=====================================
[ BUG: bad unlock balance detected! ]
4.4.113-g202e079 #1 Not tainted
-------------------------------------
syz-executor1/11433 is trying to release lock (mrt_lock) at:
[] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!
other info that might help us debug this:
1 lock held by syz-executor1/11433:
#0: (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1270 fs/seq_file.c:178
stack backtrace:
CPU: 0 PID: 11433 Comm: syz-executor1 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 d9c2d1be75990197 ffff8801d9b6f930 ffffffff81d0278d
ffffffff84771c18 ffff8801cd722f80 ffffffff833c5524 ffffffff84771c18
ffff8801cd7237c8 ffff8801d9b6f960 ffffffff81232314 dffffc0000000000
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3266
[] __lock_release kernel/locking/lockdep.c:3408 [inline]
[] lock_release+0x72a/0xc10 kernel/locking/lockdep.c:3611
[] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
[] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
[] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
[] seq_read+0xa80/0x1270 fs/seq_file.c:283
[] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
[] do_loop_readv_writev+0x141/0x1e0 fs/read_write.c:680
[] do_readv_writev+0x5dd/0x6e0 fs/read_write.c:810
[] vfs_readv+0x78/0xb0 fs/read_write.c:834
[] SYSC_preadv fs/read_write.c:912 [inline]
[] SyS_preadv+0x199/0x230 fs/read_write.c:898
[] entry_SYSCALL_64_fastpath+0x1c/0x98
audit: type=1400 audit(1517205856.314:54): avc: denied { ioctl } for pid=11469 comm="syz-executor5" path="socket:[20195]" dev="sockfs" ino=20195 ioctlcmd=5411 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 4096 bytes leftover after parsing attributes in process `syz-executor5'.
TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/11681
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 11681 Comm: syz-executor5 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 271aa82b2d89119e ffff8800b297f480 ffffffff81d0278d
0000000000000001 ffffffff839fe3a0 ffffffff83d0b8a0 ffff8801ccd14740
0000000000000003 ffff8800b297f4c0 ffffffff81d626d4 ffff8800b297f4d8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
[] ipcomp_init_state+0x188/0x980 net/xfrm/xfrm_ipcomp.c:363
[] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
[] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2058
[] xfrm_state_construct net/xfrm/xfrm_user.c:590 [inline]
[] xfrm_add_sa+0x1916/0x2e40 net/xfrm/xfrm_user.c:636
[] xfrm_user_rcv_msg+0x41c/0x6b0 net/xfrm/xfrm_user.c:2525
[] netlink_rcv_skb+0x13e/0x370 net/netlink/af_netlink.c:2349
[] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2533
[] netlink_unicast_kernel net/netlink/af_netlink.c:1267 [inline]
[] netlink_unicast+0x522/0x760 net/netlink/af_netlink.c:1293
[] netlink_sendmsg+0x8e8/0xc50 net/netlink/af_netlink.c:1847
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] ___sys_sendmsg+0x6c1/0x7c0 net/socket.c:1962
[] __sys_sendmsg+0xd3/0x190 net/socket.c:1996
[] SYSC_sendmsg net/socket.c:2007 [inline]
[] SyS_sendmsg+0x2d/0x50 net/socket.c:2003
[] entry_SYSCALL_64_fastpath+0x1c/0x98
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/11681
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 11681 Comm: syz-executor5 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 271aa82b2d89119e ffff8800b297f480 ffffffff81d0278d
0000000000000001 ffffffff839fe3a0 ffffffff83d0b8a0 ffff8801ccd14740
0000000000000003 ffff8800b297f4c0 ffffffff81d626d4 ffff8800b297f4d8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
[] ipcomp_init_state+0x188/0x980 net/xfrm/xfrm_ipcomp.c:363
[] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
[] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2058
[] xfrm_state_construct net/xfrm/xfrm_user.c:590 [inline]
[] xfrm_add_sa+0x1916/0x2e40 net/xfrm/xfrm_user.c:636
[] xfrm_user_rcv_msg+0x41c/0x6b0 net/xfrm/xfrm_user.c:2525
[] netlink_rcv_skb+0x13e/0x370 net/netlink/af_netlink.c:2349
[] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2533
[] netlink_unicast_kernel net/netlink/af_netlink.c:1267 [inline]
[] netlink_unicast+0x522/0x760 net/netlink/af_netlink.c:1293
[] netlink_sendmsg+0x8e8/0xc50 net/netlink/af_netlink.c:1847
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] ___sys_sendmsg+0x6c1/0x7c0 net/socket.c:1962
[] __sys_sendmsg+0xd3/0x190 net/socket.c:1996
[] SYSC_sendmsg net/socket.c:2007 [inline]
[] SyS_sendmsg+0x2d/0x50 net/socket.c:2003
[] entry_SYSCALL_64_fastpath+0x1c/0x98
audit: type=1400 audit(1517205857.904:55): avc: denied { create } for pid=11735 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
audit: type=1400 audit(1517205858.134:56): avc: denied { setopt } for pid=11788 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20030. Sending cookies. Check SNMP counters.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 11813 Comm: syz-executor0 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 aa64c946b0edd8bb ffff8801d7dff990 ffffffff81d0278d
ffff8800b56c2600 1ffff1003afbff3f ffff8801d7dffb18 0000000000000000
0000000000000000 ffff8801d7dffb40 ffffffff81605d55 ffffffff812363c0
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
[] do_anonymous_page mm/memory.c:2731 [inline]
[] handle_pte_fault mm/memory.c:3295 [inline]
[] __handle_mm_fault mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
[] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
[] entry_SYSCALL_64_fastpath+0x1c/0x98
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11911:11915 ioctl 40046207 0 returned -16
binder: 12002:12003 Release 1 refcount change on invalid ref 4 ret -22
binder: 12002:12003 BC_CLEAR_DEATH_NOTIFICATION death notification not active
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor1/12008
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 12008 Comm: syz-executor1 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 ece2c31012084b81 ffff8800b9547480 ffffffff81d0278d
0000000000000001 ffffffff839fe3a0 ffffffff83d0b8a0 ffff8800baedc740
0000000000000003 ffff8800b95474c0 ffffffff81d626d4 ffff8800b95474d8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
[] ipcomp_init_state+0x188/0x980 net/xfrm/xfrm_ipcomp.c:363
[] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
[] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2058
[] xfrm_state_construct net/xfrm/xfrm_user.c:590 [inline]
[] xfrm_add_sa+0x1916/0x2e40 net/xfrm/xfrm_user.c:636
[] xfrm_user_rcv_msg+0x41c/0x6b0 net/xfrm/xfrm_user.c:2525
[] netlink_rcv_skb+0x13e/0x370 net/netlink/af_netlink.c:2349
[] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2533
[] netlink_unicast_kernel net/netlink/af_netlink.c:1267 [inline]
[] netlink_unicast+0x522/0x760 net/netlink/af_netlink.c:1293
[] netlink_sendmsg+0x8e8/0xc50 net/netlink/af_netlink.c:1847
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] ___sys_sendmsg+0x6c1/0x7c0 net/socket.c:1962
[] __sys_sendmsg+0xd3/0x190 net/socket.c:1996
[] SYSC_sendmsg net/socket.c:2007 [inline]
[] SyS_sendmsg+0x2d/0x50 net/socket.c:2003
[] entry_SYSCALL_64_fastpath+0x1c/0x98
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12002:12012 ioctl 40046207 0 returned -16
binder: 12002:12012 Release 1 refcount change on invalid ref 4 ret -22
binder: 12002:12003 BC_CLEAR_DEATH_NOTIFICATION death notification not active
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable