======================================================
WARNING: possible circular locking dependency detected
4.14.231-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/19497 is trying to acquire lock:
 (&event->child_mutex){+.+.}, at: [<ffffffff8163fd58>] perf_event_read_value+0x78/0x410 kernel/events/core.c:4453

but task is already holding lock:
 (&cpuctx_mutex){+.+.}, at: [<ffffffff816334ed>] perf_event_ctx_lock_nested+0x14d/0x2c0 kernel/events/core.c:1241

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #5 (&cpuctx_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       perf_event_init_cpu+0xb7/0x170 kernel/events/core.c:11250
       perf_event_init+0x2cc/0x308 kernel/events/core.c:11297
       start_kernel+0x46a/0x770 init/main.c:620
       secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240

-> #4 (pmus_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       perf_event_init_cpu+0x2c/0x170 kernel/events/core.c:11244
       cpuhp_invoke_callback+0x1e6/0x1a80 kernel/cpu.c:184
       cpuhp_up_callbacks kernel/cpu.c:572 [inline]
       _cpu_up+0x219/0x500 kernel/cpu.c:1144
       do_cpu_up+0x9a/0x160 kernel/cpu.c:1179
       smp_init+0x197/0x1ac kernel/smp.c:578
       kernel_init_freeable+0x3f4/0x614 init/main.c:1068
       kernel_init+0xd/0x164 init/main.c:1000
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

-> #3 (cpu_hotplug_lock.rw_sem){++++}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       cpus_read_lock+0x39/0xc0 kernel/cpu.c:295
       static_key_slow_inc+0xe/0x20 kernel/jump_label.c:123
       tracepoint_add_func+0x747/0xa40 kernel/tracepoint.c:269
       tracepoint_probe_register_prio kernel/tracepoint.c:331 [inline]
       tracepoint_probe_register+0x8c/0xc0 kernel/tracepoint.c:352
       trace_event_reg+0x272/0x330 kernel/trace/trace_events.c:305
       perf_trace_event_reg kernel/trace/trace_event_perf.c:122 [inline]
       perf_trace_event_init kernel/trace/trace_event_perf.c:197 [inline]
       perf_trace_init+0x424/0xa30 kernel/trace/trace_event_perf.c:221
       perf_tp_event_init+0x79/0xf0 kernel/events/core.c:8138
       perf_try_init_event+0x15b/0x1f0 kernel/events/core.c:9369
       perf_init_event kernel/events/core.c:9407 [inline]
       perf_event_alloc.part.0+0xe2d/0x2640 kernel/events/core.c:9667
       perf_event_alloc kernel/events/core.c:10020 [inline]
       SYSC_perf_event_open kernel/events/core.c:10124 [inline]
       SyS_perf_event_open+0x67f/0x24b0 kernel/events/core.c:10010
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #2 (tracepoints_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       tracepoint_probe_register_prio kernel/tracepoint.c:327 [inline]
       tracepoint_probe_register+0x68/0xc0 kernel/tracepoint.c:352
       trace_event_reg+0x272/0x330 kernel/trace/trace_events.c:305
       perf_trace_event_reg kernel/trace/trace_event_perf.c:122 [inline]
       perf_trace_event_init kernel/trace/trace_event_perf.c:197 [inline]
       perf_trace_init+0x424/0xa30 kernel/trace/trace_event_perf.c:221
       perf_tp_event_init+0x79/0xf0 kernel/events/core.c:8138
       perf_try_init_event+0x15b/0x1f0 kernel/events/core.c:9369
       perf_init_event kernel/events/core.c:9407 [inline]
       perf_event_alloc.part.0+0xe2d/0x2640 kernel/events/core.c:9667
       perf_event_alloc kernel/events/core.c:10020 [inline]
       SYSC_perf_event_open kernel/events/core.c:10124 [inline]
       SyS_perf_event_open+0x67f/0x24b0 kernel/events/core.c:10010
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (event_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       perf_trace_destroy+0x23/0xf0 kernel/trace/trace_event_perf.c:234
       _free_event+0x321/0xe20 kernel/events/core.c:4244
       free_event+0x32/0x40 kernel/events/core.c:4271
       perf_event_release_kernel+0x368/0x8a0 kernel/events/core.c:4415
       perf_release+0x33/0x40 kernel/events/core.c:4441
       __fput+0x25f/0x7a0 fs/file_table.c:210
       task_work_run+0x11f/0x190 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:191 [inline]
       exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
       prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
       do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&event->child_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       perf_event_read_value+0x78/0x410 kernel/events/core.c:4453
       perf_read_one kernel/events/core.c:4575 [inline]
       __perf_read kernel/events/core.c:4626 [inline]
       perf_read+0x3e2/0x7c0 kernel/events/core.c:4639
       do_loop_readv_writev fs/read_write.c:695 [inline]
       do_loop_readv_writev fs/read_write.c:682 [inline]
       do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
       vfs_readv+0xc8/0x120 fs/read_write.c:981
       do_readv+0xfc/0x2c0 fs/read_write.c:1014
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  &event->child_mutex --> pmus_lock --> &cpuctx_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&cpuctx_mutex);
                               lock(pmus_lock);
                               lock(&cpuctx_mutex);
  lock(&event->child_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.5/19497:
 #0:  (&cpuctx_mutex){+.+.}, at: [<ffffffff816334ed>] perf_event_ctx_lock_nested+0x14d/0x2c0 kernel/events/core.c:1241

stack backtrace:
CPU: 1 PID: 19497 Comm: syz-executor.5 Not tainted 4.14.231-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 perf_event_read_value+0x78/0x410 kernel/events/core.c:4453
 perf_read_one kernel/events/core.c:4575 [inline]
 __perf_read kernel/events/core.c:4626 [inline]
 perf_read+0x3e2/0x7c0 kernel/events/core.c:4639
 do_loop_readv_writev fs/read_write.c:695 [inline]
 do_loop_readv_writev fs/read_write.c:682 [inline]
 do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
 vfs_readv+0xc8/0x120 fs/read_write.c:981
 do_readv+0xfc/0x2c0 fs/read_write.c:1014
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x466459
RSP: 002b:00007f71b6c76188 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000466459
RDX: 0000000000000001 RSI: 00000000200002c0 RDI: 0000000000000005
RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffc14f6cf3f R14: 00007f71b6c76300 R15: 0000000000022000