Bluetooth: hci2: command 0x0419 tx timeout
Bluetooth: hci5: command 0x0419 tx timeout
Bluetooth: hci3: command 0x0419 tx timeout
Bluetooth: hci4: command 0x0419 tx timeout

======================================================
WARNING: possible circular locking dependency detected
4.18.0-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/10137 is trying to acquire lock:
000000003a470b2a (event_mutex){+.+.}, at: perf_trace_destroy+0x1c/0x100 kernel/trace/trace_event_perf.c:235

but task is already holding lock:
000000006022eb74 (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x15a/0x210 mm/util.c:355

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&mm->mmap_sem){++++}:
       down_write_killable+0x3b/0xc0 kernel/locking/rwsem.c:84
       dup_mmap kernel/fork.c:430 [inline]
       dup_mm kernel/fork.c:1266 [inline]
       copy_mm kernel/fork.c:1320 [inline]
       copy_process.part.5+0x255c/0x6b70 kernel/fork.c:1826
       copy_process kernel/fork.c:1639 [inline]
       _do_fork+0x159/0xb70 kernel/fork.c:2122
       __do_sys_clone kernel/fork.c:2229 [inline]
       __se_sys_clone kernel/fork.c:2223 [inline]
       __x64_sys_clone+0xba/0x140 kernel/fork.c:2223
       do_syscall_64+0xda/0x540 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&dup_mmap_sem){++++}:
       down_write+0x38/0x90 kernel/locking/rwsem.c:70
       percpu_down_write+0x77/0x440 kernel/locking/percpu-rwsem.c:145
       register_for_each_vma+0x28/0xaf0 kernel/events/uprobes.c:796
       __uprobe_register kernel/events/uprobes.c:846 [inline]
       uprobe_register kernel/events/uprobes.c:907 [inline]
       uprobe_register+0x329/0x6b0 kernel/events/uprobes.c:880
       probe_event_enable+0x3a5/0xae0 kernel/trace/trace_uprobe.c:920
       trace_uprobe_register+0x30f/0x8c0 kernel/trace/trace_uprobe.c:1205
       perf_trace_event_reg kernel/trace/trace_event_perf.c:123 [inline]
       perf_trace_event_init+0x3dc/0x7d0 kernel/trace/trace_event_perf.c:198
       perf_uprobe_init+0x16c/0x1f0 kernel/trace/trace_event_perf.c:327
       perf_uprobe_event_init+0xb2/0x130 kernel/events/core.c:8467
       perf_try_init_event+0xf9/0x290 kernel/events/core.c:9739
       perf_init_event kernel/events/core.c:9770 [inline]
       perf_event_alloc+0x12b3/0x24b0 kernel/events/core.c:10043
       __do_sys_perf_event_open kernel/events/core.c:10500 [inline]
       __se_sys_perf_event_open+0x253/0x2020 kernel/events/core.c:10389
       __x64_sys_perf_event_open+0xb9/0x140 kernel/events/core.c:10389
       do_syscall_64+0xda/0x540 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&uprobe->register_rwsem){+.+.}:
       down_write+0x38/0x90 kernel/locking/rwsem.c:70
       uprobe_register kernel/events/uprobes.c:904 [inline]
       uprobe_register+0x2ab/0x6b0 kernel/events/uprobes.c:880
       probe_event_enable+0x3a5/0xae0 kernel/trace/trace_uprobe.c:920
       trace_uprobe_register+0x30f/0x8c0 kernel/trace/trace_uprobe.c:1205
       perf_trace_event_reg kernel/trace/trace_event_perf.c:123 [inline]
       perf_trace_event_init+0x3dc/0x7d0 kernel/trace/trace_event_perf.c:198
       perf_uprobe_init+0x16c/0x1f0 kernel/trace/trace_event_perf.c:327
       perf_uprobe_event_init+0xb2/0x130 kernel/events/core.c:8467
       perf_try_init_event+0xf9/0x290 kernel/events/core.c:9739
       perf_init_event kernel/events/core.c:9770 [inline]
       perf_event_alloc+0x12b3/0x24b0 kernel/events/core.c:10043
       __do_sys_perf_event_open kernel/events/core.c:10500 [inline]
       __se_sys_perf_event_open+0x253/0x2020 kernel/events/core.c:10389
       __x64_sys_perf_event_open+0xb9/0x140 kernel/events/core.c:10389
       do_syscall_64+0xda/0x540 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (event_mutex){+.+.}:
       lock_acquire+0x17e/0x3e0 kernel/locking/lockdep.c:3924
       __mutex_lock_common kernel/locking/mutex.c:757 [inline]
       __mutex_lock+0xf5/0x1300 kernel/locking/mutex.c:894
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:909
       perf_trace_destroy+0x1c/0x100 kernel/trace/trace_event_perf.c:235
       tp_perf_event_destroy+0x9/0x10 kernel/events/core.c:8329
       _free_event+0x2b6/0xd80 kernel/events/core.c:4445
       put_event+0x2b/0x30 kernel/events/core.c:4531
       perf_mmap_close+0x3f6/0xbf0 kernel/events/core.c:5514
       remove_vma+0x9f/0x140 mm/mmap.c:181
       remove_vma_list mm/mmap.c:2549 [inline]
       do_munmap+0x6d9/0xca0 mm/mmap.c:2785
       mmap_region+0x126/0xfd0 mm/mmap.c:1705
       do_mmap+0x667/0xf80 mm/mmap.c:1535
       do_mmap_pgoff include/linux/mm.h:2306 [inline]
       vm_mmap_pgoff+0x195/0x210 mm/util.c:357
       ksys_mmap_pgoff+0x250/0x5a0 mm/mmap.c:1585
       __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
       __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0xda/0x540 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  event_mutex --> &dup_mmap_sem --> &mm->mmap_sem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&mm->mmap_sem);
                               lock(&dup_mmap_sem);
                               lock(&mm->mmap_sem);
  lock(event_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.4/10137:
 #0: 000000006022eb74 (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x15a/0x210 mm/util.c:355

stack backtrace:
CPU: 1 PID: 10137 Comm: syz-executor.4 Not tainted 4.18.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x15a/0x20d lib/dump_stack.c:113
 print_circular_bug.isra.17.cold.33+0x2e3/0x41e kernel/locking/lockdep.c:1227
 check_prev_add kernel/locking/lockdep.c:1867 [inline]
 check_prevs_add kernel/locking/lockdep.c:1980 [inline]
 validate_chain kernel/locking/lockdep.c:2421 [inline]
 __lock_acquire+0x35da/0x4770 kernel/locking/lockdep.c:3435
 lock_acquire+0x17e/0x3e0 kernel/locking/lockdep.c:3924
 __mutex_lock_common kernel/locking/mutex.c:757 [inline]
 __mutex_lock+0xf5/0x1300 kernel/locking/mutex.c:894
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:909
 perf_trace_destroy+0x1c/0x100 kernel/trace/trace_event_perf.c:235
 tp_perf_event_destroy+0x9/0x10 kernel/events/core.c:8329
 _free_event+0x2b6/0xd80 kernel/events/core.c:4445
 put_event+0x2b/0x30 kernel/events/core.c:4531
 perf_mmap_close+0x3f6/0xbf0 kernel/events/core.c:5514
 remove_vma+0x9f/0x140 mm/mmap.c:181
 remove_vma_list mm/mmap.c:2549 [inline]
 do_munmap+0x6d9/0xca0 mm/mmap.c:2785
 mmap_region+0x126/0xfd0 mm/mmap.c:1705
 do_mmap+0x667/0xf80 mm/mmap.c:1535
 do_mmap_pgoff include/linux/mm.h:2306 [inline]
 vm_mmap_pgoff+0x195/0x210 mm/util.c:357
 ksys_mmap_pgoff+0x250/0x5a0 mm/mmap.c:1585
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
 __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
 do_syscall_64+0xda/0x540 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd999a4c188 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 000000000056c0f0 RCX: 00000000004665e9
RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020ffc000
RBP: 00000000004bfcc4 R08: 0000000000000006 R09: 0000000000000000
R10: 0000000000000011 R11: 0000000000000246 R12: 000000000056c0f0
R13: 00007ffe5c877aaf R14: 00007fd999a4c300 R15: 0000000000022000
NOHZ: local_softirq_pending 08