./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1823331683 <...>
Warning: Permanently added '10.128.1.166' (ED25519) to the list of known hosts.
execve("./syz-executor1823331683", ["./syz-executor1823331683"], 0x7ffde7202f20 /* 10 vars */) = 0
brk(NULL) = 0x55557ec1b000
brk(0x55557ec1bd00) = 0x55557ec1bd00
arch_prctl(ARCH_SET_FS, 0x55557ec1b380) = 0
set_tid_address(0x55557ec1b650) = 5849
set_robust_list(0x55557ec1b660, 24) = 0
rseq(0x55557ec1bca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor1823331683", 4096) = 28
getrandom("\xea\xe8\x2f\xc9\x91\x4d\xd1\x0c", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55557ec1bd00
brk(0x55557ec3cd00) = 0x55557ec3cd00
brk(0x55557ec3d000) = 0x55557ec3d000
mprotect(0x7f68266f0000, 16384, PROT_READ) = 0
mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000
mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000
mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5850 attached
[pid 5850] set_robust_list(0x55557ec1b660, 24
[pid 5849] <... clone resumed>, child_tidptr=0x55557ec1b650) = 5850
[pid 5850] <... set_robust_list resumed>) = 0
[pid 5850] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5850] setpgid(0, 0) = 0
[pid 5850] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5850] write(3, "1000", 4) = 4
[pid 5850] close(3) = 0
executing program
[pid 5850] write(1, "executing program\n", 18) = 18
[pid 5850] openat(AT_FDCWD, "/dev/uinput", O_RDWR|O_NONBLOCK) = 3
[pid 5850] ioctl(3, UI_DEV_SETUP, 0x200000000280) = 0
[pid 5850] ioctl(3, UI_SET_FFBIT, 0x51) = 0
[pid 5850] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0
[pid 5850] openat(AT_FDCWD, "/dev/input/event4", O_RDONLY) = 4
[ 88.373418][ T5850] input: syz1 as /devices/virtual/input/input5
[ 88.409774][ T5850]
[ 88.412148][ T5850] ======================================================
[ 88.419154][ T5850] WARNING: possible circular locking dependency detected
[ 88.426188][ T5850] 6.16.0-rc6-next-20250717-syzkaller #0 Not tainted
[ 88.432764][ T5850] ------------------------------------------------------
[ 88.439788][ T5850] syz-executor182/5850 is trying to acquire lock:
[ 88.446208][ T5850] ffff888056962070 (&newdev->mutex){+.+.}-{4:4}, at: uinput_request_submit+0x188/0x6f0
[ 88.455896][ T5850]
[ 88.455896][ T5850] but task is already holding lock:
[ 88.463254][ T5850] ffff8880203c20b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x398/0xb30
[ 88.472047][ T5850]
[ 88.472047][ T5850] which lock already depends on the new lock.
[ 88.472047][ T5850]
[ 88.482438][ T5850]
[ 88.482438][ T5850] the existing dependency chain (in reverse order) is:
[ 88.491450][ T5850]
[ 88.491450][ T5850] -> #3 (&ff->mutex){+.+.}-{4:4}:
[ 88.498654][ T5850]        lock_acquire+0x120/0x360
[ 88.503683][ T5850]        __mutex_lock+0x182/0xe80
[ 88.508711][ T5850]        input_ff_flush+0x5d/0x170
[ 88.513836][ T5850]        input_flush_device+0xb4/0x110
[ 88.519377][ T5850]        evdev_release+0xe1/0x800
[ 88.524397][ T5850]        __fput+0x449/0xa70
[ 88.528895][ T5850]        fput_close_sync+0x119/0x200
[ 88.534176][ T5850]        __x64_sys_close+0x7f/0x110
[ 88.539369][ T5850]        do_syscall_64+0xfa/0x3b0
[ 88.544387][ T5850]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.550797][ T5850]
[ 88.550797][ T5850] -> #2 (&dev->mutex#2){+.+.}-{4:4}:
[ 88.558275][ T5850]        lock_acquire+0x120/0x360
[ 88.563295][ T5850]        __mutex_lock+0x182/0xe80
[ 88.568311][ T5850]        input_register_handle+0x18f/0x530
[ 88.574110][ T5850]        kbd_connect+0xc3/0x140
[ 88.578963][ T5850]        input_register_device+0xcfd/0x1140
[ 88.584851][ T5850]        acpi_button_add+0x6b1/0xb50
[ 88.590137][ T5850]        acpi_device_probe+0xa5/0x2d0
[ 88.595502][ T5850]        really_probe+0x26a/0x9e0
[ 88.600520][ T5850]        __driver_probe_device+0x18c/0x2f0
[ 88.606322][ T5850]        driver_probe_device+0x4f/0x430
[ 88.611864][ T5850]        __driver_attach+0x452/0x700
[ 88.617141][ T5850]        bus_for_each_dev+0x230/0x2b0
[ 88.622512][ T5850]        bus_add_driver+0x345/0x640
[ 88.627708][ T5850]        driver_register+0x23a/0x320
[ 88.632989][ T5850]        do_one_initcall+0x233/0x820
[ 88.638288][ T5850]        do_initcall_level+0x137/0x1f0
[ 88.643738][ T5850]        do_initcalls+0x69/0xd0
[ 88.648591][ T5850]        kernel_init_freeable+0x3d9/0x590
[ 88.654312][ T5850]        kernel_init+0x1d/0x1d0
[ 88.659155][ T5850]        ret_from_fork+0x3f9/0x770
[ 88.664273][ T5850]        ret_from_fork_asm+0x1a/0x30
[ 88.669557][ T5850]
[ 88.669557][ T5850] -> #1 (input_mutex){+.+.}-{4:4}:
[ 88.676851][ T5850]        lock_acquire+0x120/0x360
[ 88.681872][ T5850]        __mutex_lock+0x182/0xe80
[ 88.686897][ T5850]        input_register_device+0xa76/0x1140
[ 88.692792][ T5850]        uinput_create_device+0x422/0x670
[ 88.698516][ T5850]        uinput_ioctl_handler+0x3f0/0x1570
[ 88.704316][ T5850]        __se_sys_ioctl+0xf9/0x170
[ 88.709442][ T5850]        do_syscall_64+0xfa/0x3b0
[ 88.714475][ T5850]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.720901][ T5850]
[ 88.720901][ T5850] -> #0 (&newdev->mutex){+.+.}-{4:4}:
[ 88.728457][ T5850]        validate_chain+0xb9b/0x2140
[ 88.733743][ T5850]        __lock_acquire+0xab9/0xd20
[ 88.738942][ T5850]        lock_acquire+0x120/0x360
[ 88.743959][ T5850]        __mutex_lock+0x182/0xe80
[ 88.748986][ T5850]        uinput_request_submit+0x188/0x6f0
[ 88.754785][ T5850]        uinput_dev_upload_effect+0x150/0x1e0
[ 88.760844][ T5850]        input_ff_upload+0x5f8/0xb30
[ 88.766124][ T5850]        evdev_ioctl_handler+0x1644/0x1f10
[ 88.771923][ T5850]        __se_sys_ioctl+0xf9/0x170
[ 88.777025][ T5850]        do_syscall_64+0xfa/0x3b0
[ 88.782059][ T5850]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.788462][ T5850]
[ 88.788462][ T5850] other info that might help us debug this:
[ 88.788462][ T5850]
[ 88.798675][ T5850] Chain exists of:
[ 88.798675][ T5850]   &newdev->mutex --> &dev->mutex#2 --> &ff->mutex
[ 88.798675][ T5850]
[ 88.811012][ T5850]  Possible unsafe locking scenario:
[ 88.811012][ T5850]
[ 88.818449][ T5850]        CPU0                    CPU1
[ 88.823804][ T5850]        ----                    ----
[ 88.829273][ T5850]   lock(&ff->mutex);
[ 88.833253][ T5850]                                lock(&dev->mutex#2);
[ 88.840011][ T5850]                                lock(&ff->mutex);
[ 88.846510][ T5850]   lock(&newdev->mutex);
[ 88.850855][ T5850]
[ 88.850855][ T5850]  *** DEADLOCK ***
[ 88.850855][ T5850]
[ 88.858985][ T5850] 2 locks held by syz-executor182/5850:
[ 88.864517][ T5850]  #0: ffff8881427af118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_ioctl_handler+0x121/0x1f10
[ 88.874450][ T5850]  #1: ffff8880203c20b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x398/0xb30
[ 88.883684][ T5850]
[ 88.883684][ T5850] stack backtrace:
[ 88.889579][ T5850] CPU: 0 UID: 0 PID: 5850 Comm: syz-executor182 Not tainted 6.16.0-rc6-next-20250717-syzkaller #0 PREEMPT(full)
[ 88.889598][ T5850] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 88.889615][ T5850] Call Trace:
[ 88.889623][ T5850]
[ 88.889629][ T5850] dump_stack_lvl+0x189/0x250
[ 88.889654][ T5850] ? __pfx_dump_stack_lvl+0x10/0x10
[ 88.889675][ T5850] ? __pfx__printk+0x10/0x10
[ 88.889696][ T5850] ? print_lock_name+0xde/0x100
[ 88.889716][ T5850] print_circular_bug+0x2ee/0x310
[ 88.889738][ T5850] check_noncircular+0x134/0x160
[ 88.889759][ T5850] validate_chain+0xb9b/0x2140
[ 88.889780][ T5850] ? stack_trace_save+0x9c/0xe0
[ 88.889801][ T5850] ? __pfx_stack_trace_save+0x10/0x10
[ 88.889821][ T5850] ? __pfx_hlock_conflict+0x10/0x10
[ 88.889844][ T5850] __lock_acquire+0xab9/0xd20
[ 88.889861][ T5850] ? uinput_request_submit+0x188/0x6f0
[ 88.889876][ T5850] lock_acquire+0x120/0x360
[ 88.889890][ T5850] ? uinput_request_submit+0x188/0x6f0
[ 88.889909][ T5850] __mutex_lock+0x182/0xe80
[ 88.889928][ T5850] ? uinput_request_submit+0x188/0x6f0
[ 88.889943][ T5850] ? __lock_acquire+0xab9/0xd20
[ 88.889964][ T5850] ? uinput_request_submit+0x188/0x6f0
[ 88.889979][ T5850] ? __pfx___mutex_lock+0x10/0x10
[ 88.890000][ T5850] ? do_raw_spin_unlock+0x122/0x240
[ 88.890022][ T5850] ? _raw_spin_unlock+0x28/0x50
[ 88.890036][ T5850] ? uinput_request_alloc_id+0x3cf/0x400
[ 88.890052][ T5850] uinput_request_submit+0x188/0x6f0
[ 88.890066][ T5850] ? __pfx_preempt_schedule+0x10/0x10
[ 88.890082][ T5850] ? __mutex_trylock_common+0x153/0x260
[ 88.890102][ T5850] ? __pfx_uinput_request_submit+0x10/0x10
[ 88.890117][ T5850] ? preempt_schedule_thunk+0x16/0x30
[ 88.890135][ T5850] ? __mutex_lock+0x344/0xe80
[ 88.890155][ T5850] uinput_dev_upload_effect+0x150/0x1e0
[ 88.890171][ T5850] ? __pfx_uinput_dev_upload_effect+0x10/0x10
[ 88.890194][ T5850] input_ff_upload+0x5f8/0xb30
[ 88.890211][ T5850] evdev_ioctl_handler+0x1644/0x1f10
[ 88.890245][ T5850] ? do_vfs_ioctl+0xbe8/0x1430
[ 88.890262][ T5850] ? __pfx_evdev_ioctl_handler+0x10/0x10
[ 88.890282][ T5850] ? _raw_spin_lock_irq+0xae/0xf0
[ 88.890305][ T5850] ? __pfx_ptrace_notify+0x10/0x10
[ 88.890323][ T5850] ? bpf_lsm_file_ioctl+0x9/0x20
[ 88.890336][ T5850] ? __pfx_evdev_ioctl+0x10/0x10
[ 88.890353][ T5850] __se_sys_ioctl+0xf9/0x170
[ 88.890369][ T5850] do_syscall_64+0xfa/0x3b0
[ 88.890386][ T5850] ? lockdep_hardirqs_on+0x9c/0x150
[ 88.890402][ T5850] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.890414][ T5850] ? clear_bhb_loop+0x60/0xb0
[ 88.890429][ T5850] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.890442][ T5850] RIP: 0033:0x7f682667d9b9
[ 88.890457][ T5850] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 88.890468][ T5850] RSP: 002b:00007ffd4d829528 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 88.890482][ T5850] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f682667d9b9
[ 88.890491][ T5850] RDX: 0000200000000500 RSI: 0000000040304580 RDI: 0000000000000004
[ 88.890500][ T5850] RBP: 00007f68266f05f0 R08: 0000000000000006 R09: 0000000000000006
[ 88.890507][ T5850] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000001
[ 88.890515][ T5850] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
[ 88.890528][ T5850]
[ 91.883911][ T891] cfg80211: failed to load regulatory.db
[pid 5850] ioctl(4, EVIOCSFF, {type=FF_RUMBLE, id=-1, direction=13, ...}
[pid 5849] kill(-5850, SIGKILL) = 0
[pid 5849] kill(5850, SIGKILL) = 0
[pid 5849] openat(AT_FDCWD, "/sys/fs/fuse/connections", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
[pid 5849] newfstatat(3, "", {st_mode=S_IFDIR|0755, st_size=0, ...}, AT_EMPTY_PATH) = 0
[pid 5849] getdents64(3, 0x55557ec1c6f0 /* 2 entries */, 32768) = 48
[pid 5849] getdents64(3, 0x55557ec1c6f0 /* 0 entries */, 32768) = 0
[pid 5849] close(3) = 0