknown command 0
binder: 15578:15596 ioctl c0306201 2000a000 returned -22
binder: release 15578:15583 transaction 108 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 108, target dead
binder: 15742:15747 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: binder_alloc_mmap_handler: 15742 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15742:15768 ioctl 40046207 0 returned -16
binder: 15742:15768 ERROR: BC_REGISTER_LOOPER called without request
device lo entered promiscuous mode
audit: type=1400 audit(1517437351.212:90): avc: denied { create } for pid=15866 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_iscsi_socket permissive=1
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 15900 Comm: syz-executor4 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801bb1375d0 ffffffff81d94829 ffff8801bb1378b0 0000000000000000
 ffff8801c85be590 ffff8801bb1377a0 ffff8801c85be480 ffff8801bb1377c8
 ffffffff816621ca 0000000000000000 ffff8801bb137720 00000001d9225067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
netlink: 9 bytes leftover after parsing attributes in process `+'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
CPU: 0 PID: 15917 Comm: syz-executor4 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d94ff930 ffffffff81d94829 ffff8801d94ffc10 0000000000000000
 ffff8801c85be590 ffff8801d94ffb00 ffff8801c85be480 ffff8801d94ffb28
 ffffffff816621ca ffff8801d94ffac8 ffff8801d94ffa80 00000001d9225067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: 15994:15997 Release 1 refcount change on invalid ref 0 ret -22
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 16054 Comm: syz-executor6 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb37f4e0 ffffffff81d94829 ffff8801cb37f7c0 0000000000000000
 ffff8801bf943190 ffff8801cb37f6b0 ffff8801bf943080 ffff8801cb37f6d8
 ffffffff816621ca ffff8801d90c6000 ffff8801cb37f630 00000001cc1e1067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
 [] generic_perform_write+0x1dc/0x500 mm/filemap.c:2731
 [] __generic_file_write_iter+0x348/0x570 mm/filemap.c:2866
 [] generic_file_write_iter+0x2d5/0x600 mm/filemap.c:2894
 [] new_sync_write fs/read_write.c:499 [inline]
 [] __vfs_write+0x4bf/0x680 fs/read_write.c:512
 [] vfs_write+0x189/0x530 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 16061 Comm: syz-executor6 Not tainted 4.9.79-g71f1469 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c25c74e0 ffffffff81d94829 ffff8801c25c77c0 0000000000000000
 ffff8801bf943490 ffff8801c25c76b0 ffff8801bf943380 ffff8801c25c76d8
 ffffffff816621ca 1ffff100384b8ea0 ffff8801c25c7630 00000001d6fbe067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323