[syzbot] [perf?] WARNING in perf_event_open

[syzbot] [perf?] WARNING in perf_event_open

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    441c725ed592 selftests/bpf: Close cgrp fd before calling c..
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1444d11ae80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8b0f45da11b1/disk-441c725e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2a5034980240/vmlinux-441c725e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2daadb549a4c/bzImage-441c725e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5193 at kernel/events/core.c:1950 perf_event_validate_size kernel/events/core.c:1950 [inline]
WARNING: CPU: 1 PID: 5193 at kernel/events/core.c:1950 __do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Modules linked in:
CPU: 1 PID: 5193 Comm: syz-executor.5 Not tainted 6.7.0-rc5-syzkaller-01532-g441c725ed592 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:perf_event_validate_size kernel/events/core.c:1950 [inline]
RIP: 0010:__do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Code: ff 48 8d b8 a8 00 00 00 e8 85 0a cf 08 bf 01 00 00 00 89 c3 89 c6 e8 77 74 d5 ff 83 eb 01 0f 84 2d ed ff ff e8 f9 78 d5 ff 90 <0f> 0b 90 e9 1f ed ff ff e8 eb 78 d5 ff be 03 00 00 00 48 89 ef e8
RSP: 0018:ffffc90005187d90 EFLAGS: 00010246
RAX: 0000000000040000 RBX: 00000000ffffffff RCX: ffffc90003d11000
RDX: 0000000000040000 RSI: ffffffff81b224a7 RDI: 0000000000000005
RBP: ffff888077570000 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff915e51d0 R12: ffff8880291ffb00
R13: 1ffff92000a30fbd R14: ffff88807a94d940 R15: ffff888077570000
FS:  00007fa10795c6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000002a097000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fa106c7cbe9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa10795c0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007fa106d9bf80 RCX: 00007fa106c7cbe9
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007fa106cc847a R08: 0000000000000001 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fa106d9bf80 R15: 00007fff36da3b98
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [perf?] WARNING in perf_event_open

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    5abde6246522 bpf: Avoid unnecessary use of comma operator ..
git tree:       bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=122f1609e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14857e81e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1126ac36e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a270020a37dc/disk-5abde624.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6b0eb142c0ea/vmlinux-5abde624.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d6ceb3e9bf6a/bzImage-5abde624.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5061 at kernel/events/core.c:1950 perf_event_validate_size kernel/events/core.c:1950 [inline]
WARNING: CPU: 0 PID: 5061 at kernel/events/core.c:1950 __do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Modules linked in:
CPU: 0 PID: 5061 Comm: syz-executor128 Not tainted 6.7.0-rc5-syzkaller-01540-g5abde6246522 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:perf_event_validate_size kernel/events/core.c:1950 [inline]
RIP: 0010:__do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Code: ff 48 8d b8 a8 00 00 00 e8 55 07 cf 08 bf 01 00 00 00 89 c3 89 c6 e8 47 71 d5 ff 83 eb 01 0f 84 2d ed ff ff e8 c9 75 d5 ff 90 <0f> 0b 90 e9 1f ed ff ff e8 bb 75 d5 ff be 03 00 00 00 48 89 ef e8
RSP: 0018:ffffc9000398fd90 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff81b227c9
RDX: ffff8880794c3b80 RSI: ffffffff81b227d7 RDI: 0000000000000005
RBP: ffff888017e68608 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff915ec900 R12: ffff888024db5800
R13: 1ffff92000731fbd R14: ffff8880794c3b80 R15: ffff888017e68608
FS:  0000555555ca6380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000006c CR3: 0000000059a59000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fddcf7ef369
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7c42b4a8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007ffc7c42b688 RCX: 00007fddcf7ef369
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007fddcf862610 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc7c42b678 R14: 0000000000000001 R15: 0000000000000001
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [perf?] WARNING in perf_event_open

[syzbot]

syzbot has bisected this issue to:

commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Wed Nov 29 14:24:52 2023 +0000

    perf: Fix perf_event_validate_size()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=170e70cee80000
start commit:   5abde6246522 bpf: Avoid unnecessary use of comma operator ..
git tree:       bpf-next
final oops:     https://syzkaller.appspot.com/x/report.txt?x=148e70cee80000
console output: https://syzkaller.appspot.com/x/log.txt?x=108e70cee80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14857e81e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1126ac36e80000

Reported-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com
Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

[PATCH] perf: fix WARNING in perf_event_open

[Edward Adam Davis]

The new version of __perf_event_read_size() only has a read action and does not
require a mutex, so the mutex assertion in the original loop is removed.

Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
Reported-and-tested-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 kernel/events/core.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 9efd0d7775e7..e71e61b46416 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
 	event->id_header_size = size;
 }
 
+#define read_for_each_sibling_event(sibling, event)		\
+	if ((event)->group_leader == (event))			\
+		list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
+
 /*
  * Check that adding an event to the group does not result in anybody
  * overflowing the 64k event limit imposed by the output buffer.
@@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
 	if (event == group_leader)
 		return true;
 
-	for_each_sibling_event(sibling, group_leader) {
+	read_for_each_sibling_event(sibling, group_leader) {
 		if (__perf_event_read_size(sibling->attr.read_format,
 					   group_leader->nr_siblings + 1) > 16*1024)
 			return false;
-- 
2.43.0

Re: [PATCH] perf: fix WARNING in perf_event_open

[Jiri Olsa]

On Tue, Dec 26, 2023 at 03:25:15PM +0800, Edward Adam Davis wrote:
> The new version of __perf_event_read_size() only has a read action and does not
> require a mutex, so the mutex assertion in the original loop is removed.
> 
> Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
> Reported-and-tested-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>

hi,
Mark suggested another fix earlier [1], but I haven't seen the formal patch yet

jirka


[1] https://lore.kernel.org/linux-perf-users/ZXwubNIxKH9s7DWt@FVFF77S0Q05N/

> ---
>  kernel/events/core.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 9efd0d7775e7..e71e61b46416 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
>  	event->id_header_size = size;
>  }
>  
> +#define read_for_each_sibling_event(sibling, event)		\
> +	if ((event)->group_leader == (event))			\
> +		list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
> +
>  /*
>   * Check that adding an event to the group does not result in anybody
>   * overflowing the 64k event limit imposed by the output buffer.
> @@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
>  	if (event == group_leader)
>  		return true;
>  
> -	for_each_sibling_event(sibling, group_leader) {
> +	read_for_each_sibling_event(sibling, group_leader) {
>  		if (__perf_event_read_size(sibling->attr.read_format,
>  					   group_leader->nr_siblings + 1) > 16*1024)
>  			return false;
> -- 
> 2.43.0
> 

Re: [PATCH] perf: fix WARNING in perf_event_open

[Mark Rutland]

On Wed, Dec 27, 2023 at 08:34:57AM +0100, Jiri Olsa wrote:
> On Tue, Dec 26, 2023 at 03:25:15PM +0800, Edward Adam Davis wrote:
> > The new version of __perf_event_read_size() only has a read action and does not
> > require a mutex, so the mutex assertion in the original loop is removed.
> > 
> > Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
> > Reported-and-tested-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> 
> hi,
> Mark suggested another fix earlier [1], but I haven't seen the formal patch yet
> 
> jirka
> 
> 
> [1] https://lore.kernel.org/linux-perf-users/ZXwubNIxKH9s7DWt@FVFF77S0Q05N/

For the sake of the archive, that went out as:

  https://lore.kernel.org/lkml/20231215112450.3972309-1-mark.rutland@arm.com/

... was picked up in the tip branch:

  https://lore.kernel.org/lkml/170264057897.398.420625380438569608.tip-bot2@tip-bot2/

... was sent to Linus:

  https://lore.kernel.org/lkml/20231217202613.GAZX9ZZWMM%2FytA74VC@fat_crate.local/

... was merged in v6.7-rc6:
  
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.7-rc6&id=177c2ffe69555dde28fad5ddb62a6d806982e53f

... and can be found at:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.7-rc6&id=7e2c1e4b34f07d9aa8937fab88359d4a0fce468e

Mark.

> 
> > ---
> >  kernel/events/core.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/kernel/events/core.c b/kernel/events/core.c
> > index 9efd0d7775e7..e71e61b46416 100644
> > --- a/kernel/events/core.c
> > +++ b/kernel/events/core.c
> > @@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
> >  	event->id_header_size = size;
> >  }
> >  
> > +#define read_for_each_sibling_event(sibling, event)		\
> > +	if ((event)->group_leader == (event))			\
> > +		list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
> > +
> >  /*
> >   * Check that adding an event to the group does not result in anybody
> >   * overflowing the 64k event limit imposed by the output buffer.
> > @@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
> >  	if (event == group_leader)
> >  		return true;
> >  
> > -	for_each_sibling_event(sibling, group_leader) {
> > +	read_for_each_sibling_event(sibling, group_leader) {
> >  		if (__perf_event_read_size(sibling->attr.read_format,
> >  					   group_leader->nr_siblings + 1) > 16*1024)
> >  			return false;
> > -- 
> > 2.43.0
> > 

Re: [PATCH] perf: fix WARNING in perf_event_open

[Mark Rutland]

On Tue, Dec 26, 2023 at 03:25:15PM +0800, Edward Adam Davis wrote:
> The new version of __perf_event_read_size() only has a read action and does not
> require a mutex, so the mutex assertion in the original loop is removed.
> 
> Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
> Reported-and-tested-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  kernel/events/core.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

Thanks for the patch; this should be fixed by:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.7-rc6&id=7e2c1e4b34f07d9aa8937fab88359d4a0fce468e

... which is in v6.7-rc6.

Mark.

> 
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 9efd0d7775e7..e71e61b46416 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
>  	event->id_header_size = size;
>  }
>  
> +#define read_for_each_sibling_event(sibling, event)		\
> +	if ((event)->group_leader == (event))			\
> +		list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
> +
>  /*
>   * Check that adding an event to the group does not result in anybody
>   * overflowing the 64k event limit imposed by the output buffer.
> @@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
>  	if (event == group_leader)
>  		return true;
>  
> -	for_each_sibling_event(sibling, group_leader) {
> +	read_for_each_sibling_event(sibling, group_leader) {
>  		if (__perf_event_read_size(sibling->attr.read_format,
>  					   group_leader->nr_siblings + 1) > 16*1024)
>  			return false;
> -- 
> 2.43.0
> 

Re: [syzbot] [perf?] WARNING in perf_event_open

[syzbot]

syzbot suspects this issue was fixed by commit:

commit 7e2c1e4b34f07d9aa8937fab88359d4a0fce468e
Author: Mark Rutland <mark.rutland@arm.com>
Date:   Fri Dec 15 11:24:50 2023 +0000

    perf: Fix perf_event_validate_size() lockdep splat

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=157c509c180000
start commit:   5abde6246522 bpf: Avoid unnecessary use of comma operator ..
git tree:       bpf-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ba8929e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17be7265e80000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: perf: Fix perf_event_validate_size() lockdep splat

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Re: [syzbot] [perf?] WARNING in perf_event_open

[Mark Rutland]

On Thu, Feb 22, 2024 at 07:58:02PM -0800, syzbot wrote:
> syzbot suspects this issue was fixed by commit:
> 
> commit 7e2c1e4b34f07d9aa8937fab88359d4a0fce468e
> Author: Mark Rutland <mark.rutland@arm.com>
> Date:   Fri Dec 15 11:24:50 2023 +0000
> 
>     perf: Fix perf_event_validate_size() lockdep splat
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=157c509c180000
> start commit:   5abde6246522 bpf: Avoid unnecessary use of comma operator ..
> git tree:       bpf-next
> kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
> dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ba8929e80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17be7265e80000
> 
> If the result looks correct, please mark the issue as fixed by replying with:
> 
> #syz fix: perf: Fix perf_event_validate_size() lockdep splat

I believe syzbot is correct; this is fixed by commit:

  7e2c1e4b34f07d9a ("perf: Fix perf_event_validate_size() lockdep splat")

... so:

#syz fix: perf: Fix perf_event_validate_size() lockdep splat

Mark.

Re: [syzbot] [perf?] WARNING in perf_event_open

[xingwei lee]

Hello, I reproduced this bug with repro.c and repro.txt with the same
configure in syzbot and comfiled this bug in the lastest
mainline/net/bpf

bpd-next kernel: 441c725ed592cb22f2a82f2827dccd045356cc81
kernel config: https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
and I also notice it maybe the same bug as
https://lore.kernel.org/all/ZXpm6gQ%2Fd59jGsuW@xpf.sh.intel.com/

Anyway

=* repro.c =*
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }

static uint64_t current_time_ms(void) {
 struct timespec ts;
 if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
 return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)     \
 *(type*)(addr) =                                                   \
     htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
           (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

static bool write_file(const char* file, const char* what, ...) {
 char buf[1024];
 va_list args;
 va_start(args, what);
 vsnprintf(buf, sizeof(buf), what, args);
 va_end(args);
 buf[sizeof(buf) - 1] = 0;
 int len = strlen(buf);
 int fd = open(file, O_WRONLY | O_CLOEXEC);
 if (fd == -1) return false;
 if (write(fd, buf, len) != len) {
   int err = errno;
   close(fd);
   errno = err;
   return false;
 }
 close(fd);
 return true;
}

static void kill_and_wait(int pid, int* status) {
 kill(-pid, SIGKILL);
 kill(pid, SIGKILL);
 for (int i = 0; i < 100; i++) {
   if (waitpid(-1, status, WNOHANG | __WALL) == pid) return;
   usleep(1000);
 }
 DIR* dir = opendir("/sys/fs/fuse/connections");
 if (dir) {
   for (;;) {
     struct dirent* ent = readdir(dir);
     if (!ent) break;
     if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
       continue;
     char abort[300];
     snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
              ent->d_name);
     int fd = open(abort, O_WRONLY);
     if (fd == -1) {
       continue;
     }
     if (write(fd, abort, 1) < 0) {
     }
     close(fd);
   }
   closedir(dir);
 } else {
 }
 while (waitpid(-1, status, __WALL) != pid) {
 }
}

static void setup_test() {
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 setpgrp();
 write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void) {
 int iter = 0;
 for (;; iter++) {
   int pid = fork();
   if (pid < 0) exit(1);
   if (pid == 0) {
     setup_test();
     execute_one();
     exit(0);
   }
   int status = 0;
   uint64_t start = current_time_ms();
   for (;;) {
     if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
     sleep_ms(1);
     if (current_time_ms() - start < 5000) continue;
     kill_and_wait(pid, &status);
     break;
   }
 }
}

void execute_one(void) {
 *(uint32_t*)0x2001d000 = 1;
 *(uint32_t*)0x2001d004 = 0x80;
 *(uint8_t*)0x2001d008 = 0;
 *(uint8_t*)0x2001d009 = 0;
 *(uint8_t*)0x2001d00a = 0;
 *(uint8_t*)0x2001d00b = 0;
 *(uint32_t*)0x2001d00c = 0;
 *(uint64_t*)0x2001d010 = 0x7f;
 *(uint64_t*)0x2001d018 = 0;
 *(uint64_t*)0x2001d020 = 0;
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 0, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 1, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 2, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 3, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 4, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 5, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 6, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 7, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 8, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 9, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 10, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 11, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 12, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 13, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 14, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 15, 2);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 17, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 18, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 19, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 20, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 21, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 22, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 23, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 24, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 25, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 26, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 27, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 28, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 29, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 30, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 31, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 32, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 33, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 34, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 35, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 36, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 37, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 38, 26);
 *(uint32_t*)0x2001d030 = 0;
 *(uint32_t*)0x2001d034 = 0;
 *(uint64_t*)0x2001d038 = 0;
 *(uint64_t*)0x2001d040 = 0;
 *(uint64_t*)0x2001d048 = 0;
 *(uint64_t*)0x2001d050 = 0;
 *(uint32_t*)0x2001d058 = 0;
 *(uint32_t*)0x2001d05c = 0;
 *(uint64_t*)0x2001d060 = 0;
 *(uint32_t*)0x2001d068 = 0;
 *(uint16_t*)0x2001d06c = 0;
 *(uint16_t*)0x2001d06e = 0;
 *(uint32_t*)0x2001d070 = 0;
 *(uint32_t*)0x2001d074 = 0;
 *(uint64_t*)0x2001d078 = 0;
 syscall(__NR_perf_event_open, /*attr=*/0x2001d000ul, /*pid=*/0, /*cpu=*/-1,
         /*group=*/-1, /*flags=*/0ul);
}
int main(void) {
 syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
         /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
 syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
         /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
 syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
         /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
 loop();
 return 0;
}

=* repro.txt =*
perf_event_open(&(0x7f000001d000)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0,
0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff,
0x0)

and also https://gist.github.com/xrivendell7/128e198d8ff27d003998b4f0cc19bb74

I hope it helps.
Thanks!
Best regards.
xingwei Lee