[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 32.982570] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.131791] kauditd_printk_skb: 9 callbacks suppressed
[ 33.131799] audit: type=1400 audit(1566867611.102:35): avc: denied { map } for pid=6826 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 33.186199] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.692901] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.402900] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.118' (ECDSA) to the list of known hosts.
[ 42.845546] random: sshd: uninitialized urandom read (32 bytes read)
executing program
FATAL: kernel too old
[ 42.959472] audit: type=1400 audit(1566867620.922:36): avc: denied { map } for pid=6839 comm="syz-executor347" path="/root/syz-executor347624367" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.034578]
[ 43.036211] ======================================================
[ 43.042499] WARNING: possible circular locking dependency detected
[ 43.048796] 4.14.140 #36 Not tainted
[ 43.052475] ------------------------------------------------------
[ 43.058765] syz-executor347/6840 is trying to acquire lock:
[ 43.064445]  (event_mutex){+.+.}, at: [] perf_trace_destroy+0x28/0x100
[ 43.072708]
[ 43.072708] but task is already holding lock:
[ 43.078661]  (&event->child_mutex){+.+.}, at: [] perf_event_release_kernel+0x207/0x880
[ 43.088273]
[ 43.088273] which lock already depends on the new lock.
[ 43.088273]
[ 43.096562]
[ 43.096562] the existing dependency chain (in reverse order) is:
[ 43.104151]
[ 43.104151] -> #5 (&event->child_mutex){+.+.}:
[ 43.110193]        lock_acquire+0x16f/0x430
[ 43.114551]        __mutex_lock+0xe8/0x1470
[ 43.118862]        mutex_lock_nested+0x16/0x20
[ 43.123427]        perf_event_for_each_child+0x8a/0x150
[ 43.128773]        perf_ioctl+0x1d9/0xdf0
[ 43.132900]        do_vfs_ioctl+0x7ae/0x1060
[ 43.137298]        SyS_ioctl+0x8f/0xc0
[ 43.141168]        do_syscall_64+0x1e8/0x640
[ 43.145547]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.151225]
[ 43.151225] -> #4 (&cpuctx_mutex){+.+.}:
[ 43.156756]        lock_acquire+0x16f/0x430
[ 43.161054]        __mutex_lock+0xe8/0x1470
[ 43.165344]        mutex_lock_nested+0x16/0x20
[ 43.169900]        perf_event_init_cpu+0xc2/0x170
[ 43.174716]        perf_event_init+0x2d8/0x31a
[ 43.185000]        start_kernel+0x3b6/0x6fd
[ 43.189291]        x86_64_start_reservations+0x29/0x2b
[ 43.194538]        x86_64_start_kernel+0x77/0x7b
[ 43.199265]        secondary_startup_64+0xa5/0xb0
[ 43.204076]
[ 43.204076] -> #3 (pmus_lock){+.+.}:
[ 43.209891]        lock_acquire+0x16f/0x430
[ 43.214189]        __mutex_lock+0xe8/0x1470
[ 43.218479]        mutex_lock_nested+0x16/0x20
[ 43.223035]        perf_event_init_cpu+0x2f/0x170
[ 43.227848]        cpuhp_invoke_callback+0x1ea/0x1ab0
[ 43.233009]        _cpu_up+0x228/0x530
[ 43.236870]        do_cpu_up+0x121/0x150
[ 43.240903]        cpu_up+0x1b/0x20
[ 43.244504]        smp_init+0x157/0x170
[ 43.248614]        kernel_init_freeable+0x30b/0x532
[ 43.253614]        kernel_init+0x12/0x162
[ 43.257886]        ret_from_fork+0x24/0x30
[ 43.262099]
[ 43.262099] -> #2 (cpu_hotplug_lock.rw_sem){++++}:
[ 43.268491]        lock_acquire+0x16f/0x430
[ 43.272785]        cpus_read_lock+0x3d/0xc0
[ 43.277081]        static_key_slow_inc+0x13/0x30
[ 43.281816]        tracepoint_probe_register_prio+0x4d6/0x6d0
[ 43.287764]        tracepoint_probe_register+0x2b/0x40
[ 43.293032]        trace_event_reg+0x277/0x330
[ 43.297598]        perf_trace_init+0x449/0xaa0
[ 43.302155]        perf_tp_event_init+0x7d/0xf0
[ 43.306795]        perf_try_init_event+0x164/0x200
[ 43.312056]        perf_event_alloc.part.0+0xd90/0x25b0
[ 43.317546]        SYSC_perf_event_open+0xad1/0x2690
[ 43.322622]        SyS_perf_event_open+0x34/0x40
[ 43.327363]        do_syscall_64+0x1e8/0x640
[ 43.331748]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.337714]
[ 43.337714] -> #1 (tracepoints_mutex){+.+.}:
[ 43.343590]        lock_acquire+0x16f/0x430
[ 43.347886]        __mutex_lock+0xe8/0x1470
[ 43.352180]        mutex_lock_nested+0x16/0x20
[ 43.356754]        tracepoint_probe_register_prio+0x36/0x6d0
[ 43.362524]        tracepoint_probe_register+0x2b/0x40
[ 43.367773]        trace_event_reg+0x277/0x330
[ 43.372329]        perf_trace_init+0x449/0xaa0
[ 43.376882]        perf_tp_event_init+0x7d/0xf0
[ 43.381521]        perf_try_init_event+0x164/0x200
[ 43.386424]        perf_event_alloc.part.0+0xd90/0x25b0
[ 43.391762]        SYSC_perf_event_open+0xad1/0x2690
[ 43.396839]        SyS_perf_event_open+0x34/0x40
[ 43.401567]        do_syscall_64+0x1e8/0x640
[ 43.405948]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.411629]
[ 43.411629] -> #0 (event_mutex){+.+.}:
[ 43.417028]        __lock_acquire+0x2cb3/0x4620
[ 43.421723]        lock_acquire+0x16f/0x430
[ 43.426023]        __mutex_lock+0xe8/0x1470
[ 43.430325]        mutex_lock_nested+0x16/0x20
[ 43.434880]        perf_trace_destroy+0x28/0x100
[ 43.439608]        tp_perf_event_destroy+0x16/0x20
[ 43.444565]        _free_event+0x330/0xe70
[ 43.448791]        free_event+0x38/0x50
[ 43.452745]        perf_event_release_kernel+0x364/0x880
[ 43.458168]        perf_release+0x37/0x50
[ 43.462303]        __fput+0x275/0x7a0
[ 43.466080]        ____fput+0x16/0x20
[ 43.469860]        task_work_run+0x114/0x190
[ 43.474301]        do_exit+0x7df/0x2c10
[ 43.478532]        do_group_exit+0x111/0x330
[ 43.482926]        get_signal+0x381/0x1cd0
[ 43.487146]        do_signal+0x86/0x19a0
[ 43.491186]        exit_to_usermode_loop+0x15c/0x220
[ 43.496268]        do_syscall_64+0x4bc/0x640
[ 43.500659]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.506340]
[ 43.506340] other info that might help us debug this:
[ 43.506340]
[ 43.514457] Chain exists of:
[ 43.514457]   event_mutex --> &cpuctx_mutex --> &event->child_mutex
[ 43.514457]
[ 43.525285]  Possible unsafe locking scenario:
[ 43.525285]
[ 43.531323]        CPU0                    CPU1
[ 43.536049]        ----                    ----
[ 43.540778]   lock(&event->child_mutex);
[ 43.544810]                                lock(&cpuctx_mutex);
[ 43.550841]                                lock(&event->child_mutex);
[ 43.557401]   lock(event_mutex);
[ 43.560746]
[ 43.560746]  *** DEADLOCK ***
[ 43.560746]
[ 43.566782] 2 locks held by syz-executor347/6840:
[ 43.571594]  #0:  (&ctx->mutex){+.+.}, at: [] perf_event_release_kernel+0x1fd/0x880
[ 43.580936]  #1:  (&event->child_mutex){+.+.}, at: [] perf_event_release_kernel+0x207/0x880
[ 43.590966]
[ 43.590966] stack backtrace:
[ 43.595436] CPU: 1 PID: 6840 Comm: syz-executor347 Not tainted 4.14.140 #36
[ 43.602671] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.612006] Call Trace:
[ 43.614578]  dump_stack+0x138/0x197
[ 43.618182]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 43.623576]  __lock_acquire+0x2cb3/0x4620
[ 43.627764]  ? event_function+0x28b/0x380
[ 43.631894]  ? trace_hardirqs_on+0x10/0x10
[ 43.636103]  lock_acquire+0x16f/0x430
[ 43.639932]  ? perf_trace_destroy+0x28/0x100
[ 43.644324]  ? perf_trace_destroy+0x28/0x100
[ 43.648708]  __mutex_lock+0xe8/0x1470
[ 43.652483]  ? perf_trace_destroy+0x28/0x100
[ 43.656866]  ? perf_trace_destroy+0x28/0x100
[ 43.661296]  ? alloc_perf_context+0xf0/0xf0
[ 43.665745]  ? mutex_trylock+0x1c0/0x1c0
[ 43.669784]  ? save_trace+0x290/0x290
[ 43.673561]  ? __mutex_lock+0x36a/0x1470
[ 43.677600]  ? perf_event_release_kernel+0x1f3/0x880
[ 43.682735]  ? __lock_is_held+0xb6/0x140
[ 43.686780]  ? check_preemption_disabled+0x3c/0x250
[ 43.691781]  mutex_lock_nested+0x16/0x20
[ 43.695817]  ? mutex_lock_nested+0x16/0x20
[ 43.700029]  perf_trace_destroy+0x28/0x100
[ 43.704241]  tp_perf_event_destroy+0x16/0x20
[ 43.708620]  ? perf_tp_event_init+0xf0/0xf0
[ 43.712912]  _free_event+0x330/0xe70
[ 43.716599]  free_event+0x38/0x50
[ 43.720033]  perf_event_release_kernel+0x364/0x880
[ 43.724971]  ? perf_event_release_kernel+0x880/0x880
[ 43.730058]  perf_release+0x37/0x50
[ 43.733676]  __fput+0x275/0x7a0
[ 43.736934]  ____fput+0x16/0x20
[ 43.740189]  task_work_run+0x114/0x190
[ 43.744051]  do_exit+0x7df/0x2c10
[ 43.747478]  ? rcu_read_lock_sched_held+0x110/0x130
[ 43.752469]  ? mm_update_next_owner+0x5d0/0x5d0
[ 43.757110]  do_group_exit+0x111/0x330
[ 43.760968]  get_signal+0x381/0x1cd0
[ 43.764654]  ? save_trace+0x290/0x290
[ 43.768427]  do_signal+0x86/0x19a0
[ 43.772067]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 43.777161]  ? lock_downgrade+0x6e0/0x6e0
[ 43.781289]  ? setup_sigcontext+0x7d0/0x7d0
[ 43.785643]  ? do_send_specific+0x104/0x1c0
[ 43.789953]  ? exit_to_usermode_loop+0x3d/0x220
[ 43.794601]  exit_to_usermode_loop+0x15c/0x220
[ 43.799158]  do_syscall_64+0x4bc/0x640
[ 43.803083]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.807916]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.813096] RIP: 0033:0x40e348
[ 43.816264] RSP: 002b:00007ffcde8e1328 EFLAGS: 00000246 ORIG_RAX: 00000000000000ea
[ 43.824032] RAX: 0000000000000000 RBX: 00007ffcde8e1460 RCX: 000000000040e348
[ 43.831513] RDX: 0000000000000006 RSI: 0000000000001ab8 RDI: 0000000000001ab8
[ 43.838864] RBP: 00007ffcde8e1530 R08: 0a646c6f206f6f74 R09: 0000000000000000
[ 43.846112] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 43.853406] R13: 0000000000000002 R14: 00007f1a43271000 R15: 0000000000001000