=====================================
[ BUG: bad unlock balance detected! ]
4.9.67-gf26d3c7 #106 Not tainted
-------------------------------------
syz-executor4/22954 is trying to release lock ([  129.074365] binder: 22961:22962 ERROR: BC_REGISTER_LOOPER called without request
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor4/22954:
 #0:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 22954 Comm: syz-executor4 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c87278e8 ffffffff81d906e9 ffffffff849ae8f8 ffff8801cff24800
 ffffffff834dec54 ffffffff849ae8f8 ffff8801cff25088 ffff8801c8727918
 ffffffff812353f4 dffffc0000000000 ffffffff849ae8f8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder_alloc: 22961: binder_alloc_buf, no vma
binder: 22961:22967 transaction failed 29189/-3, size 0-0 line 3130
ALSA: seq fatal error: cannot create timer (-22)
binder: 22961:22967 ioctl 8904 20004ffc returned -22
binder: 22961:22967 ioctl c0306201 2000ffd0 returned -14
binder_alloc: 22961: binder_alloc_buf, no vma
binder: 22961:22962 ERROR: BC_REGISTER_LOOPER called without request
binder: 22961:22967 transaction failed 29189/-3, size 0-0 line 3130
device gre0 entered promiscuous mode
binder: 22961:22962 ioctl 8904 20004ffc returned -22
binder: undelivered TRANSACTION_ERROR: 29189
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 22988 Comm: syz-executor0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a8a5f8c0 ffffffff81d906e9 ffff8801a8a5fba0 0000000000000000
 ffff8801cc2fff10 ffff8801a8a5fa90 ffff8801cc2ffe00 ffff8801a8a5fab8
 ffffffff8165e307 0000000000000000 ffff8801a8a5fa10 00000001ca71c067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 23000 Comm: syz-executor0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a7e1f830 ffffffff81d906e9 ffff8801a7e1fb10 0000000000000000
 ffff8801cc2fff10 ffff8801a7e1fa00 ffff8801cc2ffe00 ffff8801a7e1fa28
 ffffffff8165e307 ffff8801db221400 ffff8801a7e1f980 00000001ca71c067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_mq_timedreceive ipc/mqueue.c:1092 [inline]
 [] SyS_mq_timedreceive+0xcd/0xdb0 ipc/mqueue.c:1077
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 22984 Comm: syz-executor0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf407890 ffffffff81d906e9 ffff8801cf407b70 0000000000000000
 ffff8801cc2fff10 ffff8801cf407a60 ffff8801cc2ffe00 ffff8801cf407a88
 ffffffff8165e307 ffff8801c92724c0 ffff8801cf4079e0 00000001ca71c067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] getname_flags+0x10e/0x580 fs/namei.c:148
 [] getname+0x19/0x20 fs/namei.c:208
 [] do_sys_open+0x21d/0x4c0 fs/open.c:1066
 [] SYSC_openat fs/open.c:1099 [inline]
 [] SyS_openat+0x30/0x40 fs/open.c:1093
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 0 PID: 23009 Comm: syz-executor0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cfdff8c0 ffffffff81d906e9 ffff8801cfdffba0 0000000000000000
 ffff8801cc2fff10 ffff8801cfdffa90 ffff8801cc2ffe00 ffff8801cfdffab8
 ffffffff8165e307 0000000000000000 ffff8801cfdffa10 00000001ca71c067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Option '9˜ŸT§' to dns_resolver key: bad/missing value
Option '9˜ŸT§' to dns_resolver key: bad/missing value
device gre0 entered promiscuous mode
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 23207 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d62e3000 task.stack: ffff8801d6c40000
RIP: 0010:[] [] sidtab_search_core+0x6a/0x320 security/selinux/ss/sidtab.c:94
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=32 sclass=netlink_tcpdiag_socket pig=23242 comm=syz-executor6
RSP: 0018:ffff8801d6c47490  EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: ffffc90003677000
RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffffffff8593e620
RBP: ffff8801d6c474c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: ffff8801d62e3000 R12: 0000000000000001
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=32 sclass=netlink_tcpdiag_socket pig=23263 comm=syz-executor6
R13: 0000000000000001 R14: 0000000000000000 R15: ffff8801d1333db0
binder: 23273:23276 unknown command 2003315333
binder: 23273:23276 ioctl c0306201 20008fd0 returned -22
binder: 23273:23277 unknown command 2003315333
binder: 23273:23277 ioctl c0306201 20008fd0 returned -22
FS:  00007f52d3eed700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000206c7000 CR3: 00000001a81de000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000001 ffffffff8593e620 0000000000000001 0000000000000001
 0000000000000001 ffff8801d1333db0 ffff8801d6c474e0 ffffffff81c0582f
 dffffc0000000000 ffff8801d1333db4 ffff8801d6c47608 ffffffff81c23952
Call Trace:
 [] sidtab_search+0x1f/0x30 security/selinux/ss/sidtab.c:117
 [] security_bounded_transition+0xb2/0x3a0 security/selinux/ss/services.c:860
 [] selinux_setprocattr+0x8b0/0xa80 security/selinux/hooks.c:5941
 [] security_setprocattr+0x8d/0xc0 security/security.c:1177
 [] proc_pid_attr_write+0x1bd/0x270 fs/proc/base.c:2510
 [] __vfs_write+0x103/0x680 fs/read_write.c:510
 [] __kernel_write+0xf0/0x340 fs/read_write.c:532
 [] write_pipe_buf+0x159/0x1f0 fs/splice.c:816
 [] splice_from_pipe_feed fs/splice.c:521 [inline]
 [] __splice_from_pipe+0x323/0x730 fs/splice.c:645
 [] splice_from_pipe+0xf9/0x160 fs/splice.c:680
 [] default_file_splice_write+0x40/0x90 fs/splice.c:828
 [] do_splice_from fs/splice.c:870 [inline]
 [] direct_splice_actor+0x125/0x180 fs/splice.c:1037
 [] splice_direct_to_actor+0x2cc/0x800 fs/splice.c:992
 [] do_splice_direct+0x1a7/0x270 fs/splice.c:1080
 [] do_sendfile+0x54b/0xd30 fs/read_write.c:1401
 [] SYSC_sendfile64 fs/read_write.c:1456 [inline]
 [] SyS_sendfile64+0xd1/0x160 fs/read_write.c:1448
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Code: ea 03 41 83 e4 7f 80 3c 02 00 0f 85 7d 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 33 4d 63 e4 4b 8d 1c e6 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 41 02 00 00 48 8b 1b 48 85 db 0f 84 8b 00 00
RIP  [] sidtab_search_core+0x6a/0x320 security/selinux/ss/sidtab.c:94
 RSP
---[ end trace 50c922e7b37d696e ]---