TITLE: WARNING: bad unlock balance in ipmr_mfc_seq_stop

[  123.238569] =====================================
[  123.243391] WARNING: bad unlock balance detected!
[  123.248225] 4.15.0-rc6+ #160 Not tainted
[  123.252273] -------------------------------------
[  123.253273] binder: BINDER_SET_CONTEXT_MGR already set
[  123.253280] binder: 19039:19065 ioctl 40046207 0 returned -16
[  123.254503] binder: 19049 RLIMIT_NICE not set
[  123.254548] binder_alloc: 19039: binder_alloc_buf, no vma
[  123.254567] binder: 19039:19065 transaction failed 29189/-3, size 0-0 line 2903
[  123.277377] binder: undelivered TRANSACTION_ERROR: 29189
[  123.277534] binder: release 19039:19049 transaction 74 in, still active
[  123.277539] binder: send failed reply for transaction 74 to 19039:19065
[  123.277551] binder: undelivered TRANSACTION_COMPLETE
[  123.277557] binder: undelivered TRANSACTION_ERROR: 29189
[  123.315003] syz-executor4/19072 is trying to release lock (mrt_lock) at:
[  123.321838] [<00000000c4ef30ff>] ipmr_mfc_seq_stop+0xe1/0x130
[  123.327688] but there are no more locks to release!
[  123.332667]
[  123.332667] other info that might help us debug this:
[  123.339299] 2 locks held by syz-executor4/19072:
[  123.344020]  #0:  (sb_writers#7){.+.+}, at: [<0000000015352bfd>] do_sendfile+0xada/0xe80
[  123.352230]  #1:  (&p->lock){+.+.}, at: [<0000000070ba5816>] seq_read+0xd5/0x13d0
[  123.359836]
[  123.359836] stack backtrace:
[  123.364303] CPU: 1 PID: 19072 Comm: syz-executor4 Not tainted 4.15.0-rc6+ #160
[  123.371627] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  123.380959] Call Trace:
[  123.383521]  dump_stack+0x194/0x257
[  123.387118]  ? arch_local_irq_restore+0x53/0x53
[  123.391765]  ? ipmr_mfc_seq_stop+0xe1/0x130
[  123.396068]  print_unlock_imbalance_bug+0x12f/0x140
[  123.401052]  lock_release+0x6fe/0xa40
[  123.404821]  ? ipmr_mfc_seq_stop+0xe1/0x130
[  123.409112]  ? lock_downgrade+0x980/0x980
[  123.413232]  ? ipmr_mfc_seq_start+0x22f/0x3d0
[  123.417697]  ? memcpy+0x45/0x50
[  123.420945]  ? seq_puts+0xb5/0x130
[  123.424455]  _raw_read_unlock+0x1a/0x30
[  123.428399]  ipmr_mfc_seq_stop+0xe1/0x130
[  123.432516]  seq_read+0xc42/0x13d0
[  123.436031]  ? seq_lseek+0x3c0/0x3c0
[  123.439716]  ? fsnotify_first_mark+0x2b0/0x2b0
[  123.444269]  ? avc_policy_seqno+0x9/0x20
[  123.448302]  ? selinux_file_permission+0x82/0x460
[  123.453113]  ? seq_lseek+0x3c0/0x3c0
[  123.456810]  proc_reg_read+0xef/0x170
[  123.460580]  do_iter_read+0x3d2/0x5a0
[  123.464351]  ? dup_iter+0x260/0x260
[  123.467951]  vfs_readv+0x121/0x1c0
[  123.471463]  ? compat_rw_copy_check_uvector+0x2e0/0x2e0
[  123.476795]  ? is_bpf_text_address+0x7b/0x120
[  123.481261]  ? lock_downgrade+0x980/0x980
[  123.485379]  ? __free_insn_slot+0x5c0/0x5c0
[  123.489672]  ? rcutorture_record_progress+0x10/0x10
[  123.494660]  ? is_bpf_text_address+0xa4/0x120
[  123.499125]  ? kernel_text_address+0x102/0x140
[  123.503677]  default_file_splice_read+0x508/0xae0
[  123.508507]  ? default_file_splice_read+0x508/0xae0
[  123.513494]  ? __save_stack_trace+0x7e/0xd0
[  123.517787]  ? do_splice_direct+0x3c0/0x3c0
[  123.522079]  ? print_irqtrace_events+0x270/0x270
[  123.526802]  ? save_stack+0xa3/0xd0
[  123.530398]  ? save_stack+0x43/0xd0
[  123.533995]  ? kasan_kmalloc+0xad/0xe0
[  123.537852]  ? __kmalloc+0x162/0x760
[  123.541539]  ? splice_direct_to_actor+0x64a/0x820
[  123.546349]  ? do_splice_direct+0x29b/0x3c0
[  123.550640]  ? do_sendfile+0x5c9/0xe80
[  123.554498]  ? compat_SyS_sendfile+0xea/0x1a0
[  123.558962]  ? do_fast_syscall_32+0x3ee/0xf9d
[  123.563437]  ? print_irqtrace_events+0x270/0x270
[  123.568161]  ? __lock_is_held+0xb6/0x140
[  123.572194]  ? __lockdep_init_map+0xe4/0x650
[  123.576570]  ? fsnotify+0x7b3/0x1140
[  123.580255]  ? fsnotify_first_mark+0x2b0/0x2b0
[  123.584808]  ? avc_policy_seqno+0x9/0x20
[  123.588837]  ? selinux_file_permission+0x82/0x460
[  123.593648]  ? security_file_permission+0x89/0x1e0
[  123.598548]  ? do_splice_direct+0x3c0/0x3c0
[  123.602838]  do_splice_to+0x10a/0x160
[  123.606605]  ? do_splice_to+0x10a/0x160
[  123.610550]  splice_direct_to_actor+0x242/0x820
[  123.615199]  ? _cond_resched+0x14/0x30
[  123.619067]  ? generic_pipe_buf_nosteal+0x10/0x10
[  123.623881]  ? do_splice_to+0x160/0x160
[  123.627826]  ? security_file_permission+0x89/0x1e0
[  123.632743]  ? rw_verify_area+0xe5/0x2b0
[  123.636796]  do_splice_direct+0x29b/0x3c0
[  123.640914]  ? splice_direct_to_actor+0x820/0x820
[  123.645727]  ? rcu_sync_lockdep_assert+0x6d/0xb0
[  123.650451]  ? __sb_start_write+0x209/0x2a0
[  123.654744]  do_sendfile+0x5c9/0xe80
[  123.658431]  ? do_compat_pwritev64+0x100/0x100
[  123.662992]  ? __fdget_raw+0x20/0x20
[  123.666680]  ? __might_sleep+0x95/0x190
[  123.670632]  compat_SyS_sendfile+0xea/0x1a0
[  123.674924]  ? SyS_sendfile64+0x160/0x160
[  123.679044]  ? do_fast_syscall_32+0x156/0xf9d
[  123.683509]  ? SyS_sendfile64+0x160/0x160
[  123.687625]  do_fast_syscall_32+0x3ee/0xf9d
[  123.691917]  ? do_int80_syscall_32+0x9d0/0x9d0
[  123.696488]  ? syscall_return_slowpath+0x2ad/0x550
[  123.701386]  ? prepare_exit_to_usermode+0x340/0x340
[  123.706373]  ? sysret32_from_system_call+0x5/0x3b
[  123.711188]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  123.716008]  entry_SYSENTER_compat+0x54/0x63
[  123.720385] RIP: 0023:0xf7facc79
[  123.723728] RSP: 002b:00000000f77a808c EFLAGS: 00000296 ORIG_RAX: 00000000000000bb
[  123.731405] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 0000000000000013
[  123.738646] RDX: 0000000020292000 RSI: 0000000000000008 RDI: 0000000000000000
[  123.745884] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  123.753123] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  123.760361] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000