possible deadlock in static_key_slow

[upstream] possible deadlock in static_key_slow_dec
Status: upstream: reported on 2018/11/07 01:38
Reported-by: syzbot+b011e55d1b4c015100d2@syzkaller.appspotmail.com
First: 76d, last: 8d03h

Sample crash report:

======================================================
WARNING: possible circular locking dependency detected
4.19.0+ #318 Not tainted
------------------------------------------------------
syz-executor3/25522 is trying to acquire lock:
000000009aed6c7d (cpu_hotplug_lock.rw_sem){++++}, at: __static_key_slow_dec kernel/jump_label.c:239 [inline]
000000009aed6c7d (cpu_hotplug_lock.rw_sem){++++}, at: static_key_slow_dec+0x57/0xa0 kernel/jump_label.c:254

but task is already holding lock:
00000000d2ffe4a1 (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1b5/0x2c0 mm/util.c:348

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&mm->mmap_sem){++++}:
       __might_fault+0x15e/0x1e0 mm/memory.c:4360
       _copy_to_user+0x30/0x110 lib/usercopy.c:25
       copy_to_user include/linux/uaccess.h:155 [inline]
       perf_read_group kernel/events/core.c:4776 [inline]
       __perf_read kernel/events/core.c:4843 [inline]
       perf_read+0x7e3/0xa60 kernel/events/core.c:4858
       __vfs_read+0x117/0x9b0 fs/read_write.c:416
       vfs_read+0x17f/0x3c0 fs/read_write.c:452
       ksys_read+0x101/0x260 fs/read_write.c:578
       __do_sys_read fs/read_write.c:588 [inline]
       __se_sys_read fs/read_write.c:586 [inline]
       __x64_sys_read+0x73/0xb0 fs/read_write.c:586
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&cpuctx_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
       perf_event_init_cpu+0xd2/0x180 kernel/events/core.c:11679
       perf_event_init+0x519/0x595 kernel/events/core.c:11726
       start_kernel+0x646/0xa2b init/main.c:652
       x86_64_start_reservations+0x2e/0x30 arch/x86/kernel/head64.c:472
       x86_64_start_kernel+0x76/0x79 arch/x86/kernel/head64.c:451
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243

-> #1 (pmus_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
       perf_event_init_cpu+0x2f/0x180 kernel/events/core.c:11673
       cpuhp_invoke_callback+0x35d/0x2100 kernel/cpu.c:167
       cpuhp_up_callbacks kernel/cpu.c:584 [inline]
       _cpu_up+0x290/0x560 kernel/cpu.c:1139
       do_cpu_up+0x1ca/0x210 kernel/cpu.c:1173
       cpu_up+0x18/0x20 kernel/cpu.c:1181
       smp_init+0x1a3/0x1be kernel/smp.c:578
       kernel_init_freeable+0x431/0x6b9 init/main.c:1146
       kernel_init+0x11/0x1ae init/main.c:1071
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

-> #0 (cpu_hotplug_lock.rw_sem){++++}:
       lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       cpus_read_lock+0x3e/0xd0 kernel/cpu.c:287
       __static_key_slow_dec kernel/jump_label.c:239 [inline]
       static_key_slow_dec+0x57/0xa0 kernel/jump_label.c:254
       sw_perf_event_destroy+0x8b/0x140 kernel/events/core.c:8172
       _free_event+0x414/0x1660 kernel/events/core.c:4446
       put_event+0x48/0x60 kernel/events/core.c:4532
       perf_mmap_close+0x62f/0x1220 kernel/events/core.c:5515
       remove_vma+0xb1/0x180 mm/mmap.c:181
       remove_vma_list mm/mmap.c:2574 [inline]
       __do_munmap+0x751/0xf80 mm/mmap.c:2817
       do_munmap mm/mmap.c:2825 [inline]
       mmap_region+0x6a7/0x1cd0 mm/mmap.c:1729
       do_mmap+0xa22/0x1230 mm/mmap.c:1559
       do_mmap_pgoff include/linux/mm.h:2320 [inline]
       vm_mmap_pgoff+0x213/0x2c0 mm/util.c:350
       ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1609
       __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
       __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  cpu_hotplug_lock.rw_sem --> &cpuctx_mutex --> &mm->mmap_sem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&mm->mmap_sem);
                               lock(&cpuctx_mutex);
                               lock(&mm->mmap_sem);
  lock(cpu_hotplug_lock.rw_sem);

 *** DEADLOCK ***

1 lock held by syz-executor3/25522:
 #0: 00000000d2ffe4a1 (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1b5/0x2c0 mm/util.c:348

stack backtrace:
CPU: 1 PID: 25522 Comm: syz-executor3 Not tainted 4.19.0+ #318
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_circular_bug.isra.35.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2347 [inline]
 __lock_acquire+0x3399/0x4c20 kernel/locking/lockdep.c:3341
 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
 percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
 cpus_read_lock+0x3e/0xd0 kernel/cpu.c:287
 __static_key_slow_dec kernel/jump_label.c:239 [inline]
 static_key_slow_dec+0x57/0xa0 kernel/jump_label.c:254
 sw_perf_event_destroy+0x8b/0x140 kernel/events/core.c:8172
 _free_event+0x414/0x1660 kernel/events/core.c:4446
 put_event+0x48/0x60 kernel/events/core.c:4532
 perf_mmap_close+0x62f/0x1220 kernel/events/core.c:5515
 remove_vma+0xb1/0x180 mm/mmap.c:181
 remove_vma_list mm/mmap.c:2574 [inline]
 __do_munmap+0x751/0xf80 mm/mmap.c:2817
 do_munmap mm/mmap.c:2825 [inline]
 mmap_region+0x6a7/0x1cd0 mm/mmap.c:1729
 do_mmap+0xa22/0x1230 mm/mmap.c:1559
 do_mmap_pgoff include/linux/mm.h:2320 [inline]
 vm_mmap_pgoff+0x213/0x2c0 mm/util.c:350
 ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1609
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
 __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f217cd7fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457569
RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020ffd000
RBP: 000000000072bfa0 R08: 000000000000000a R09: 0000000000000000
R10: 0000000000000011 R11: 0000000000000246 R12: 00007f217cd806d4
R13: 00000000004c2a9d R14: 00000000004d40c0 R15: 00000000ffffffff
kobject: 'loop2' (00000000ca2cc98a): kobject_uevent_env
kobject: 'loop2' (00000000ca2cc98a): fill_kobj_path: path = '/devices/virtual/block/loop2'
kobject: 'loop4' (00000000812c9751): kobject_uevent_env
kobject: 'loop4' (00000000812c9751): fill_kobj_path: path = '/devices/virtual/block/loop4'
kobject: 'loop0' (00000000fba26143): kobject_uevent_env
kobject: 'loop0' (00000000fba26143): fill_kobj_path: path = '/devices/virtual/block/loop0'
kobject: 'loop3' (0000000099278ded): kobject_uevent_env
kobject: 'loop3' (0000000099278ded): fill_kobj_path: path = '/devices/virtual/block/loop3'
kobject: 'loop1' (0000000032ae37eb): kobject_uevent_env
kobject: 'loop1' (0000000032ae37eb): fill_kobj_path: path = '/devices/virtual/block/loop1'
kobject: 'loop5' (000000001bc15b41): kobject_uevent_env
kobject: 'loop5' (000000001bc15b41): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001bc15b41): kobject_uevent_env
kobject: 'loop5' (000000001bc15b41): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop0' (00000000fba26143): kobject_uevent_env
kobject: 'loop0' (00000000fba26143): fill_kobj_path: path = '/devices/virtual/block/loop0'
kobject: 'loop5' (000000001bc15b41): kobject_uevent_env
kobject: 'loop5' (000000001bc15b41): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001bc15b41): kobject_uevent_env
kobject: 'loop5' (000000001bc15b41): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001bc15b41): kobject_uevent_env
kobject: 'loop5' (000000001bc15b41): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001bc15b41): kobject_uevent_env
kobject: 'loop5' (000000001bc15b41): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop0' (00000000fba26143): kobject_uevent_env
kobject: 'loop0' (00000000fba26143): fill_kobj_path: path = '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000812c9751): kobject_uevent_env
kobject: 'loop4' (00000000812c9751): fill_kobj_path: path = '/devices/virtual/block/loop4'
kobject: 'loop2' (00000000ca2cc98a): kobject_uevent_env
kobject: 'loop2' (00000000ca2cc98a): fill_kobj_path: path = '/devices/virtual/block/loop2'
kobject: 'loop0' (00000000fba26143): kobject_uevent_env
kobject: 'loop0' (00000000fba26143): fill_kobj_path: path = '/devices/virtual/block/loop0'
kobject: 'loop1' (0000000032ae37eb): kobject_uevent_env
kobject: 'loop1' (0000000032ae37eb): fill_kobj_path: path = '/devices/virtual/block/loop1'
kobject: 'loop3' (0000000099278ded): kobject_uevent_env
kobject: 'loop3' (0000000099278ded): fill_kobj_path: path = '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000fba26143): kobject_uevent_env
kobject: 'loop0' (00000000fba26143): fill_kobj_path: path = '/devices/virtual/block/loop0'
kobject: 'loop5' (000000001bc15b41): kobject_uevent_env
kobject: 'loop5' (000000001bc15b41): fill_kobj_path: path = '/devices/virtual/block/loop5'

All crashes (7):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Maintainers
ci-upstream-kasan-gce-root	2018/11/04 05:07	upstream	83650fd5	8bd6bd63	.config	log	report	ard.biesheuvel@linaro.org, bp@suse.de, jbaron@akamai.com, jpoimboe@redhat.com, linux-kernel@vger.kernel.org, mingo@kernel.org, peterz@infradead.org, tglx@linutronix.de
ci-upstream-kasan-gce-smack-root	2019/01/11 18:43	upstream	de6629eb	c3f3344c	.config	log	report	ard.biesheuvel@linaro.org, bp@suse.de, jpoimboe@redhat.com, linux-kernel@vger.kernel.org, mingo@kernel.org, peterz@infradead.org, tglx@linutronix.de, yamada.masahiro@socionext.com
ci-upstream-kasan-gce-selinux-root	2019/01/06 11:46	upstream	b5aef86e	94f8adb5	.config	log	report	ard.biesheuvel@linaro.org, bp@suse.de, jpoimboe@redhat.com, linux-kernel@vger.kernel.org, mingo@kernel.org, peterz@infradead.org, tglx@linutronix.de
ci-upstream-kasan-gce-smack-root	2018/11/28 05:34	upstream	ef78e5ec	4b6d14f2	.config	log	report	ard.biesheuvel@linaro.org, bp@suse.de, jpoimboe@redhat.com, linux-kernel@vger.kernel.org, mingo@kernel.org, peterz@infradead.org, tglx@linutronix.de
ci-upstream-kasan-gce-root	2018/11/27 13:40	upstream	ef78e5ec	4b6d14f2	.config	log	report	ard.biesheuvel@linaro.org, bp@suse.de, jpoimboe@redhat.com, linux-kernel@vger.kernel.org, mingo@kernel.org, peterz@infradead.org, tglx@linutronix.de
ci-upstream-kasan-gce-selinux-root	2018/11/25 17:56	upstream	e195ca6c	3d3ec907	.config	log	report	ard.biesheuvel@linaro.org, bp@suse.de, jpoimboe@redhat.com, linux-kernel@vger.kernel.org, mingo@kernel.org, peterz@infradead.org, tglx@linutronix.de
ci-upstream-linux-next-kasan-gce-root	2018/11/04 23:08	linux-next	25e9471b	8bd6bd63	.config	log	report	ard.biesheuvel@linaro.org, bp@suse.de, jbaron@akamai.com, jpoimboe@redhat.com, linux-kernel@vger.kernel.org, mingo@kernel.org, peterz@infradead.org, tglx@linutronix.de