possible deadlock in perf_event_read_value


syzbot

Apr 14, 2019, 4:52:13 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 57de59b3 UPSTREAM: virt_wifi: fix error return code in vir..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=12529160c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5a0d66ca5b6245f9
dashboard link: https://syzkaller.appspot.com/bug?extid=5380deb188de5fa98ca3
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5380de...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
4.14.98+ #7 Not tainted
------------------------------------------------------
syz-executor.3/17139 is trying to acquire lock:
(&event->child_mutex){+.+.}, at: [<ffffffff85feb618>] perf_event_read_value+0x78/0x410 kernel/events/core.c:4452

but task is already holding lock:
(&cpuctx_mutex){+.+.}, at: [<ffffffff85fe7dfd>] perf_event_ctx_lock_nested+0x14d/0x2c0 kernel/events/core.c:1240

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #8 (&cpuctx_mutex){+.+.}:

-> #7 (pmus_lock){+.+.}:

-> #6 (cpu_hotplug_lock.rw_sem){++++}:

-> #5 (&sb->s_type->i_mutex_key#10){+.+.}:

-> #4 (ashmem_mutex){+.+.}:

-> #3 (&mm->mmap_sem){++++}:

-> #2 (&sb->s_type->i_mutex_key#5){++++}:

-> #1 (event_mutex){+.+.}:

-> #0 (&event->child_mutex){+.+.}:

other info that might help us debug this:

Chain exists of:
&event->child_mutex --> pmus_lock --> &cpuctx_mutex

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&cpuctx_mutex);
                               lock(pmus_lock);
                               lock(&cpuctx_mutex);
  lock(&event->child_mutex);

*** DEADLOCK ***

1 lock held by syz-executor.3/17139:
#0: (&cpuctx_mutex){+.+.}, at: [<ffffffff85fe7dfd>] perf_event_ctx_lock_nested+0x14d/0x2c0 kernel/events/core.c:1240

stack backtrace:
CPU: 1 PID: 17139 Comm: syz-executor.3 Not tainted 4.14.98+ #7
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x10e lib/dump_stack.c:53
print_circular_bug.isra.0.cold+0x2dc/0x425 kernel/locking/lockdep.c:1258


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Aug 10, 2019, 1:35:06 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.