[ 34.666219] audit: type=1800 audit(1564999737.410:33): pid=6919 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.693743] audit: type=1800 audit(1564999737.410:34): pid=6919 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
[ 34.979178] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.489319] audit: type=1400 audit(1564999738.230:35): avc: denied { map } for pid=7092 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.532832] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 36.129876] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.326099] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
[ 42.290704] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 42.426615] audit: type=1400 audit(1564999745.170:36): avc: denied { map } for pid=7104 comm="syz-executor369" path="/root/syz-executor369886802" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.504903]
[ 42.506545] ======================================================
[ 42.512833] WARNING: possible circular locking dependency detected
[ 42.519124] 4.14.136 #32 Not tainted
[ 42.522811] ------------------------------------------------------
[ 42.529102] syz-executor369/7105 is trying to acquire lock:
[ 42.534787]  (event_mutex){+.+.}, at: [] perf_trace_destroy+0x28/0x100
[ 42.543016]
[ 42.543016] but task is already holding lock:
[ 42.548971]  (&event->child_mutex){+.+.}, at: [] perf_event_release_kernel+0x207/0x880
[ 42.558572]
[ 42.558572] which lock already depends on the new lock.
[ 42.558572]
[ 42.566861]
[ 42.566861] the existing dependency chain (in reverse order) is:
[ 42.574467]
[ 42.574467] -> #5 (&event->child_mutex){+.+.}:
[ 42.580511]        lock_acquire+0x16f/0x430
[ 42.584815]        __mutex_lock+0xe8/0x1470
[ 42.589112]        mutex_lock_nested+0x16/0x20
[ 42.593672]        perf_event_for_each_child+0x8a/0x150
[ 42.599033]        perf_ioctl+0x1d9/0xd80
[ 42.603159]        do_vfs_ioctl+0x7ae/0x1060
[ 42.607557]        SyS_ioctl+0x8f/0xc0
[ 42.611423]        do_syscall_64+0x1e8/0x640
[ 42.615810]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.621493]
[ 42.621493] -> #4 (&cpuctx_mutex){+.+.}:
[ 42.627038]        lock_acquire+0x16f/0x430
[ 42.631342]        __mutex_lock+0xe8/0x1470
[ 42.635636]        mutex_lock_nested+0x16/0x20
[ 42.640198]        perf_event_init_cpu+0xc2/0x170
[ 42.645016]        perf_event_init+0x2d8/0x31a
[ 42.649598]        start_kernel+0x3b6/0x6fd
[ 42.653905]        x86_64_start_reservations+0x29/0x2b
[ 42.659167]        x86_64_start_kernel+0x77/0x7b
[ 42.663898]        secondary_startup_64+0xa5/0xb0
[ 42.668714]
[ 42.668714] -> #3 (pmus_lock){+.+.}:
[ 42.673905]        lock_acquire+0x16f/0x430
[ 42.678201]        __mutex_lock+0xe8/0x1470
[ 42.682513]        mutex_lock_nested+0x16/0x20
[ 42.687072]        perf_event_init_cpu+0x2f/0x170
[ 42.691894]        cpuhp_invoke_callback+0x1ea/0x1ab0
[ 42.697071]        _cpu_up+0x228/0x530
[ 42.700935]        do_cpu_up+0x121/0x150
[ 42.704995]        cpu_up+0x1b/0x20
[ 42.708634]        smp_init+0x157/0x170
[ 42.712596]        kernel_init_freeable+0x30b/0x532
[ 42.717599]        kernel_init+0x12/0x162
[ 42.721721]        ret_from_fork+0x24/0x30
[ 42.725927]
[ 42.725927] -> #2 (cpu_hotplug_lock.rw_sem){++++}:
[ 42.732321]        lock_acquire+0x16f/0x430
[ 42.736614]        cpus_read_lock+0x3d/0xc0
[ 42.740928]        static_key_slow_inc+0x13/0x30
[ 42.745687]        tracepoint_probe_register_prio+0x4d6/0x6d0
[ 42.751545]        tracepoint_probe_register+0x2b/0x40
[ 42.756806]        trace_event_reg+0x277/0x330
[ 42.761377]        perf_trace_init+0x449/0xaa0
[ 42.765937]        perf_tp_event_init+0x7d/0xf0
[ 42.770597]        perf_try_init_event+0x164/0x200
[ 42.775502]        perf_event_alloc.part.0+0xd90/0x25b0
[ 42.780853]        SYSC_perf_event_open+0xad1/0x2610
[ 42.785946]        SyS_perf_event_open+0x34/0x40
[ 42.790679]        do_syscall_64+0x1e8/0x640
[ 42.795065]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.800765]
[ 42.800765] -> #1 (tracepoints_mutex){+.+.}:
[ 42.806666]        lock_acquire+0x16f/0x430
[ 42.810982]        __mutex_lock+0xe8/0x1470
[ 42.815296]        mutex_lock_nested+0x16/0x20
[ 42.819853]        tracepoint_probe_register_prio+0x36/0x6d0
[ 42.825624]        tracepoint_probe_register+0x2b/0x40
[ 42.830881]        trace_event_reg+0x277/0x330
[ 42.835439]        perf_trace_init+0x449/0xaa0
[ 42.839997]        perf_tp_event_init+0x7d/0xf0
[ 42.844655]        perf_try_init_event+0x164/0x200
[ 42.849572]        perf_event_alloc.part.0+0xd90/0x25b0
[ 42.854910]        SYSC_perf_event_open+0xad1/0x2610
[ 42.859986]        SyS_perf_event_open+0x34/0x40
[ 42.864729]        do_syscall_64+0x1e8/0x640
[ 42.869115]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.874831]
[ 42.874831] -> #0 (event_mutex){+.+.}:
[ 42.880197]        __lock_acquire+0x2cb3/0x4620
[ 42.884839]        lock_acquire+0x16f/0x430
[ 42.889135]        __mutex_lock+0xe8/0x1470
[ 42.893431]        mutex_lock_nested+0x16/0x20
[ 42.897988]        perf_trace_destroy+0x28/0x100
[ 42.902747]        tp_perf_event_destroy+0x16/0x20
[ 42.907672]        _free_event+0x330/0xe70
[ 42.911984]        free_event+0x38/0x50
[ 42.915949]        perf_event_release_kernel+0x364/0x880
[ 42.921387]        perf_release+0x37/0x50
[ 42.925539]        __fput+0x275/0x7a0
[ 42.929317]        ____fput+0x16/0x20
[ 42.933099]        task_work_run+0x114/0x190
[ 42.937495]        do_exit+0x7df/0x2c10
[ 42.941472]        do_group_exit+0x111/0x330
[ 42.945875]        get_signal+0x381/0x1cd0
[ 42.950090]        do_signal+0x86/0x19a0
[ 42.954129]        exit_to_usermode_loop+0x15c/0x220
[ 42.959206]        do_syscall_64+0x4bc/0x640
[ 42.968076]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.973762]
[ 42.973762] other info that might help us debug this:
[ 42.973762]
[ 42.981880] Chain exists of:
[ 42.981880]   event_mutex --> &cpuctx_mutex --> &event->child_mutex
[ 42.981880]
[ 42.992626]  Possible unsafe locking scenario:
[ 42.992626]
[ 42.998657]        CPU0                    CPU1
[ 43.003298]        ----                    ----
[ 43.007937]   lock(&event->child_mutex);
[ 43.011971]                                lock(&cpuctx_mutex);
[ 43.018017]                                lock(&event->child_mutex);
[ 43.024569]   lock(event_mutex);
[ 43.027907]
[ 43.027907]  *** DEADLOCK ***
[ 43.027907]
[ 43.033938] 2 locks held by syz-executor369/7105:
[ 43.038752]  #0:  (&ctx->mutex){+.+.}, at: [] perf_event_release_kernel+0x1fd/0x880
[ 43.048101]  #1:  (&event->child_mutex){+.+.}, at: [] perf_event_release_kernel+0x207/0x880
[ 43.058665]
[ 43.058665] stack backtrace:
[ 43.063136] CPU: 0 PID: 7105 Comm: syz-executor369 Not tainted 4.14.136 #32
[ 43.070226] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.079555] Call Trace:
[ 43.082123]  dump_stack+0x138/0x19c
[ 43.085728]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 43.091069]  __lock_acquire+0x2cb3/0x4620
[ 43.095195]  ? event_function+0x28b/0x380
[ 43.099320]  ? trace_hardirqs_on+0x10/0x10
[ 43.103546]  lock_acquire+0x16f/0x430
[ 43.107323]  ? perf_trace_destroy+0x28/0x100
[ 43.111724]  ? perf_trace_destroy+0x28/0x100
[ 43.116109]  __mutex_lock+0xe8/0x1470
[ 43.119883]  ? perf_trace_destroy+0x28/0x100
[ 43.124266]  ? perf_trace_destroy+0x28/0x100
[ 43.128660]  ? alloc_perf_context+0xf0/0xf0
[ 43.132959]  ? mutex_trylock+0x1c0/0x1c0
[ 43.137002]  ? save_trace+0x290/0x290
[ 43.140807]  ? __mutex_lock+0x36a/0x1470
[ 43.144859]  ? perf_event_release_kernel+0x1f3/0x880
[ 43.149953]  ? __lock_is_held+0xb6/0x140
[ 43.154007]  ? check_preemption_disabled+0x3c/0x250
[ 43.159000]  mutex_lock_nested+0x16/0x20
[ 43.163128]  ? mutex_lock_nested+0x16/0x20
[ 43.167340]  perf_trace_destroy+0x28/0x100
[ 43.171552]  tp_perf_event_destroy+0x16/0x20
[ 43.175935]  ? perf_tp_event_init+0xf0/0xf0
[ 43.180239]  _free_event+0x330/0xe70
[ 43.183937]  free_event+0x38/0x50
[ 43.187365]  perf_event_release_kernel+0x364/0x880
[ 43.192269]  ? perf_event_release_kernel+0x880/0x880
[ 43.197349]  perf_release+0x37/0x50
[ 43.200956]  __fput+0x275/0x7a0
[ 43.204213]  ____fput+0x16/0x20
[ 43.207473]  task_work_run+0x114/0x190
[ 43.211337]  do_exit+0x7df/0x2c10
[ 43.214770]  ? selinux_file_open+0x420/0x420
[ 43.219165]  ? find_held_lock+0x35/0x130
[ 43.223221]  ? mm_update_next_owner+0x5d0/0x5d0
[ 43.227868]  do_group_exit+0x111/0x330
[ 43.231745]  get_signal+0x381/0x1cd0
[ 43.235434]  ? vfs_writev+0x1d7/0x2a0
[ 43.239215]  ? kfree+0x20a/0x270
[ 43.242560]  do_signal+0x86/0x19a0
[ 43.246075]  ? find_held_lock+0x35/0x130
[ 43.250112]  ? setup_sigcontext+0x7d0/0x7d0
[ 43.254412]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 43.259834]  ? putname+0xdb/0x120
[ 43.263263]  ? rcu_read_lock_sched_held+0x110/0x130
[ 43.268256]  ? __fget_light+0x172/0x1f0
[ 43.272206]  ? do_writev+0x1af/0x2d0
[ 43.275896]  ? exit_to_usermode_loop+0x3d/0x220
[ 43.280543]  exit_to_usermode_loop+0x15c/0x220
[ 43.285100]  do_syscall_64+0x4bc/0x640
[ 43.288965]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.293792]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.298954] RIP: 0033:0x411ca8
[ 43.302141] RSP: 002b:00007ffe5973da60 EFLAGS: 00000206 ORIG_RAX: 0000000000000014
[ 43.309824] RAX: ffffffffffffffe0 RBX: 00007ffe5973da60 RCX: 0000000000411ca8
[ 43.317069] RDX: 0000000000000001 RSI: 00007ffe5973da60 RDI: 0000000000000002
[ 43.324313] RBP: 00007ffe5973db30 R08: 0000000000000016 R09: 0000000000000014
[ 43.331580] R10: 000000000040f1c3 R11: 0000000000000206 R12: 0000000000000002
[ 43.338924] R13: 0000000000000002 R14: 00000000004a152b R15: 0000000000000000