===================================== [ BUG: bad unlock balance detected! ] netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'. 4.9.67-gf26d3c7 #106 Not tainted ------------------------------------- syz-executor6/9948 is trying to release lock ([ 81.889667] netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'. mrt_lock) at: but there are no more locks to release! other info that might help us debug this: 2 locks held by syz-executor6/9948: #0: (&f->f_pos_lock){+.+.+.}, at: [] __fdget_pos+0x9f/0xc0 fs/file.c:781 #1: (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178 stack backtrace: CPU: 1 PID: 9948 Comm: syz-executor6 Not tainted 4.9.67-gf26d3c7 #106 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d20bf8e8 ffffffff81d906e9 ffffffff849ae8f8 ffff8801d1ba4800 ffffffff834dec54 ffffffff849ae8f8 ffff8801d1ba5088 ffff8801d20bf918 ffffffff812353f4 dffffc0000000000 ffffffff849ae8f8 00000000ffffffff Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398 [] __lock_release kernel/locking/lockdep.c:3540 [inline] [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline] [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553 [] seq_read+0xa83/0x1290 fs/seq_file.c:283 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 [] entry_SYSCALL_64_fastpath+0x23/0xc6 device lo entered promiscuous mode IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready binder: 10032:10033 transaction failed 29189/-22, size 0-0 line 3007 device gre0 entered promiscuous mode binder: undelivered TRANSACTION_ERROR: 29189 device lo left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 1 PID: 10214 Comm: syz-executor0 Not tainted 4.9.67-gf26d3c7 #106 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdf07930 ffffffff81d906e9 ffff8801cdf07c10 0000000000000000 ffff8801a939c110 ffff8801cdf07b00 ffff8801a939c000 ffff8801cdf07b28 ffffffff8165e307 ffff8801cdf07ac8 ffff8801cdf07a80 00000001ce6d8067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 rfkill: input handler disabled rfkill: input handler enabled SELinux: unrecognized netlink message: protocol=4 nlmsg_type=65535 sclass=netlink_tcpdiag_socket pig=10356 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=65535 sclass=netlink_tcpdiag_socket pig=10366 comm=syz-executor2 device gre0 entered promiscuous mode FAULT_FLAG_ALLOW_RETRY missing 30 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 1 PID: 10407 Comm: syz-executor4 Not tainted 4.9.67-gf26d3c7 #106 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a489f5d0 ffffffff81d906e9 ffff8801a489f8b0 0000000000000000 ffff8801a5da7910 ffff8801a489f7a0 ffff8801a5da7800 ffff8801a489f7c8 ffffffff8165e307 0000000000000000 ffff8801a489f720 00000001cfb4d067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 CPU: 1 PID: 10413 Comm: syz-executor4 Not tainted 4.9.67-gf26d3c7 #106 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a3a17850 ffffffff81d906e9 ffff8801a3a17b30 0000000000000000 ffff8801a5da7910 ffff8801a3a17a20 ffff8801a5da7800 ffff8801a3a17a48 ffffffff8165e307 0000000000000000 ffff8801a3a179a0 00000001cfb4d067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] do_fcntl fs/fcntl.c:284 [inline] [] SYSC_fcntl fs/fcntl.c:372 [inline] [] SyS_fcntl+0x81c/0xc70 fs/fcntl.c:357 [] entry_SYSCALL_64_fastpath+0x23/0xc6 binder: 10442:10451 ERROR: BC_REGISTER_LOOPER called without request SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10456 comm=syz-executor0 nla_parse: 6 callbacks suppressed netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10459 comm=syz-executor0 netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'. binder: 10442:10464 BC_DEAD_BINDER_DONE 0000000000000000 not found binder: 10442:10464 got reply transaction with no transaction stack binder: 10442:10464 transaction failed 29201/-71, size 48-16 line 2923 binder: 10442:10451 ERROR: BC_REGISTER_LOOPER called without request binder: 10442:10464 BC_DEAD_BINDER_DONE 0000000000000000 not found binder: 10442:10464 got reply transaction with no transaction stack binder: 10442:10464 transaction failed 29201/-71, size 48-16 line 2923 netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'. device gre0 entered promiscuous mode netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'. device gre0 entered promiscuous mode device gre0 left promiscuous mode device gre0 entered promiscuous mode binder: 10565:10571 got reply transaction with no transaction stack device gre0 left promiscuous mode binder: 10565:10571 transaction failed 29201/-71, size 32-8 line 2923 binder: 10565:10571 ioctl 404c534a 2000b000 returned -22 binder: 10565:10571 BC_DEAD_BINDER_DONE 0000000000000002 not found binder: 10565:10580 ioctl c0306201 20007000 returned -14 binder: 10565:10580 got new transaction with bad transaction stack, transaction 117 has target 10565:0 binder: 10565:10580 transaction failed 29201/-71, size 0-0 line 3034 binder: 10565:10603 got reply transaction with no transaction stack binder: 10565:10603 transaction failed 29201/-71, size 24-16 line 2923 binder: 10616:10617 BC_ACQUIRE_DONE node 120 has no pending acquire request binder_alloc: binder_alloc_mmap_handler: 10565 20000000-20002000 already mapped failed -16 binder_alloc: binder_alloc_mmap_handler: 10616 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10565:10580 ioctl 40046207 0 returned -16 binder: 10565:10580 ioctl 404c534a 2000b000 returned -22 binder: 10565:10603 unknown command 0 binder: 10565:10603 ioctl c0306201 20007000 returned -22 binder: BINDER_SET_CONTEXT_MGR already set binder: 10616:10617 ioctl 40046207 0 returned -16 binder: 10565:10603 got reply transaction with no transaction stack binder: 10565:10603 transaction failed 29201/-71, size 24-16 line 2923 binder: send failed reply for transaction 117 to 10565:10580 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 10686:10687 ioctl c0306201 20009fd0 returned -11 binder: 10686:10687 DecRefs 0 refcount change on invalid ref 0 ret -22 binder: 10686:10687 unknown command 0 binder: 10686:10687 ioctl c0306201 20004000 returned -22 binder: 10686:10687 ioctl c0306201 20007000 returned -14 binder: 10686:10695 DecRefs 0 refcount change on invalid ref 0 ret -22 binder: 10686:10695 unknown command 0 binder: 10686:10695 ioctl c0306201 20004000 returned -22 binder: BINDER_SET_CONTEXT_MGR already set binder: 10686:10695 ioctl 40046207 0 returned -16 binder: 10686:10695 unknown command 0 binder: 10686:10695 ioctl c0306201 20007000 returned -22 binder_alloc: 10616: binder_alloc_buf, no vma binder: 10616:10617 transaction failed 29189/-3, size 80-16 line 3130 binder: undelivered TRANSACTION_ERROR: 29189 binder: release 10616:10617 transaction 121 out, still active binder: unexpected work type, 4, not freed netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. binder: unexpected work type, 4, not freed binder: undelivered TRANSACTION_COMPLETE binder: send failed reply for transaction 121, target dead binder: 10753:10754 ERROR: BC_REGISTER_LOOPER called without request binder_alloc: 10753: binder_alloc_buf failed to map page at 20000000 in userspace binder: 10753:10768 transaction failed 29201/-12, size 0-0 line 3130 binder_alloc: binder_alloc_mmap_handler: 10753 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10753:10768 ioctl 40046207 0 returned -16 binder: 10753:10780 ERROR: BC_REGISTER_LOOPER called without request binder: 10753:10798 unknown command 0 binder: 10753:10798 ioctl c0306201 20007000 returned -22 binder: undelivered TRANSACTION_ERROR: 29201 sg_write: data in/out 327644/32 bytes for SCSI command 0x4-- guessing data in; program syz-executor0 not setting count and/or reply_len properly 9pnet_virtio: no channels available for device ./file0 9pnet_virtio: no channels available for device ./file0 device gre0 entered promiscuous mode device gre0 entered promiscuous mode binder: 10895:10898 ioctl 85 20416000 returned -22 netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13) binder: 10895:10916 ioctl 85 20416000 returned -22 netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. loop_reread_partitions: partition scan of loop0 () failed (rc=-13) device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 left promiscuous mode device gre0 entered promiscuous mode device gre0 left promiscuous mode binder: 11289:11292 got transaction with invalid offset (0, min 0 max 0) or object. binder: 11289:11292 transaction failed 29201/-22, size 0-8 line 3193 binder: 11289:11299 got transaction with invalid handle, 0 binder: 11289:11299 transaction failed 29201/-22, size 24-16 line 3222 binder_alloc: binder_alloc_mmap_handler: 11289 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 11289:11292 ioctl 40046207 0 returned -16 device lo entered promiscuous mode IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready device lo left promiscuous mode netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'. device lo entered promiscuous mode device lo left promiscuous mode binder_alloc: 11289: binder_alloc_buf, no vma binder: 11289:11292 transaction failed 29189/-3, size 0-8 line 3130 binder_alloc: 11289: binder_alloc_buf, no vma binder: 11289:11292 transaction failed 29189/-3, size 24-16 line 3130 binder: undelivered TRANSACTION_ERROR: 29189 binder: 11353:11354 ioctl 40046205 0 returned -22 binder: BINDER_SET_CONTEXT_MGR already set binder: 11353:11354 ioctl 40046207 0 returned -16 binder: 11353:11354 ERROR: BC_REGISTER_LOOPER called without request binder_alloc: 11289: binder_alloc_buf, no vma binder: 11353:11363 transaction failed 29189/-3, size 0-0 line 3130 binder: undelivered TRANSACTION_ERROR: 29201 binder: 11353:11363 got reply transaction with no transaction stack binder: 11353:11363 transaction failed 29201/-71, size 24-8 line 2923 binder: 11353:11363 ioctl c0306201 20005fd0 returned -14 binder: undelivered TRANSACTION_ERROR: 29201 binder: 11353:11363 got reply transaction with no transaction stack binder: 11353:11363 transaction failed 29201/-71, size 0-8 line 2923 binder: undelivered TRANSACTION_ERROR: 29201 binder: 11353:11354 ioctl 40046205 6 returned -22 binder: 11353:11363 ioctl 40046205 0 returned -22 binder: 11353:11363 ERROR: BC_REGISTER_LOOPER called without request binder: 11353:11363 ioctl c0306201 20008fd0 returned -11 binder: 11353:11363 unknown command 0 binder: 11353:11363 ioctl c0306201 20002fd0 returned -22 binder: 11353:11363 got reply transaction with no transaction stack binder: 11353:11363 transaction failed 29201/-71, size 24-8 line 2923 binder: 11353:11354 BC_FREE_BUFFER u0000000000000000 no match binder: 11353:11354 IncRefs 0 refcount change on invalid ref 1 ret -22 binder: 11353:11354 got transaction to invalid handle binder: 11353:11354 transaction failed 29201/-22, size 72-8 line 3007 binder: 11353:11354 ioctl c0306201 20005fd0 returned -14 binder: undelivered TRANSACTION_ERROR: 29201 binder: 11353:11363 got reply transaction with no transaction stack binder: 11353:11363 transaction failed 29201/-71, size 0-8 line 2923 binder: release 11353:11354 transaction 140 out, still active binder: undelivered TRANSACTION_COMPLETE binder: undelivered TRANSACTION_ERROR: 29201 binder: undelivered TRANSACTION_ERROR: 29201 binder: send failed reply for transaction 140, target dead IPVS: length: 24 != 8 IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready qtaguid: iface_stat: create6(lo): no inet dev Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable device gre0 entered promiscuous mode IPVS: length: 24 != 8 binder: 11502:11511 ioctl 8924 20002000 returned -22 PF_BRIDGE: RTM_SETLINK with unknown ifindex binder_alloc: binder_alloc_mmap_handler: 11502 20000000-20002000 already mapped failed -16 IPv6: Can't replace route, no match found PF_BRIDGE: RTM_SETLINK with unknown ifindex IPv6: Can't replace route, no match found device gre0 entered promiscuous mode sock: process `syz-executor2' is using obsolete getsockopt SO_BSDCOMPAT sg_write: data in/out 327644/32 bytes for SCSI command 0x4-- guessing data in; program syz-executor1 not setting count and/or reply_len properly selinux_nlmsg_perm: 2 callbacks suppressed SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=11712 comm=syz-executor5 SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=11712 comm=syz-executor5 SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=11730 comm=syz-executor5 9pnet_virtio: no channels available for device ./file0 9pnet_virtio: no channels available for device ./file0 IPVS: Creating netns size=2536 id=20 device gre0 entered promiscuous mode binder: 11903:11904 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 11903:11904 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 11903:11904 Release 1 refcount change on invalid ref 0 ret -22 binder: 11903:11904 got transaction to invalid handle binder: 11903:11904 transaction failed 29201/-22, size 24-16 line 3007 IPVS: Creating netns size=2536 id=21 binder: 11903:11904 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 11903:11919 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 11903:11919 Release 1 refcount change on invalid ref 0 ret -22 binder: 11903:11919 got transaction to invalid handle binder: 11903:11919 transaction failed 29201/-22, size 24-16 line 3007 device gre0 entered promiscuous mode keychord: keycode 25638 out of range keychord: keycode 25638 out of range nla_parse: 3 callbacks suppressed netlink: 8 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'. binder: BINDER_SET_CONTEXT_MGR already set binder_alloc: binder_alloc_mmap_handler: 12243 20000000-20002000 already mapped failed -16 binder: 12243:12256 ioctl 40046207 0 returned -16 netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'. binder_alloc: 12243: binder_alloc_buf, no vma binder: 12243:12256 transaction failed 29189/-3, size 80-16 line 3130 binder: release 12243:12246 transaction 150 out, still active binder: unexpected work type, 4, not freed binder: unexpected work type, 4, not freed binder: undelivered TRANSACTION_COMPLETE binder: undelivered TRANSACTION_ERROR: 29189 binder: send failed reply for transaction 150, target dead device lo left promiscuous mode netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'. device lo entered promiscuous mode qtaguid: iface_stat: create(lo): no inet dev qtaguid: iface_stat: create6(lo): no inet dev IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready qtaguid: iface_stat: create6(lo): no inet dev device lo left promiscuous mode netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'. binder_alloc: binder_alloc_mmap_handler: 12491 20000000-20002000 already mapped failed -16 device gre0 entered promiscuous mode binder: 12515:12519 ioctl c0306201 20009fd0 returned -11 binder: 12515:12519 DecRefs 0 refcount change on invalid ref 0 ret -22 binder: 12515:12519 unknown command 0 binder: 12515:12519 ioctl c0306201 2000a000 returned -22 binder: 12515:12519 ioctl c0306201 20007000 returned -14 binder: 12515:12530 DecRefs 0 refcount change on invalid ref 0 ret -22 binder: BINDER_SET_CONTEXT_MGR already set binder: 12515:12533 ioctl 40046207 0 returned -16 binder: 12515:12530 unknown command 0 binder: 12515:12530 ioctl c0306201 2000a000 returned -22 binder: 12515:12532 ioctl c0306201 20007000 returned -14 binder: 12541:12552 ioctl c0306201 20009fd0 returned -11 binder: 12541:12552 DecRefs 0 refcount change on invalid ref 0 ret -22 binder: 12541:12552 unknown command 0 binder: 12541:12552 ioctl c0306201 2000a000 returned -22 binder: 12541:12552 ioctl c0306201 20007000 returned -14 binder: 12541:12598 ioctl c0306201 20009fd0 returned -11 binder: 12541:12597 DecRefs 0 refcount change on invalid ref 0 ret -22 binder: 12541:12597 unknown command 0 binder: BINDER_SET_CONTEXT_MGR already set binder: 12541:12607 ioctl 40046207 0 returned -16 binder: 12541:12597 ioctl c0306201 2000a000 returned -22 binder: 12541:12598 ioctl c0306201 20007000 returned -14 binder: 12611:12629 ioctl 40046205 0 returned -22 binder: 12611:12629 ERROR: BC_REGISTER_LOOPER called without request device gre0 entered promiscuous mode binder: 12611:12672 ERROR: BC_REGISTER_LOOPER called without request binder: release 12611:12629 transaction 159 in, still active binder: send failed reply for transaction 159 to 12611:12653 binder: undelivered TRANSACTION_COMPLETE binder: undelivered TRANSACTION_ERROR: 29189