[ 32.227901] audit: type=1800 audit(1560776103.051:33): pid=6919 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0 [ 32.254725] audit: type=1800 audit(1560776103.061:34): pid=6919 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 38.036537] random: sshd: uninitialized urandom read (32 bytes read) [ 38.357683] audit: type=1400 audit(1560776109.181:35): avc: denied { map } for pid=7093 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 38.428528] random: sshd: uninitialized urandom read (32 bytes read) [ 39.048011] random: sshd: uninitialized urandom read (32 bytes read) [ 39.248186] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.46' (ECDSA) to the list of known hosts. [ 44.726835] random: sshd: uninitialized urandom read (32 bytes read) [ 44.904486] audit: type=1400 audit(1560776115.731:36): avc: denied { map } for pid=7105 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2019/06/17 12:55:16 parsed 1 programs [ 45.740378] audit: type=1400 audit(1560776116.571:37): avc: denied { map } for pid=7105 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=31 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 46.257020] random: cc1: uninitialized urandom read (8 bytes read) 2019/06/17 12:55:18 executed programs: 0 [ 47.320164] audit: type=1400 audit(1560776118.141:38): avc: denied { map } for pid=7105 comm="syz-execprog" path="/root/syzkaller-shm446966527" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 48.060208] IPVS: ftp: loaded support on port[0] = 21 [ 48.341080] chnl_net:caif_netlink_parms(): no params data found [ 48.370215] bridge0: port 1(bridge_slave_0) entered blocking state [ 48.377004] bridge0: port 1(bridge_slave_0) entered disabled state [ 48.384234] device bridge_slave_0 entered promiscuous mode [ 48.391473] bridge0: port 2(bridge_slave_1) entered blocking state [ 48.397858] bridge0: port 2(bridge_slave_1) entered disabled state [ 48.405413] device bridge_slave_1 entered promiscuous mode [ 48.420795] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 48.429364] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 48.445662] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 48.453087] team0: Port device team_slave_0 added [ 48.458437] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 48.465667] team0: Port device team_slave_1 added [ 48.471204] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 48.478339] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 48.532283] device hsr_slave_0 entered promiscuous mode [ 48.580829] device hsr_slave_1 entered promiscuous mode [ 48.650546] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 48.657494] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 48.672554] bridge0: port 2(bridge_slave_1) entered blocking state [ 48.679022] bridge0: port 2(bridge_slave_1) entered forwarding state [ 48.686155] bridge0: port 1(bridge_slave_0) entered blocking state [ 48.692543] bridge0: port 1(bridge_slave_0) entered forwarding state [ 48.719990] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 48.726222] 8021q: adding VLAN 0 to HW filter on device bond0 [ 48.734777] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 48.744814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 48.763206] bridge0: port 1(bridge_slave_0) entered disabled state [ 48.780652] bridge0: port 2(bridge_slave_1) entered disabled state [ 48.790474] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 48.796568] 8021q: adding VLAN 0 to HW filter on device team0 [ 48.805084] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 48.812734] bridge0: port 1(bridge_slave_0) entered blocking state [ 48.819112] bridge0: port 1(bridge_slave_0) entered forwarding state [ 48.828159] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 48.836366] bridge0: port 2(bridge_slave_1) entered blocking state [ 48.842982] bridge0: port 2(bridge_slave_1) entered forwarding state [ 48.857407] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 48.865233] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 48.874623] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 48.885263] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 48.895014] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 48.904727] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 48.911149] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 48.924167] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 48.933626] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 49.341511] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 50.281740] [ 50.283431] ====================================================== [ 50.289736] WARNING: possible circular locking dependency detected [ 50.296048] 4.14.126 #20 Not tainted [ 50.299746] ------------------------------------------------------ [ 50.306058] syz-executor.0/7136 is trying to acquire lock: [ 50.311670] (pmus_lock){+.+.}, at: [] perf_swevent_init+0x12e/0x490 [ 50.320405] [ 50.320405] but task is already holding lock: [ 50.326367] (&cpuctx_mutex/1){+.+.}, at: [] perf_event_ctx_lock_nested+0x150/0x2c0 [ 50.335753] [ 50.335753] which lock already depends on the new lock. [ 50.335753] [ 50.344070] [ 50.344070] the existing dependency chain (in reverse order) is: [ 50.351686] [ 50.351686] -> #2 (&cpuctx_mutex/1){+.+.}: [ 50.357417] lock_acquire+0x16f/0x430 [ 50.361729] __mutex_lock+0xe8/0x1470 [ 50.366043] mutex_lock_nested+0x16/0x20 [ 50.370613] SYSC_perf_event_open+0x121f/0x24b0 [ 50.375793] SyS_perf_event_open+0x34/0x40 [ 50.380542] do_syscall_64+0x1e8/0x640 [ 50.384942] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 50.390643] [ 50.390643] -> #1 (&cpuctx_mutex){+.+.}: [ 50.396190] lock_acquire+0x16f/0x430 [ 50.400515] __mutex_lock+0xe8/0x1470 [ 50.404835] mutex_lock_nested+0x16/0x20 [ 50.409404] perf_event_init_cpu+0xc2/0x170 [ 50.414243] perf_event_init+0x2d8/0x31a [ 50.419337] start_kernel+0x3b6/0x6fd [ 50.423742] x86_64_start_reservations+0x29/0x2b [ 50.429011] x86_64_start_kernel+0x77/0x7b [ 50.433774] secondary_startup_64+0xa5/0xb0 [ 50.438610] [ 50.438610] -> #0 (pmus_lock){+.+.}: [ 50.443836] __lock_acquire+0x2c89/0x45e0 [ 50.448501] lock_acquire+0x16f/0x430 [ 50.452825] __mutex_lock+0xe8/0x1470 [ 50.457135] mutex_lock_nested+0x16/0x20 [ 50.461709] perf_swevent_init+0x12e/0x490 [ 50.466456] perf_try_init_event+0xe6/0x200 [ 50.471476] perf_event_alloc.part.0+0xd48/0x2530 [ 50.476929] SYSC_perf_event_open+0xa2d/0x24b0 [ 50.482024] SyS_perf_event_open+0x34/0x40 [ 50.486783] do_syscall_64+0x1e8/0x640 [ 50.491204] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 50.496901] [ 50.496901] other info that might help us debug this: [ 50.496901] [ 50.505054] Chain exists of: [ 50.505054] pmus_lock --> &cpuctx_mutex --> &cpuctx_mutex/1 [ 50.505054] [ 50.515298] Possible unsafe locking scenario: [ 50.515298] [ 50.521354] CPU0 CPU1 [ 50.526040] ---- ---- [ 50.530701] lock(&cpuctx_mutex/1); [ 50.534417] lock(&cpuctx_mutex); [ 50.540472] lock(&cpuctx_mutex/1); [ 50.546711] lock(pmus_lock); [ 50.549904] [ 50.549904] *** DEADLOCK *** [ 50.549904] [ 50.555980] 2 locks held by syz-executor.0/7136: [ 50.560728] #0: (&pmus_srcu){....}, at: [] perf_event_alloc.part.0+0xba8/0x2530 [ 50.569933] #1: (&cpuctx_mutex/1){+.+.}, at: [] perf_event_ctx_lock_nested+0x150/0x2c0 [ 50.579744] [ 50.579744] stack backtrace: [ 50.584244] CPU: 1 PID: 7136 Comm: syz-executor.0 Not tainted 4.14.126 #20 [ 50.591249] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 50.600599] Call Trace: [ 50.603195] dump_stack+0x138/0x19c [ 50.606824] print_circular_bug.isra.0.cold+0x1cc/0x28f [ 50.612193] __lock_acquire+0x2c89/0x45e0 [ 50.616342] ? __lock_acquire+0x5f9/0x45e0 [ 50.620578] ? trace_hardirqs_on+0x10/0x10 [ 50.624812] ? depot_save_stack+0x11c/0x410 [ 50.629133] lock_acquire+0x16f/0x430 [ 50.632943] ? perf_swevent_init+0x12e/0x490 [ 50.637360] ? perf_swevent_init+0x12e/0x490 [ 50.641794] __mutex_lock+0xe8/0x1470 [ 50.645609] ? perf_swevent_init+0x12e/0x490 [ 50.650007] ? __mutex_lock+0x36a/0x1470 [ 50.654060] ? trace_hardirqs_on+0x10/0x10 [ 50.658285] ? perf_try_init_event+0xf2/0x200 [ 50.662771] ? perf_swevent_init+0x12e/0x490 [ 50.667229] ? perf_event_ctx_lock_nested+0x150/0x2c0 [ 50.672409] ? perf_try_init_event+0xf2/0x200 [ 50.676893] ? mutex_trylock+0x1c0/0x1c0 [ 50.680987] ? mutex_trylock+0x1c0/0x1c0 [ 50.685036] ? find_held_lock+0x35/0x130 [ 50.689096] ? perf_event_ctx_lock_nested+0x119/0x2c0 [ 50.694287] mutex_lock_nested+0x16/0x20 [ 50.698351] ? mutex_lock_nested+0x16/0x20 [ 50.702583] perf_swevent_init+0x12e/0x490 [ 50.706821] ? perf_event_ctx_lock_nested+0x248/0x2c0 [ 50.712011] perf_try_init_event+0xe6/0x200 [ 50.716325] perf_event_alloc.part.0+0xd48/0x2530 [ 50.721161] SYSC_perf_event_open+0xa2d/0x24b0 [ 50.725758] ? perf_event_set_output+0x460/0x460 [ 50.730519] ? SyS_clock_gettime+0xf8/0x180 [ 50.734847] SyS_perf_event_open+0x34/0x40 [ 50.739083] ? perf_bp_event+0x170/0x170 [ 50.743142] do_syscall_64+0x1e8/0x640 [ 50.747022] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 50.751857] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 50.757040] RIP: 0033:0x4592c9 [ 50.760236] RSP: 002b:00007fa7157a4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000012a [ 50.767936] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004592c9 [ 50.775201] RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000020000200 [ 50.782464] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 50.789737] R10: 0000000000000003 R11: 0000000000000246 R12: 00007fa7157a56d4 [ 50.797007] R13: 00000000004c5f2a R14: 00000000004da8c8 R15: 00000000ffffffff