netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'. ====================================================== WARNING: possible circular locking dependency detected 4.14.227-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.4/18582 is trying to acquire lock: (&mm->mmap_sem){++++}, at: [] __might_fault+0xd4/0x1b0 mm/memory.c:4676 but task is already holding lock: (&cpuctx_mutex){+.+.}, at: [] perf_event_ctx_lock_nested+0x14d/0x2c0 kernel/events/core.c:1241 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (&cpuctx_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 perf_event_init_cpu+0xb7/0x170 kernel/events/core.c:11250 perf_event_init+0x2cc/0x308 kernel/events/core.c:11297 start_kernel+0x46a/0x770 init/main.c:620 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240 -> #2 (pmus_lock){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 perf_event_init_cpu+0x2c/0x170 kernel/events/core.c:11244 cpuhp_invoke_callback+0x1e6/0x1a80 kernel/cpu.c:184 cpuhp_up_callbacks kernel/cpu.c:572 [inline] _cpu_up+0x219/0x500 kernel/cpu.c:1144 do_cpu_up+0x9a/0x160 kernel/cpu.c:1179 smp_init+0x197/0x1ac kernel/smp.c:578 kernel_init_freeable+0x3f4/0x614 init/main.c:1068 kernel_init+0xd/0x168 init/main.c:1000 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 -> #1 (cpu_hotplug_lock.rw_sem){++++}: percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x39/0xc0 kernel/cpu.c:295 __static_key_slow_dec kernel/jump_label.c:213 [inline] static_key_slow_dec+0x47/0x70 kernel/jump_label.c:228 sw_perf_event_destroy+0x83/0x110 kernel/events/core.c:7951 _free_event+0x321/0xe20 kernel/events/core.c:4244 put_event kernel/events/core.c:4330 [inline] perf_mmap_close+0x47d/0xc00 kernel/events/core.c:5290 remove_vma+0xa9/0x1a0 mm/mmap.c:167 remove_vma_list mm/mmap.c:2507 [inline] do_munmap+0x5fe/0xc30 mm/mmap.c:2748 mmap_region+0x217/0x1220 mm/mmap.c:1658 do_mmap+0x5b3/0xcb0 mm/mmap.c:1495 do_mmap_pgoff include/linux/mm.h:2185 [inline] vm_mmap_pgoff+0x14e/0x1a0 mm/util.c:333 SYSC_mmap_pgoff mm/mmap.c:1545 [inline] SyS_mmap_pgoff+0x249/0x510 mm/mmap.c:1503 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb -> #0 (&mm->mmap_sem){++++}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __might_fault mm/memory.c:4677 [inline] __might_fault+0x137/0x1b0 mm/memory.c:4662 _copy_to_user+0x27/0xd0 lib/usercopy.c:25 copy_to_user include/linux/uaccess.h:155 [inline] perf_read_one kernel/events/core.c:4583 [inline] __perf_read kernel/events/core.c:4626 [inline] perf_read+0x54c/0x7c0 kernel/events/core.c:4639 do_loop_readv_writev fs/read_write.c:695 [inline] do_loop_readv_writev fs/read_write.c:682 [inline] do_iter_read+0x3eb/0x5b0 fs/read_write.c:919 vfs_readv+0xc8/0x120 fs/read_write.c:981 do_readv+0xfc/0x2c0 fs/read_write.c:1014 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb other info that might help us debug this: Chain exists of: &mm->mmap_sem --> pmus_lock --> &cpuctx_mutex Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&cpuctx_mutex); lock(pmus_lock); lock(&cpuctx_mutex); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by syz-executor.4/18582: #0: (&cpuctx_mutex){+.+.}, at: [] perf_event_ctx_lock_nested+0x14d/0x2c0 kernel/events/core.c:1241 stack backtrace: CPU: 0 PID: 18582 Comm: syz-executor.4 Not tainted 4.14.227-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __might_fault mm/memory.c:4677 [inline] __might_fault+0x137/0x1b0 mm/memory.c:4662 _copy_to_user+0x27/0xd0 lib/usercopy.c:25 copy_to_user include/linux/uaccess.h:155 [inline] perf_read_one kernel/events/core.c:4583 [inline] __perf_read kernel/events/core.c:4626 [inline] perf_read+0x54c/0x7c0 kernel/events/core.c:4639 do_loop_readv_writev fs/read_write.c:695 [inline] do_loop_readv_writev fs/read_write.c:682 [inline] do_iter_read+0x3eb/0x5b0 fs/read_write.c:919 vfs_readv+0xc8/0x120 fs/read_write.c:981 do_readv+0xfc/0x2c0 fs/read_write.c:1014 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x466459 RSP: 002b:00007fdae384a188 EFLAGS: 00000246 ORIG_RAX: 0000000000000013 RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000466459 RDX: 0000000000000001 RSI: 00000000200002c0 RDI: 0000000000000008 RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 R13: 00007fff9cd33fdf R14: 00007fdae384a300 R15: 0000000000022000 caif:caif_disconnect_client(): nothing to disconnect caif:caif_disconnect_client(): nothing to disconnect print_req_error: I/O error, dev loop1, sector 0 print_req_error: I/O error, dev loop3, sector 0 NFQUEUE: number of total queues is 0 NFQUEUE: number of total queues is 0 befs: Unrecognized mount option "}" or missing value befs: (loop3): cannot parse mount options