====================================================== WARNING: possible circular locking dependency detected 4.14.85+ #15 Not tainted ------------------------------------------------------ syz-executor0/9590 is trying to acquire lock: (&mm->mmap_sem){++++}, at: [] __might_fault+0xd4/0x1b0 mm/memory.c:4554 but task is already holding lock: (&cpuctx_mutex){+.+.}, at: [] perf_event_ctx_lock_nested+0x149/0x2f0 kernel/events/core.c:1240 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #5 (&cpuctx_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893 perf_event_init_cpu+0xab/0x150 kernel/events/core.c:11213 perf_event_init+0x295/0x2d4 kernel/events/core.c:11260 start_kernel+0x441/0x739 init/main.c:621 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240 -> #4 (pmus_lock){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893 perf_event_init_cpu+0x2c/0x150 kernel/events/core.c:11207 cpuhp_invoke_callback+0x1b5/0x1960 kernel/cpu.c:183 cpuhp_up_callbacks kernel/cpu.c:567 [inline] _cpu_up+0x22c/0x520 kernel/cpu.c:1126 do_cpu_up+0x13f/0x180 kernel/cpu.c:1160 smp_init+0x137/0x14b kernel/smp.c:578 kernel_init_freeable+0x186/0x39f init/main.c:1068 kernel_init+0xc/0x157 init/main.c:1000 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402 -> #3 (cpu_hotplug_lock.rw_sem){++++}: percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x39/0xb0 kernel/cpu.c:294 get_online_cpus include/linux/cpu.h:138 [inline] lru_add_drain_all+0xa/0x20 mm/swap.c:729 shmem_wait_for_pins mm/shmem.c:2681 [inline] shmem_add_seals+0x4db/0x1230 mm/shmem.c:2789 shmem_fcntl+0xea/0x120 mm/shmem.c:2824 do_fcntl+0x966/0xea0 fs/fcntl.c:421 SYSC_fcntl fs/fcntl.c:463 [inline] SyS_fcntl+0xc7/0x100 fs/fcntl.c:448 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #2 (&sb->s_type->i_mutex_key#10){+.+.}: down_write+0x34/0x90 kernel/locking/rwsem.c:54 inode_lock include/linux/fs.h:715 [inline] shmem_fallocate+0x149/0xb20 mm/shmem.c:2850 ashmem_shrink_scan+0x1b6/0x4e0 drivers/staging/android/ashmem.c:453 ashmem_ioctl+0x2cc/0xe20 drivers/staging/android/ashmem.c:795 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #1 (ashmem_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893 ashmem_mmap+0x4c/0x430 drivers/staging/android/ashmem.c:369 call_mmap include/linux/fs.h:1789 [inline] mmap_region+0x836/0xfb0 mm/mmap.c:1731 do_mmap+0x551/0xb80 mm/mmap.c:1509 do_mmap_pgoff include/linux/mm.h:2167 [inline] vm_mmap_pgoff+0x180/0x1d0 mm/util.c:333 SYSC_mmap_pgoff mm/mmap.c:1559 [inline] SyS_mmap_pgoff+0xf8/0x1a0 mm/mmap.c:1517 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #0 (&mm->mmap_sem){++++}: lock_acquire+0x10f/0x380 kernel/locking/lockdep.c:3991 __might_fault+0x137/0x1b0 mm/memory.c:4555 _copy_to_user+0x27/0xc0 lib/usercopy.c:25 copy_to_user include/linux/uaccess.h:155 [inline] perf_read_one kernel/events/core.c:4582 [inline] __perf_read kernel/events/core.c:4625 [inline] perf_read+0x597/0x800 kernel/events/core.c:4638 __vfs_read+0xf4/0x5b0 fs/read_write.c:411 vfs_read+0x11e/0x330 fs/read_write.c:447 SYSC_read fs/read_write.c:577 [inline] SyS_read+0xc2/0x1a0 fs/read_write.c:570 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 other info that might help us debug this: Chain exists of: &mm->mmap_sem --> pmus_lock --> &cpuctx_mutex Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&cpuctx_mutex); lock(pmus_lock); lock(&cpuctx_mutex); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by syz-executor0/9590: #0: (&cpuctx_mutex){+.+.}, at: [] perf_event_ctx_lock_nested+0x149/0x2f0 kernel/events/core.c:1240 stack backtrace: CPU: 1 PID: 9590 Comm: syz-executor0 Not tainted 4.14.85+ #15 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xb9/0x11b lib/dump_stack.c:53 print_circular_bug.isra.18.cold.43+0x2d3/0x40c kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1901 [inline] check_prevs_add kernel/locking/lockdep.c:2018 [inline] validate_chain kernel/locking/lockdep.c:2460 [inline] __lock_acquire+0x2ff9/0x4320 kernel/locking/lockdep.c:3487 lock_acquire+0x10f/0x380 kernel/locking/lockdep.c:3991 netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. __might_fault+0x137/0x1b0 mm/memory.c:4555 _copy_to_user+0x27/0xc0 lib/usercopy.c:25 copy_to_user include/linux/uaccess.h:155 [inline] perf_read_one kernel/events/core.c:4582 [inline] __perf_read kernel/events/core.c:4625 [inline] perf_read+0x597/0x800 kernel/events/core.c:4638 __vfs_read+0xf4/0x5b0 fs/read_write.c:411 vfs_read+0x11e/0x330 fs/read_write.c:447 SYSC_read fs/read_write.c:577 [inline] SyS_read+0xc2/0x1a0 fs/read_write.c:570 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x457569 RSP: 002b:00007f918dd88c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569 RDX: 0000000000000080 RSI: 00000000200000c0 RDI: 0000000000000004 RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f918dd896d4 R13: 00000000004c292a R14: 00000000004d5db8 R15: 00000000ffffffff netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. ip6_tunnel: ip6tnl1 xmit: Local address not yet configured! netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'. audit: type=1400 audit(1543916654.283:66): avc: denied { create } for pid=9774 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0 tclass=netlink_netfilter_socket permissive=1 SELinux: security policydb version 18 (MLS) not backwards compatible SELinux: failed to load policy netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'. SELinux: security policydb version 18 (MLS) not backwards compatible SELinux: failed to load policy