binder: 8658:8660 transaction failed 29201/-1, size 24-8 line 3233
=====================================
[ BUG: bad unlock balance detected! ]
4.4.114-ga81d322 #4 Not tainted
-------------------------------------
syz-executor6/8679 is trying to release lock (mrt_lock) at:
[] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor6/8679:
 #0:  (&f->f_pos_lock){+.+.+.}, at: [] __fdget_pos+0x9f/0xc0 fs/file.c:780
 #1:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1270 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 8679 Comm: syz-executor6 Not tainted 4.4.114-ga81d322 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 7813bfa4a53ebe2c ffff8801cf6b7920 ffffffff81d0394d
 ffffffff84771c98 ffff8801d05d0000 ffffffff833c7524 ffffffff84771c98
 ffff8801d05d08a8 ffff8801cf6b7950 ffffffff81233354 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3266
 [] __lock_release kernel/locking/lockdep.c:3408 [inline]
 [] lock_release+0x72a/0xc10 kernel/locking/lockdep.c:3611
binder: send failed reply for transaction 45 to 8658:8674
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa80/0x1270 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev+0x141/0x1e0 fs/read_write.c:680
 [] do_readv_writev+0x5dd/0x6e0 fs/read_write.c:810
 [] vfs_readv+0x78/0xb0 fs/read_write.c:834
 [] SYSC_readv fs/read_write.c:860 [inline]
 [] SyS_readv+0xd9/0x240 fs/read_write.c:852
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
binder: undelivered TRANSACTION_ERROR: 29190
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8658:8674 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 8658: binder_alloc_buf, no vma
binder: 8658:8660 transaction failed 29189/-3, size 0-0 line 3128
binder: 8658:8729 got reply transaction with no transaction stack
binder: 8658:8729 transaction failed 29201/-71, size 24-8 line 2921
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: binder_alloc_mmap_handler: 8758 20000000-20002000 already mapped failed -16
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
binder: 10363:10366 ERROR: BC_REGISTER_LOOPER called without request
binder: 10363:10377 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1517602472.639:30): avc: denied { set_context_mgr } for pid=10824 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 10824:10826 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 10824:10831 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 10824:10831 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 10824:10826 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 10862:10864 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 10875:10882 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 10890:10893 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 10924:10927 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 10976:10981 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11023:11031 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11064:11066 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11087:11090 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
device syz1 entered promiscuous mode
binder: 11639:11644 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11674:11683 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11719:11722 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11719:11722 unknown command 0
binder: 11719:11722 ioctl c0306201 2000dfd0 returned -22
binder: 11743:11755 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11790:11793 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11803:11805 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11800:11809 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11828:11830 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc
binder: 11848:11856 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffc