syzbot


possible deadlock in perf_event_read_value

Status: auto-closed as invalid on 2019/08/10 05:35
Reported-by: syzbot+5380deb188de5fa98ca3@syzkaller.appspotmail.com
First crash: 1948d, last: 1948d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 possible deadlock in perf_event_read_value syz error 445 592d 1882d 0/1 upstream: reported syz repro on 2019/04/18 16:03

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
4.14.98+ #7 Not tainted
------------------------------------------------------
syz-executor.3/17139 is trying to acquire lock:
 (&event->child_mutex){+.+.}, at: [<ffffffff85feb618>] perf_event_read_value+0x78/0x410 kernel/events/core.c:4452

but task is already holding lock:
 (&cpuctx_mutex){+.+.}, at: [<ffffffff85fe7dfd>] perf_event_ctx_lock_nested+0x14d/0x2c0 kernel/events/core.c:1240

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #8 (&cpuctx_mutex){+.+.}:

-> #7 (pmus_lock){+.+.}:

-> #6 (cpu_hotplug_lock.rw_sem){++++}:

-> #5 (&sb->s_type->i_mutex_key#10){+.+.}:

-> #4 (ashmem_mutex){+.+.}:

-> #3 (&mm->mmap_sem){++++}:

-> #2 (&sb->s_type->i_mutex_key#5){++++}:

-> #1 (event_mutex){+.+.}:

-> #0 (&event->child_mutex){+.+.}:

other info that might help us debug this:

Chain exists of:
  &event->child_mutex --> pmus_lock --> &cpuctx_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&cpuctx_mutex);
                               lock(pmus_lock);
                               lock(&cpuctx_mutex);
  lock(&event->child_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.3/17139:
 #0:  (&cpuctx_mutex){+.+.}, at: [<ffffffff85fe7dfd>] perf_event_ctx_lock_nested+0x14d/0x2c0 kernel/events/core.c:1240

stack backtrace:
CPU: 1 PID: 17139 Comm: syz-executor.3 Not tainted 4.14.98+ #7
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x10e lib/dump_stack.c:53
 print_circular_bug.isra.0.cold+0x2dc/0x425 kernel/locking/lockdep.c:1258
kauditd_printk_skb: 18 callbacks suppressed
audit: type=1400 audit(544.645:21668): avc:  denied  { create } for  pid=17141 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(544.695:21669): avc:  denied  { map } for  pid=17138 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
audit: type=1400 audit(544.695:21670): avc:  denied  { create } for  pid=17141 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(544.935:21671): avc:  denied  { map } for  pid=17158 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
audit: type=1400 audit(545.105:21672): avc:  denied  { map } for  pid=17166 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
audit: type=1400 audit(545.335:21673): avc:  denied  { map } for  pid=17175 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
audit: type=1400 audit(545.495:21674): avc:  denied  { map } for  pid=17183 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
audit: type=1400 audit(545.635:21675): avc:  denied  { map } for  pid=17186 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
audit: type=1400 audit(545.825:21676): avc:  denied  { map } for  pid=17190 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
audit: type=1400 audit(546.045:21677): avc:  denied  { map } for  pid=17195 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
kauditd_printk_skb: 7 callbacks suppressed
audit: type=1400 audit(551.355:21685): avc:  denied  { map } for  pid=17259 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
audit: type=1400 audit(551.595:21686): avc:  denied  { map } for  pid=17266 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
audit: type=1400 audit(551.605:21687): avc:  denied  { map } for  pid=17267 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
audit: type=1400 audit(551.805:21688): avc:  denied  { map } for  pid=17271 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/02/11 05:33 android-4.14 57de59b3cf53 b4f792e4 .config console log report ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.