keychord: invalid keycode count 0

=====================================
[ BUG: bad unlock balance detected! ]
4.4.114-ga81d322 #4 Not tainted
-------------------------------------
syz-executor2/8661 is trying to release lock (mrt_lock) at:
[<ffffffff833c7524>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor2/8661:
 #0:  (&f->f_pos_lock){+.+.+.}, at: [<ffffffff8157a84f>] __fdget_pos+0x9f/0xc0 fs/file.c:780
 #1:  (&p->lock){+.+.+.}, at: [<ffffffff8158d2fd>] seq_read+0xdd/0x1270 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 8661 Comm: syz-executor2 Not tainted 4.4.114-ga81d322 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 50b778adc0099231 ffff8801c3de7920 ffffffff81d0394d
 ffffffff84771c98 ffff8800a9876000 ffffffff833c7524 ffffffff84771c98
 ffff8800a98768a8 ffff8801c3de7950 ffffffff81233354 dffffc0000000000
Call Trace:
 [<ffffffff81d0394d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0394d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81233354>] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3266
 [<ffffffff8123e1ea>] __lock_release kernel/locking/lockdep.c:3408 [inline]
 [<ffffffff8123e1ea>] lock_release+0x72a/0xc10 kernel/locking/lockdep.c:3611
 [<ffffffff837737fa>] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [<ffffffff837737fa>] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [<ffffffff833c7524>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [<ffffffff8158dca0>] seq_read+0xa80/0x1270 fs/seq_file.c:283
 [<ffffffff8166594f>] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [<ffffffff8151d6e1>] do_loop_readv_writev+0x141/0x1e0 fs/read_write.c:680
 [<ffffffff8151fa3d>] do_readv_writev+0x5dd/0x6e0 fs/read_write.c:810
 [<ffffffff8151fbb8>] vfs_readv+0x78/0xb0 fs/read_write.c:834
 [<ffffffff81521ee9>] SYSC_readv fs/read_write.c:860 [inline]
 [<ffffffff81521ee9>] SyS_readv+0xd9/0x240 fs/read_write.c:852
 [<ffffffff83773edf>] entry_SYSCALL_64_fastpath+0x1c/0x98
keychord: keycode 16224 out of range
keychord: keycode 16224 out of range
netlink: 156 bytes leftover after parsing attributes in process `syz-executor5'.
keychord: invalid keycode count 0
tc_dump_action: action bad kind
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
netlink: 156 bytes leftover after parsing attributes in process `syz-executor5'.
tc_dump_action: action bad kind
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
binder: release 8726:8730 transaction 60 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 8726:8730 BC_FREE_BUFFER u0000000000000000 no match
binder: send failed reply for transaction 60, target dead
binder_alloc: 8726: binder_alloc_buf, no vma
binder: 8726:8736 transaction failed 29189/-3, size 0-0 line 3128
keychord: invalid keycode count 0
binder: 8726:8739 BC_FREE_BUFFER u0000000000000000 no match
netlink: 156 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: NLM_F_CREATE should be specified when creating new route
IPv6: Can't replace route, no match found
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 156 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 156 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 156 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 156 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 156 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 156 bytes leftover after parsing attributes in process `syz-executor5'.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 8974 at mm/page_alloc.c:3069 __alloc_pages_slowpath mm/page_alloc.c:3069 [inline]()
WARNING: CPU: 1 PID: 8974 at mm/page_alloc.c:3069 __alloc_pages_nodemask+0x62a/0x15f0 mm/page_alloc.c:3315()