======================================================
WARNING: possible circular locking dependency detected
4.13.0+ #67 Not tainted
------------------------------------------------------
syz-executor4/9115 is trying to acquire lock:
 (event_mutex){+.+.}, at: [] perf_trace_destroy+0x28/0x100 kernel/trace/trace_event_perf.c:234

but task is already holding lock:
 (&mm->mmap_sem){++++}, at: [] vm_mmap_pgoff+0x198/0x280 mm/util.c:331

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #7 (&mm->mmap_sem){++++}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       __might_fault+0x13a/0x1d0 mm/memory.c:4337
       _copy_to_user+0x2c/0xc0 lib/usercopy.c:24
       copy_to_user include/linux/uaccess.h:154 [inline]
       filldir+0x1a7/0x320 fs/readdir.c:196
       dir_emit_dot include/linux/fs.h:3296 [inline]
       dir_emit_dots include/linux/fs.h:3307 [inline]
       dcache_readdir+0x12d/0x5e0 fs/libfs.c:192
       iterate_dir+0x4b2/0x5d0 fs/readdir.c:51
       SYSC_getdents fs/readdir.c:231 [inline]
       SyS_getdents+0x225/0x450 fs/readdir.c:212
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #6 (&sb->s_type->i_mutex_key#5){++++}:
       down_write+0x87/0x120 kernel/locking/rwsem.c:53
       inode_lock include/linux/fs.h:711 [inline]
       handle_create+0x30c/0x760 drivers/base/devtmpfs.c:218
       handle drivers/base/devtmpfs.c:372 [inline]
       devtmpfsd+0x3eb/0x520 drivers/base/devtmpfs.c:398
       kthread+0x39c/0x470 kernel/kthread.c:231
       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

-> #5 ((complete)&req.done){+.+.}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       complete_acquire include/linux/completion.h:39 [inline]
       __wait_for_common kernel/sched/completion.c:108 [inline]
       wait_for_common kernel/sched/completion.c:122 [inline]
       wait_for_completion+0xc8/0x770 kernel/sched/completion.c:143
       devtmpfs_create_node+0x32b/0x4a0 drivers/base/devtmpfs.c:114
       device_add+0x120f/0x1640 drivers/base/core.c:1692
       device_create_groups_vargs+0x1f3/0x250 drivers/base/core.c:2298
       device_create_vargs drivers/base/core.c:2338 [inline]
       device_create+0xda/0x110 drivers/base/core.c:2374
       msr_device_create+0x26/0x40 arch/x86/kernel/msr.c:188
       cpuhp_invoke_callback+0x256/0x14d0 kernel/cpu.c:145
       cpuhp_thread_fun+0x265/0x520 kernel/cpu.c:434
       smpboot_thread_fn+0x489/0x850 kernel/smpboot.c:164
       kthread+0x39c/0x470 kernel/kthread.c:231
       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

-> #4 (cpuhp_state){+.+.}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       cpuhp_invoke_ap_callback kernel/cpu.c:467 [inline]
       cpuhp_issue_call+0x1a2/0x3e0 kernel/cpu.c:1298
       __cpuhp_setup_state_cpuslocked+0x1ce/0x2a0 kernel/cpu.c:1445
       __cpuhp_setup_state+0xb0/0x140 kernel/cpu.c:1474
       cpuhp_setup_state include/linux/cpuhotplug.h:174 [inline]
       page_writeback_init+0x4d/0x71 mm/page-writeback.c:2082
       pagecache_init+0x48/0x4f mm/filemap.c:885
       start_kernel+0x690/0x723 init/main.c:690
       x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:381
       x86_64_start_kernel+0x13c/0x149 arch/x86/kernel/head64.c:362
       verify_cpu+0x0/0xfb

-> #3 (cpuhp_state_mutex){+.+.}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1870 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       __cpuhp_setup_state_cpuslocked+0x5a/0x2a0 kernel/cpu.c:1420
       __cpuhp_setup_state+0xb0/0x140 kernel/cpu.c:1474
       cpuhp_setup_state_nocalls include/linux/cpuhotplug.h:202 [inline]
       kvm_guest_init+0x1f3/0x20f arch/x86/kernel/kvm.c:488
       setup_arch+0x1894/0x1aae arch/x86/kernel/setup.c:1292
       start_kernel+0xa2/0x723 init/main.c:537
       x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:381
       x86_64_start_kernel+0x13c/0x149 arch/x86/kernel/head64.c:362
       verify_cpu+0x0/0xfb

-> #2 (cpu_hotplug_lock.rw_sem){++++}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:35 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:58 [inline]
       cpus_read_lock+0x42/0x90 kernel/cpu.c:218
       static_key_slow_inc+0x9d/0x3c0 kernel/jump_label.c:123
       tracepoint_add_func kernel/tracepoint.c:223 [inline]
       tracepoint_probe_register_prio+0x80d/0x9a0 kernel/tracepoint.c:283
       tracepoint_probe_register+0x2a/0x40 kernel/tracepoint.c:304
       trace_event_reg+0x167/0x320 kernel/trace/trace_events.c:305
       perf_trace_event_reg kernel/trace/trace_event_perf.c:122 [inline]
       perf_trace_event_init kernel/trace/trace_event_perf.c:197 [inline]
       perf_trace_init+0x504/0xab0 kernel/trace/trace_event_perf.c:221
       perf_tp_event_init+0x7d/0xf0 kernel/events/core.c:8049
       perf_try_init_event+0xc9/0x1f0 kernel/events/core.c:9271
       perf_init_event kernel/events/core.c:9309 [inline]
       perf_event_alloc+0x1c5b/0x2a00 kernel/events/core.c:9568
       SYSC_perf_event_open+0x842/0x2f10 kernel/events/core.c:10023
       SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9909
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #1 (tracepoints_mutex){+.+.}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1870 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       tracepoint_probe_register_prio+0xa0/0x9a0 kernel/tracepoint.c:279
       tracepoint_probe_register+0x2a/0x40 kernel/tracepoint.c:304
       trace_event_reg+0x167/0x320 kernel/trace/trace_events.c:305
       perf_trace_event_reg kernel/trace/trace_event_perf.c:122 [inline]
       perf_trace_event_init kernel/trace/trace_event_perf.c:197 [inline]
       perf_trace_init+0x504/0xab0 kernel/trace/trace_event_perf.c:221
       perf_tp_event_init+0x7d/0xf0 kernel/events/core.c:8049
       perf_try_init_event+0xc9/0x1f0 kernel/events/core.c:9271
       perf_init_event kernel/events/core.c:9309 [inline]
       perf_event_alloc+0x1c5b/0x2a00 kernel/events/core.c:9568
       SYSC_perf_event_open+0x842/0x2f10 kernel/events/core.c:10023
       SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9909
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #0 (event_mutex){+.+.}:
       check_prev_add+0x865/0x1520 kernel/locking/lockdep.c:1894
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1870 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       perf_trace_destroy+0x28/0x100 kernel/trace/trace_event_perf.c:234
       tp_perf_event_destroy+0x15/0x20 kernel/events/core.c:8033
       _free_event+0x401/0x1130 kernel/events/core.c:4205
       put_event+0x24/0x30 kernel/events/core.c:4288
       perf_mmap_close+0x60d/0xf90 kernel/events/core.c:5236
       remove_vma+0xb4/0x1b0 mm/mmap.c:171
       remove_vma_list mm/mmap.c:2474 [inline]
       do_munmap+0x942/0xf40 mm/mmap.c:2705
       mmap_region+0x59e/0x15a0 mm/mmap.c:1630
       do_mmap+0x6a1/0xd50 mm/mmap.c:1467
       do_mmap_pgoff include/linux/mm.h:2108 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:333
       SYSC_mmap_pgoff mm/mmap.c:1517 [inline]
       SyS_mmap_pgoff+0x23b/0x5f0 mm/mmap.c:1475
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:99 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:90
       entry_SYSCALL_64_fastpath+0x1f/0xbe

other info that might help us debug this:

Chain exists of:
  event_mutex --> &sb->s_type->i_mutex_key#5 --> &mm->mmap_sem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&mm->mmap_sem);
                               lock(&sb->s_type->i_mutex_key#5);
                               lock(&mm->mmap_sem);
  lock(event_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor4/9115:
 #0: (&mm->mmap_sem){++++}, at: [] vm_mmap_pgoff+0x198/0x280 mm/util.c:331

stack backtrace:
CPU: 1 PID: 9115 Comm: syz-executor4 Not tainted 4.13.0+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_circular_bug+0x503/0x710 kernel/locking/lockdep.c:1259
 check_prev_add+0x865/0x1520 kernel/locking/lockdep.c:1894
 check_prevs_add kernel/locking/lockdep.c:2020 [inline]
 validate_chain kernel/locking/lockdep.c:2469 [inline]
 __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0x16f/0x1870 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 perf_trace_destroy+0x28/0x100 kernel/trace/trace_event_perf.c:234
 tp_perf_event_destroy+0x15/0x20 kernel/events/core.c:8033
 _free_event+0x401/0x1130 kernel/events/core.c:4205
 put_event+0x24/0x30 kernel/events/core.c:4288
 perf_mmap_close+0x60d/0xf90 kernel/events/core.c:5236
 remove_vma+0xb4/0x1b0 mm/mmap.c:171
 remove_vma_list mm/mmap.c:2474 [inline]
 do_munmap+0x942/0xf40 mm/mmap.c:2705
 mmap_region+0x59e/0x15a0 mm/mmap.c:1630
 do_mmap+0x6a1/0xd50 mm/mmap.c:1467
 do_mmap_pgoff include/linux/mm.h:2108 [inline]
 vm_mmap_pgoff+0x1de/0x280 mm/util.c:333
 SYSC_mmap_pgoff mm/mmap.c:1517 [inline]
 SyS_mmap_pgoff+0x23b/0x5f0 mm/mmap.c:1475
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:99 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:90
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x451e59
RSP: 002b:00007f0b1501cc08 EFLAGS: 00000216 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00000000007180b0 RCX: 0000000000451e59
RDX: 0000000000000003 RSI: 0000000000003000 RDI: 0000000020007000
RBP: 0000000000000086 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000032 R11: 0000000000000216 R12: 00000000004b7d9c
R13: 00000000ffffffff R14: 0000000020049000 R15: 0000000000001000
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9133 comm=syz-executor5
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor2'.
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
nla_parse: 3 callbacks suppressed
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
QAT: Invalid ioctl
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
QAT: Invalid ioctl
netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'.
QAT: Invalid ioctl
QAT: Invalid ioctl
sctp: [Deprecated]: syz-executor4 (pid 9785) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor3 (pid 9799) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor4 (pid 9785) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor3 (pid 9799) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'.
sctp: [Deprecated]: syz-executor5 (pid 9843) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'.
sctp: [Deprecated]: syz-executor5 (pid 9869) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
TCP: request_sock_TCP: Possible SYN flooding on port 20000. Sending cookies. Check SNMP counters.
kvm [9965]: vcpu0, guest rIP: 0xfff0 disabled perfctr wrmsr: 0x186 data 0x8
kvm [9965]: vcpu0, guest rIP: 0xfff0 disabled perfctr wrmsr: 0x186 data 0x8
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
SELinux: failure in selinux_parse_skb(), unable to parse packet
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
RDS: rds_bind could not find a transport for 224.0.0.1, load rds_tcp or rds_rdma?
RDS: rds_bind could not find a transport for 224.0.0.1, load rds_tcp or rds_rdma?