======================================================
WARNING: possible circular locking dependency detected
4.14.231-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/19497 is trying to acquire lock:
 (&event->child_mutex){+.+.}, at: [] perf_event_read_value+0x78/0x410 kernel/events/core.c:4453

but task is already holding lock:
 (&cpuctx_mutex){+.+.}, at: [] perf_event_ctx_lock_nested+0x14d/0x2c0 kernel/events/core.c:1241

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #5 (&cpuctx_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       perf_event_init_cpu+0xb7/0x170 kernel/events/core.c:11250
       perf_event_init+0x2cc/0x308 kernel/events/core.c:11297
       start_kernel+0x46a/0x770 init/main.c:620
       secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240

-> #4 (pmus_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       perf_event_init_cpu+0x2c/0x170 kernel/events/core.c:11244
       cpuhp_invoke_callback+0x1e6/0x1a80 kernel/cpu.c:184
       cpuhp_up_callbacks kernel/cpu.c:572 [inline]
       _cpu_up+0x219/0x500 kernel/cpu.c:1144
       do_cpu_up+0x9a/0x160 kernel/cpu.c:1179
       smp_init+0x197/0x1ac kernel/smp.c:578
       kernel_init_freeable+0x3f4/0x614 init/main.c:1068
       kernel_init+0xd/0x164 init/main.c:1000
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

-> #3 (cpu_hotplug_lock.rw_sem){++++}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       cpus_read_lock+0x39/0xc0 kernel/cpu.c:295
       static_key_slow_inc+0xe/0x20 kernel/jump_label.c:123
       tracepoint_add_func+0x747/0xa40 kernel/tracepoint.c:269
       tracepoint_probe_register_prio kernel/tracepoint.c:331 [inline]
       tracepoint_probe_register+0x8c/0xc0 kernel/tracepoint.c:352
       trace_event_reg+0x272/0x330 kernel/trace/trace_events.c:305
       perf_trace_event_reg kernel/trace/trace_event_perf.c:122 [inline]
       perf_trace_event_init kernel/trace/trace_event_perf.c:197 [inline]
       perf_trace_init+0x424/0xa30 kernel/trace/trace_event_perf.c:221
       perf_tp_event_init+0x79/0xf0 kernel/events/core.c:8138
       perf_try_init_event+0x15b/0x1f0 kernel/events/core.c:9369
       perf_init_event kernel/events/core.c:9407 [inline]
       perf_event_alloc.part.0+0xe2d/0x2640 kernel/events/core.c:9667
       perf_event_alloc kernel/events/core.c:10020 [inline]
       SYSC_perf_event_open kernel/events/core.c:10124 [inline]
       SyS_perf_event_open+0x67f/0x24b0 kernel/events/core.c:10010
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #2 (tracepoints_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       tracepoint_probe_register_prio kernel/tracepoint.c:327 [inline]
       tracepoint_probe_register+0x68/0xc0 kernel/tracepoint.c:352
       trace_event_reg+0x272/0x330 kernel/trace/trace_events.c:305
       perf_trace_event_reg kernel/trace/trace_event_perf.c:122 [inline]
       perf_trace_event_init kernel/trace/trace_event_perf.c:197 [inline]
       perf_trace_init+0x424/0xa30 kernel/trace/trace_event_perf.c:221
       perf_tp_event_init+0x79/0xf0 kernel/events/core.c:8138
       perf_try_init_event+0x15b/0x1f0 kernel/events/core.c:9369
       perf_init_event kernel/events/core.c:9407 [inline]
       perf_event_alloc.part.0+0xe2d/0x2640 kernel/events/core.c:9667
       perf_event_alloc kernel/events/core.c:10020 [inline]
       SYSC_perf_event_open kernel/events/core.c:10124 [inline]
       SyS_perf_event_open+0x67f/0x24b0 kernel/events/core.c:10010
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (event_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       perf_trace_destroy+0x23/0xf0 kernel/trace/trace_event_perf.c:234
       _free_event+0x321/0xe20 kernel/events/core.c:4244
       free_event+0x32/0x40 kernel/events/core.c:4271
       perf_event_release_kernel+0x368/0x8a0 kernel/events/core.c:4415
       perf_release+0x33/0x40 kernel/events/core.c:4441
       __fput+0x25f/0x7a0 fs/file_table.c:210
       task_work_run+0x11f/0x190 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:191 [inline]
       exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
       prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
       do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&event->child_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       perf_event_read_value+0x78/0x410 kernel/events/core.c:4453
       perf_read_one kernel/events/core.c:4575 [inline]
       __perf_read kernel/events/core.c:4626 [inline]
       perf_read+0x3e2/0x7c0 kernel/events/core.c:4639
       do_loop_readv_writev fs/read_write.c:695 [inline]
       do_loop_readv_writev fs/read_write.c:682 [inline]
       do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
       vfs_readv+0xc8/0x120 fs/read_write.c:981
       do_readv+0xfc/0x2c0 fs/read_write.c:1014
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  &event->child_mutex --> pmus_lock --> &cpuctx_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&cpuctx_mutex);
                               lock(pmus_lock);
                               lock(&cpuctx_mutex);
  lock(&event->child_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.5/19497:
 #0: (&cpuctx_mutex){+.+.}, at: [] perf_event_ctx_lock_nested+0x14d/0x2c0 kernel/events/core.c:1241

stack backtrace:
CPU: 1 PID: 19497 Comm: syz-executor.5 Not tainted 4.14.231-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 perf_event_read_value+0x78/0x410 kernel/events/core.c:4453
 perf_read_one kernel/events/core.c:4575 [inline]
 __perf_read kernel/events/core.c:4626 [inline]
 perf_read+0x3e2/0x7c0 kernel/events/core.c:4639
 do_loop_readv_writev fs/read_write.c:695 [inline]
 do_loop_readv_writev fs/read_write.c:682 [inline]
 do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
 vfs_readv+0xc8/0x120 fs/read_write.c:981
 do_readv+0xfc/0x2c0 fs/read_write.c:1014
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x466459
RSP: 002b:00007f71b6c76188 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000466459
RDX: 0000000000000001 RSI: 00000000200002c0 RDI: 0000000000000005
RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffc14f6cf3f R14: 00007f71b6c76300 R15: 0000000000022000
audit: type=1804 audit(1619041477.752:141): pid=19532 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir771531380/syzkaller.0JoeS9/295/bus" dev="sda1" ino=14162 res=1
audit: type=1804 audit(1619041477.802:142): pid=19533 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.1" name="/root/syzkaller-testdir791424094/syzkaller.hko63V/282/bus" dev="sda1" ino=14241 res=1
ion_mmap: failure mapping buffer to userspace
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
ion_mmap: failure mapping buffer to userspace
ion_mmap: failure mapping buffer to userspace
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
ion_mmap: failure mapping buffer to userspace
ion_mmap: failure mapping buffer to userspace
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
ion_mmap: failure mapping buffer to userspace
ion_mmap: failure mapping buffer to userspace
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
ip_tables: iptables: counters copy to user failed while replacing table
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
input: syz1 as /devices/virtual/input/input11
input: syz1 as /devices/virtual/input/input12
input: syz1 as /devices/virtual/input/input13
ip_tables: iptables: counters copy to user failed while replacing table
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
input: syz1 as /devices/virtual/input/input14
input: syz1 as /devices/virtual/input/input15
ip_tables: iptables: counters copy to user failed while replacing table
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
ip_tables: iptables: counters copy to user failed while replacing table
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
ip_tables: iptables: counters copy to user failed while replacing table
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
ip_tables: iptables: counters copy to user failed while replacing table
ip_tables: iptables: counters copy to user failed while replacing table
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
batman_adv: batadv0: adding TT local entry ba:0e:72:00:ff:ff to non-existent VLAN 1280
batman_adv: batadv0: adding TT local entry ba:0e:72:00:ff:ff to non-existent VLAN 1280
batman_adv: batadv0: adding TT local entry ba:0e:72:00:ff:ff to non-existent VLAN 1280
batman_adv: batadv0: adding TT local entry ba:0e:72:00:ff:ff to non-existent VLAN 1280
batman_adv: batadv0: adding TT local entry ba:0e:72:00:ff:ff to non-existent VLAN 1280
batman_adv: batadv0: adding TT local entry ba:0e:72:00:ff:ff to non-existent VLAN 1280
batman_adv: batadv0: adding TT local entry ba:0e:72:00:ff:ff to non-existent VLAN 1280
batman_adv: batadv0: adding TT local entry ba:0e:72:00:ff:ff to non-existent VLAN 1280
batman_adv: batadv0: adding TT local entry ba:0e:72:00:ff:ff to non-existent VLAN 1280
batman_adv: batadv0: adding TT local entry ba:0e:72:00:ff:ff to non-existent VLAN 1280