syzbot

 sign-in | mailing list | source | docs
🐞 Open [196]
🐞 Fixed [42]
🐞 Invalid [470]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

possible deadlock in uinput_request_submit

Status: public: reported C repro on 2019/04/14 09:33
Reported-by: syzbot+aeecd8ac161c94ba9daa@syzkaller.appspotmail.com
First crash: 2391d, last: 2218d
Similar bugs (3)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 possible deadlock in uinput_request_submit origin:upstream missing-backport 4 C error 8 12d 480d 0/3 upstream: reported C repro on 2024/05/05 13:52
upstream possible deadlock in uinput_request_submit input 4 C error 55 2d21h 489d 0/29 upstream: reported C repro on 2024/04/26 04:42
linux-5.15 possible deadlock in uinput_request_submit origin:upstream 4 C 8 14d 480d 0/3 upstream: reported C repro on 2024/05/05 13:53

Sample crash report:
input: syz0 as /devices/virtual/input/input49
input: syz0 as /devices/virtual/input/input50
input: syz0 as /devices/virtual/input/input51
input: syz0 as /devices/virtual/input/input52
======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #23 Not tainted
-------------------------------------------------------
syz-executor116/2216 is trying to acquire lock:
 (&newdev->mutex){+.+.+.}, at: [<ffffffff8207f2e9>] uinput_request_send drivers/input/misc/uinput.c:116 [inline]
 (&newdev->mutex){+.+.+.}, at: [<ffffffff8207f2e9>] uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
but task is already holding lock:
 (&ff->mutex){+.+...}, at: [<ffffffff8204aefa>] input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135
which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
       input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135
       evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
       evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
       evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
       C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
       compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
       do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
       do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
       evdev_mark_dead drivers/input/evdev.c:1345 [inline]
       evdev_cleanup+0x26/0x1a0 drivers/input/evdev.c:1354
       evdev_disconnect+0x43/0xa0 drivers/input/evdev.c:1446
       __input_unregister_device+0x1ec/0x490 drivers/input/input.c:2023
       input_unregister_device+0xa6/0xf0 drivers/input/input.c:2197
       uinput_destroy_device+0x1cf/0x220 drivers/input/misc/uinput.c:246
       uinput_release+0x3a/0x50 drivers/input/misc/uinput.c:658
       __fput+0x263/0x700 fs/file_table.c:208
       ____fput+0x15/0x20 fs/file_table.c:244
       task_work_run+0x10c/0x180 kernel/task_work.c:116
       exit_task_work include/linux/task_work.h:21 [inline]
       do_exit+0x78d/0x2a50 kernel/exit.c:833
       do_group_exit+0x111/0x300 kernel/exit.c:937
       SYSC_exit_group kernel/exit.c:948 [inline]
       SyS_exit_group+0x1d/0x20 kernel/exit.c:946
       do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
       do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
       input_register_device.cold.13+0x39/0x204 drivers/input/input.c:2146
       uinput_create_device drivers/input/misc/uinput.c:302 [inline]
       uinput_ioctl_handler.isra.4+0x84a/0x1980 drivers/input/misc/uinput.c:817
       uinput_compat_ioctl+0x5f/0x80 drivers/input/misc/uinput.c:1001
       C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
       compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
       do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
       do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
       uinput_request_send drivers/input/misc/uinput.c:116 [inline]
       uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
       uinput_request_submit drivers/input/misc/uinput.c:144 [inline]
       uinput_dev_upload_effect+0x14a/0x1c0 drivers/input/misc/uinput.c:216
       input_ff_upload+0x528/0xa00 drivers/input/ff-core.c:165
       evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
       evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
       evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
       C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
       compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
       do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
       do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

other info that might help us debug this:

Chain exists of:
 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ff->mutex);
                               lock(&evdev->mutex);
                               lock(&ff->mutex);
  lock(&newdev->mutex);

 *** DEADLOCK ***

2 locks held by syz-executor116/2216:
 #0:  (&evdev->mutex){+.+...}, at: [<ffffffff820577f2>] evdev_ioctl_handler+0x112/0x1820 drivers/input/evdev.c:1293
 #1:  (&ff->mutex){+.+...}, at: [<ffffffff8204aefa>] input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135

stack backtrace:
CPU: 1 PID: 2216 Comm: syz-executor116 Not tainted 4.9.141+ #23
 ffff8801c9dc7778 ffffffff81b42e79 ffffffff83cc2500 ffffffff83cc4bd0
 ffffffff83cc10c0 ffff8801c9b120b8 ffff8801c9b117c0 ffff8801c9dc77c0
 ffffffff813fee40 0000000000000002 00000000c9b12098 0000000000000002
Call Trace:
 [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff813fee40>] print_circular_bug.cold.36+0x2f7/0x432 kernel/locking/lockdep.c:1202
 [<ffffffff8120a539>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [<ffffffff8120a539>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [<ffffffff8120a539>] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [<ffffffff8120a539>] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
 [<ffffffff8120c8d0>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [<ffffffff8280ce4c>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [<ffffffff8280ce4c>] mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
 [<ffffffff8207f2e9>] uinput_request_send drivers/input/misc/uinput.c:116 [inline]
 [<ffffffff8207f2e9>] uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
 [<ffffffff8208237a>] uinput_request_submit drivers/input/misc/uinput.c:144 [inline]
 [<ffffffff8208237a>] uinput_dev_upload_effect+0x14a/0x1c0 drivers/input/misc/uinput.c:216
 [<ffffffff8204b318>] input_ff_upload+0x528/0xa00 drivers/input/ff-core.c:165
 [<ffffffff82058542>] evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
 [<ffffffff82058542>] evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
 [<ffffffff82058f29>] evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
 [<ffffffff81619c8d>] C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
 [<ffffffff81619c8d>] compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
 [<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
 [<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
 [<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/05/24 14:58 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 0dadcd9d .config console log report syz C ci-android-49-kasan-gce-386
2019/08/01 22:49 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 835dffe7 .config console log report ci-android-49-kasan-gce-386
2019/06/23 20:52 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 472f0082 .config console log report ci-android-49-kasan-gce-386
2019/05/24 12:38 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 0dadcd9d .config console log report ci-android-49-kasan-gce-386
2019/02/09 20:59 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 d75f7686 .config console log report ci-android-49-kasan-gce-386
* Struck through repros no longer work on HEAD.