[ 33.645108] audit: type=1800 audit(1564996412.867:33): pid=6950 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.672978] audit: type=1800 audit(1564996412.867:34): pid=6950 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 36.532210] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.847385] audit: type=1400 audit(1564996416.067:35): avc: denied { map } for pid=7123 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.898610] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.484447] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.678525] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.96' (ECDSA) to the list of known hosts.
[ 43.243017] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 43.374412] audit: type=1400 audit(1564996422.597:36): avc: denied { map } for pid=7135 comm="syz-executor162" path="/root/syz-executor162792186" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.436046]
[ 43.437689] ======================================================
[ 43.443997] WARNING: possible circular locking dependency detected
[ 43.450288] 4.14.136 #32 Not tainted
[ 43.453975] ------------------------------------------------------
[ 43.460270] syz-executor162/7136 is trying to acquire lock:
[ 43.465950]  (event_mutex){+.+.}, at: [] perf_trace_destroy+0x28/0x100
[ 43.474180]
[ 43.474180] but task is already holding lock:
[ 43.480162]  (&event->child_mutex){+.+.}, at: [] perf_event_release_kernel+0x207/0x880
[ 43.489780]
[ 43.489780] which lock already depends on the new lock.
[ 43.489780]
[ 43.498071]
[ 43.498071] the existing dependency chain (in reverse order) is:
[ 43.505981]
[ 43.505981] -> #5 (&event->child_mutex){+.+.}:
[ 43.512050]        lock_acquire+0x16f/0x430
[ 43.516367]        __mutex_lock+0xe8/0x1470
[ 43.520664]        mutex_lock_nested+0x16/0x20
[ 43.525221]        perf_event_for_each_child+0x8a/0x150
[ 43.530557]        perf_ioctl+0x1d9/0xd80
[ 43.534678]        do_vfs_ioctl+0x7ae/0x1060
[ 43.539055]        SyS_ioctl+0x8f/0xc0
[ 43.542919]        do_syscall_64+0x1e8/0x640
[ 43.547302]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.553005]
[ 43.553005] -> #4 (&cpuctx_mutex){+.+.}:
[ 43.558529]        lock_acquire+0x16f/0x430
[ 43.562828]        __mutex_lock+0xe8/0x1470
[ 43.567122]        mutex_lock_nested+0x16/0x20
[ 43.571678]        perf_event_init_cpu+0xc2/0x170
[ 43.576493]        perf_event_init+0x2d8/0x31a
[ 43.581054]        start_kernel+0x3b6/0x6fd
[ 43.585360]        x86_64_start_reservations+0x29/0x2b
[ 43.590613]        x86_64_start_kernel+0x77/0x7b
[ 43.595348]        secondary_startup_64+0xa5/0xb0
[ 43.600165]
[ 43.600165] -> #3 (pmus_lock){+.+.}:
[ 43.605337]        lock_acquire+0x16f/0x430
[ 43.609632]        __mutex_lock+0xe8/0x1470
[ 43.613932]        mutex_lock_nested+0x16/0x20
[ 43.618488]        perf_event_init_cpu+0x2f/0x170
[ 43.623308]        cpuhp_invoke_callback+0x1ea/0x1ab0
[ 43.628468]        _cpu_up+0x228/0x530
[ 43.632330]        do_cpu_up+0x121/0x150
[ 43.636361]        cpu_up+0x1b/0x20
[ 43.639962]        smp_init+0x157/0x170
[ 43.643912]        kernel_init_freeable+0x30b/0x532
[ 43.648904]        kernel_init+0x12/0x162
[ 43.653050]        ret_from_fork+0x24/0x30
[ 43.657255]
[ 43.657255] -> #2 (cpu_hotplug_lock.rw_sem){++++}:
[ 43.663643]        lock_acquire+0x16f/0x430
[ 43.667935]        cpus_read_lock+0x3d/0xc0
[ 43.672235]        static_key_slow_inc+0x13/0x30
[ 43.676970]        tracepoint_probe_register_prio+0x4d6/0x6d0
[ 43.682832]        tracepoint_probe_register+0x2b/0x40
[ 43.688083]        trace_event_reg+0x277/0x330
[ 43.692639]        perf_trace_init+0x449/0xaa0
[ 43.697194]        perf_tp_event_init+0x7d/0xf0
[ 43.701839]        perf_try_init_event+0x164/0x200
[ 43.706742]        perf_event_alloc.part.0+0xd90/0x25b0
[ 43.712078]        SYSC_perf_event_open+0xad1/0x2610
[ 43.717156]        SyS_perf_event_open+0x34/0x40
[ 43.721907]        do_syscall_64+0x1e8/0x640
[ 43.726296]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.731979]
[ 43.731979] -> #1 (tracepoints_mutex){+.+.}:
[ 43.737844]        lock_acquire+0x16f/0x430
[ 43.742140]        __mutex_lock+0xe8/0x1470
[ 43.746436]        mutex_lock_nested+0x16/0x20
[ 43.750995]        tracepoint_probe_register_prio+0x36/0x6d0
[ 43.756764]        tracepoint_probe_register+0x2b/0x40
[ 43.762013]        trace_event_reg+0x277/0x330
[ 43.766571]        perf_trace_init+0x449/0xaa0
[ 43.771134]        perf_tp_event_init+0x7d/0xf0
[ 43.775789]        perf_try_init_event+0x164/0x200
[ 43.780690]        perf_event_alloc.part.0+0xd90/0x25b0
[ 43.786025]        SYSC_perf_event_open+0xad1/0x2610
[ 43.791100]        SyS_perf_event_open+0x34/0x40
[ 43.795829]        do_syscall_64+0x1e8/0x640
[ 43.800223]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.805909]
[ 43.805909] -> #0 (event_mutex){+.+.}:
[ 43.811258]        __lock_acquire+0x2cb3/0x4620
[ 43.815897]        lock_acquire+0x16f/0x430
[ 43.820195]        __mutex_lock+0xe8/0x1470
[ 43.824488]        mutex_lock_nested+0x16/0x20
[ 43.829058]        perf_trace_destroy+0x28/0x100
[ 43.833808]        tp_perf_event_destroy+0x16/0x20
[ 43.838710]        _free_event+0x330/0xe70
[ 43.842931]        free_event+0x38/0x50
[ 43.846873]        perf_event_release_kernel+0x364/0x880
[ 43.852307]        perf_release+0x37/0x50
[ 43.856434]        __fput+0x275/0x7a0
[ 43.860206]        ____fput+0x16/0x20
[ 43.863980]        task_work_run+0x114/0x190
[ 43.868356]        do_exit+0x7df/0x2c10
[ 43.872301]        do_group_exit+0x111/0x330
[ 43.876681]        get_signal+0x381/0x1cd0
[ 43.880888]        do_signal+0x86/0x19a0
[ 43.884923]        exit_to_usermode_loop+0x15c/0x220
[ 43.890003]        prepare_exit_to_usermode+0x1b5/0x220
[ 43.895347]        retint_user+0x8/0x18
[ 43.899290]
[ 43.899290] other info that might help us debug this:
[ 43.899290]
[ 43.907404] Chain exists of:
[ 43.907404]   event_mutex --> &cpuctx_mutex --> &event->child_mutex
[ 43.907404]
[ 43.918145]  Possible unsafe locking scenario:
[ 43.918145]
[ 43.924177]        CPU0                    CPU1
[ 43.928817]        ----                    ----
[ 43.933477]   lock(&event->child_mutex);
[ 43.937511]                                lock(&cpuctx_mutex);
[ 43.943554]                                lock(&event->child_mutex);
[ 43.950105]   lock(event_mutex);
[ 43.953444]
[ 43.953444]  *** DEADLOCK ***
[ 43.953444]
[ 43.959474] 2 locks held by syz-executor162/7136:
[ 43.964290]  #0:  (&ctx->mutex){+.+.}, at: [] perf_event_release_kernel+0x1fd/0x880
[ 43.973633]  #1:  (&event->child_mutex){+.+.}, at: [] perf_event_release_kernel+0x207/0x880
[ 43.983686]
[ 43.983686] stack backtrace:
[ 43.988170] CPU: 1 PID: 7136 Comm: syz-executor162 Not tainted 4.14.136 #32
[ 43.995243] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.004569] Call Trace:
[ 44.007132]  dump_stack+0x138/0x19c
[ 44.010735]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 44.016074]  __lock_acquire+0x2cb3/0x4620
[ 44.020200]  ? event_function+0x28b/0x380
[ 44.024322]  ? trace_hardirqs_on+0x10/0x10
[ 44.028535]  lock_acquire+0x16f/0x430
[ 44.032311]  ? perf_trace_destroy+0x28/0x100
[ 44.036693]  ? perf_trace_destroy+0x28/0x100
[ 44.041077]  __mutex_lock+0xe8/0x1470
[ 44.044859]  ? perf_trace_destroy+0x28/0x100
[ 44.049272]  ? perf_trace_destroy+0x28/0x100
[ 44.053656]  ? task_function_call+0xe7/0x130
[ 44.058038]  ? mutex_trylock+0x1c0/0x1c0
[ 44.062072]  ? save_trace+0x290/0x290
[ 44.065843]  ? __mutex_lock+0x36a/0x1470
[ 44.069876]  ? perf_event_release_kernel+0x1f3/0x880
[ 44.074957]  ? __lock_is_held+0xb6/0x140
[ 44.078993]  ? check_preemption_disabled+0x3c/0x250
[ 44.083983]  mutex_lock_nested+0x16/0x20
[ 44.088020]  ? mutex_lock_nested+0x16/0x20
[ 44.092230]  perf_trace_destroy+0x28/0x100
[ 44.096440]  tp_perf_event_destroy+0x16/0x20
[ 44.100819]  ? perf_tp_event_init+0xf0/0xf0
[ 44.105110]  _free_event+0x330/0xe70
[ 44.108796]  free_event+0x38/0x50
[ 44.112223]  perf_event_release_kernel+0x364/0x880
[ 44.117129]  ? perf_event_release_kernel+0x880/0x880
[ 44.122286]  perf_release+0x37/0x50
[ 44.125889]  __fput+0x275/0x7a0
[ 44.129170]  ____fput+0x16/0x20
[ 44.132423]  task_work_run+0x114/0x190
[ 44.136305]  do_exit+0x7df/0x2c10
[ 44.139732]  ? save_trace+0x290/0x290
[ 44.143509]  ? mm_update_next_owner+0x5d0/0x5d0
[ 44.148150]  do_group_exit+0x111/0x330
[ 44.152016]  get_signal+0x381/0x1cd0
[ 44.155729]  ? force_sig_info+0x277/0x350
[ 44.159874]  do_signal+0x86/0x19a0
[ 44.163413]  ? trace_raw_output_x86_exceptions+0x140/0x140
[ 44.169013]  ? setup_sigcontext+0x7d0/0x7d0
[ 44.173313]  ? __bad_area_nosemaphore+0x1fe/0x2a0
[ 44.178131]  ? bad_area+0x69/0x80
[ 44.181579]  ? __do_page_fault+0x358/0xb80
[ 44.185787]  ? _raw_spin_unlock_irq+0x28/0x90
[ 44.190262]  ? exit_to_usermode_loop+0x3d/0x220
[ 44.194905]  exit_to_usermode_loop+0x15c/0x220
[ 44.199461]  prepare_exit_to_usermode+0x1b5/0x220
[ 44.204280]  ? page_fault+0x2f/0x50
[ 44.207882]  retint_user+0x8/0x18
[ 44.211310] RIP: 0033:0x40f218
[ 44.214471] RSP: 002b:00007ffe2db0cb38 EFLAGS: 00010246
[ 44.219819] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000002
[ 44.227064] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
[ 44.234309] RBP: 00000000006ca018 R08: 0000000000000002 R09: 0000000000000006
[ 44.241551] R10: 000000000000003f R11: 000000000000000b R12: 0000000000401bf0
[ 44.248793] R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000