[ 33.145265] audit: type=1800 audit(1561015255.998:33): pid=6870 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.172157] audit: type=1800 audit(1561015255.998:34): pid=6870 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 57.614342] random: sshd: uninitialized urandom read (32 bytes read)
[ 58.070320] audit: type=1400 audit(1561015280.928:35): avc: denied { map } for pid=7041 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 58.142656] random: sshd: uninitialized urandom read (32 bytes read)
[ 58.741306] random: sshd: uninitialized urandom read (32 bytes read)
[ 58.948043] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.94' (ECDSA) to the list of known hosts.
[ 64.591662] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 64.712578] audit: type=1400 audit(1561015287.568:36): avc: denied { map } for pid=7054 comm="syz-executor517" path="/root/syz-executor517384248" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 64.780904]
[ 64.782540] ======================================================
[ 64.788940] WARNING: possible circular locking dependency detected
[ 64.795234] 4.14.128 #22 Not tainted
[ 64.798918] ------------------------------------------------------
[ 64.805215] syz-executor517/7054 is trying to acquire lock:
[ 64.810905] (pmus_lock){+.+.}, at: [] perf_swevent_init+0x12e/0x490
[ 64.818960]
[ 64.818960] but task is already holding lock:
[ 64.824910] (&cpuctx_mutex/1){+.+.}, at: [] perf_event_ctx_lock_nested+0x150/0x2c0
[ 64.834350]
[ 64.834350] which lock already depends on the new lock.
[ 64.834350]
[ 64.842645]
[ 64.842645] the existing dependency chain (in reverse order) is:
[ 64.850499]
[ 64.850499] -> #2 (&cpuctx_mutex/1){+.+.}:
[ 64.856199] lock_acquire+0x16f/0x430
[ 64.860573] __mutex_lock+0xe8/0x1470
[ 64.864890] mutex_lock_nested+0x16/0x20
[ 64.869517] SYSC_perf_event_open+0x121f/0x24b0
[ 64.874689] SyS_perf_event_open+0x34/0x40
[ 64.879427] do_syscall_64+0x1e8/0x640
[ 64.883817] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 64.889614]
[ 64.889614] -> #1 (&cpuctx_mutex){+.+.}:
[ 64.895136] lock_acquire+0x16f/0x430
[ 64.899500] __mutex_lock+0xe8/0x1470
[ 64.903808] mutex_lock_nested+0x16/0x20
[ 64.908372] perf_event_init_cpu+0xc2/0x170
[ 64.913204] perf_event_init+0x2d8/0x31a
[ 64.917769] start_kernel+0x3b6/0x6fd
[ 64.922072] x86_64_start_reservations+0x29/0x2b
[ 64.927332] x86_64_start_kernel+0x77/0x7b
[ 64.932074] secondary_startup_64+0xa5/0xb0
[ 64.936894]
[ 64.936894] -> #0 (pmus_lock){+.+.}:
[ 64.942077] __lock_acquire+0x2c89/0x45e0
[ 64.946725] lock_acquire+0x16f/0x430
[ 64.951328] __mutex_lock+0xe8/0x1470
[ 64.955633] mutex_lock_nested+0x16/0x20
[ 64.960199] perf_swevent_init+0x12e/0x490
[ 64.965045] perf_try_init_event+0xe6/0x200
[ 64.969863] perf_event_alloc.part.0+0xd48/0x2530
[ 64.975206] SYSC_perf_event_open+0xa2d/0x24b0
[ 64.980287] SyS_perf_event_open+0x34/0x40
[ 64.985025] do_syscall_64+0x1e8/0x640
[ 64.989410] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 64.995096]
[ 64.995096] other info that might help us debug this:
[ 64.995096]
[ 65.003218] Chain exists of:
[ 65.003218] pmus_lock --> &cpuctx_mutex --> &cpuctx_mutex/1
[ 65.003218]
[ 65.013435] Possible unsafe locking scenario:
[ 65.013435]
[ 65.019472]        CPU0                    CPU1
[ 65.024114]        ----                    ----
[ 65.028756]   lock(&cpuctx_mutex/1);
[ 65.032549]                                lock(&cpuctx_mutex);
[ 65.038653]                                lock(&cpuctx_mutex/1);
[ 65.044871]   lock(pmus_lock);
[ 65.048139]
[ 65.048139] *** DEADLOCK ***
[ 65.048139]
[ 65.054240] 2 locks held by syz-executor517/7054:
[ 65.059099] #0: (&pmus_srcu){....}, at: [] perf_event_alloc.part.0+0xba8/0x2530
[ 65.068281] #1: (&cpuctx_mutex/1){+.+.}, at: [] perf_event_ctx_lock_nested+0x150/0x2c0
[ 65.078068]
[ 65.078068] stack backtrace:
[ 65.082548] CPU: 1 PID: 7054 Comm: syz-executor517 Not tainted 4.14.128 #22
[ 65.089726] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.099058] Call Trace:
[ 65.101638] dump_stack+0x138/0x19c
[ 65.105247] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 65.110596] __lock_acquire+0x2c89/0x45e0
[ 65.114722] ? __lock_acquire+0x5f9/0x45e0
[ 65.118934] ? trace_hardirqs_on+0x10/0x10
[ 65.123151] ? depot_save_stack+0x11c/0x410
[ 65.127559] lock_acquire+0x16f/0x430
[ 65.131390] ? perf_swevent_init+0x12e/0x490
[ 65.135780] ? perf_swevent_init+0x12e/0x490
[ 65.140170] __mutex_lock+0xe8/0x1470
[ 65.143966] ? perf_swevent_init+0x12e/0x490
[ 65.148389] ? __mutex_lock+0x36a/0x1470
[ 65.152437] ? trace_hardirqs_on+0x10/0x10
[ 65.156647] ? perf_try_init_event+0xf2/0x200
[ 65.161123] ? perf_swevent_init+0x12e/0x490
[ 65.165510] ? perf_event_ctx_lock_nested+0x150/0x2c0
[ 65.170679] ? perf_try_init_event+0xf2/0x200
[ 65.175158] ? mutex_trylock+0x1c0/0x1c0
[ 65.179283] ? mutex_trylock+0x1c0/0x1c0
[ 65.183332] ? find_held_lock+0x35/0x130
[ 65.187375] ? perf_event_ctx_lock_nested+0x119/0x2c0
[ 65.192551] mutex_lock_nested+0x16/0x20
[ 65.196595] ? mutex_lock_nested+0x16/0x20
[ 65.200816] perf_swevent_init+0x12e/0x490
[ 65.205076] ? perf_event_ctx_lock_nested+0x248/0x2c0
[ 65.210247] perf_try_init_event+0xe6/0x200
[ 65.214546] perf_event_alloc.part.0+0xd48/0x2530
[ 65.219364] SYSC_perf_event_open+0xa2d/0x24b0
[ 65.223925] ? perf_event_set_output+0x460/0x460
[ 65.228666] ? lock_downgrade+0x6e0/0x6e0
[ 65.232797] SyS_perf_event_open+0x34/0x40
[ 65.237010] ? perf_bp_event+0x170/0x170
[ 65.241055] do_syscall_64+0x1e8/0x640
[ 65.244919] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 65.249746] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.254924] RIP: 0033:0x440569
[ 65.258091] RSP: 002b:00007ffdd5d14498 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
[ 65.265777] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440569
[ 65.273030] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000020000040
[ 65.280287] RBP: 00000000006ca018