./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2437827371 <...> Warning: Permanently added '10.128.1.33' (ED25519) to the list of known hosts. execve("./syz-executor2437827371", ["./syz-executor2437827371"], 0x7ffde21f4e80 /* 10 vars */) = 0 brk(NULL) = 0x55555a8ea000 brk(0x55555a8ead40) = 0x55555a8ead40 arch_prctl(ARCH_SET_FS, 0x55555a8ea3c0) = 0 set_tid_address(0x55555a8ea690) = 5836 set_robust_list(0x55555a8ea6a0, 24) = 0 rseq(0x55555a8eace0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2437827371", 4096) = 28 getrandom("\xc4\x5b\x1d\x54\x5e\x72\xb7\x1d", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555a8ead40 brk(0x55555a90bd40) = 0x55555a90bd40 brk(0x55555a90c000) = 0x55555a90c000 mprotect(0x7f832fdcf000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 write(1, "executing program\n", 18executing program ) = 18 futex(0x7f832fdd532c, FUTEX_WAKE_PRIVATE, 1000000) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f832fd74a60, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f832fd660e0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f832fce6000 mprotect(0x7f832fce7000, 131072, PROT_READ|PROT_WRITE) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f832fd06990, parent_tid=0x7f832fd06990, exit_signal=0, stack=0x7f832fce6000, stack_size=0x20300, 
tls=0x7f832fd066c0}./strace-static-x86_64: Process 5837 attached [pid 5837] rseq(0x7f832fd06fe0, 0x20, 0, 0x53053053 [pid 5836] <... clone3 resumed> => {parent_tid=[5837]}, 88) = 5837 [pid 5837] <... rseq resumed>) = 0 [pid 5837] set_robust_list(0x7f832fd069a0, 24) = 0 [pid 5837] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5837] futex(0x7f832fdd5328, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5836] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5836] futex(0x7f832fdd5328, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5837] <... futex resumed>) = 0 [pid 5836] futex(0x7f832fdd532c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5837] openat(AT_FDCWD, "/dev/uinput", O_RDONLY) = 3 [pid 5837] futex(0x7f832fdd532c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5836] <... futex resumed>) = 0 [pid 5837] <... futex resumed>) = 1 [pid 5836] futex(0x7f832fdd5328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5837] ioctl(3, UI_DEV_SETUP [pid 5836] futex(0x7f832fdd532c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5837] <... ioctl resumed>, 0x200000000180) = 0 [pid 5837] futex(0x7f832fdd532c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5836] <... futex resumed>) = 0 [pid 5837] <... futex resumed>) = 1 [pid 5836] futex(0x7f832fdd5328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5837] ioctl(3, UI_SET_FFBIT [pid 5836] futex(0x7f832fdd532c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5837] <... ioctl resumed>, 0x51) = 0 [pid 5837] futex(0x7f832fdd532c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5836] <... futex resumed>) = 0 [pid 5837] <... futex resumed>) = 1 [pid 5836] futex(0x7f832fdd5328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5837] futex(0x7f832fdd5328, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5836] <... futex resumed>) = 0 [pid 5837] <... 
futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5836] futex(0x7f832fdd532c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5837] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 [pid 5837] futex(0x7f832fdd532c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5836] <... futex resumed>) = 0 [pid 5837] <... futex resumed>) = 1 [pid 5836] futex(0x7f832fdd5328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5837] openat(AT_FDCWD, "/dev/input/event4", O_RDONLY [pid 5836] futex(0x7f832fdd532c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5837] <... openat resumed>) = 4 [pid 5837] futex(0x7f832fdd532c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5836] <... futex resumed>) = 0 [pid 5836] futex(0x7f832fdd5328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5837] <... futex resumed>) = 1 [pid 5836] <... futex resumed>) = 0 [pid 5837] ioctl(4, EVIOCSFF, {type=FF_RUMBLE, id=-1, direction=0, ...} [ 81.820844][ T5837] input: syz1 as /devices/virtual/input/input5 [ 81.865254][ T5837] [ 81.867621][ T5837] ====================================================== [ 81.874635][ T5837] WARNING: possible circular locking dependency detected [ 81.881675][ T5837] 6.16.0-rc7-syzkaller #0 Not tainted [ 81.887037][ T5837] ------------------------------------------------------ [ 81.894041][ T5837] syz-executor243/5837 is trying to acquire lock: [ 81.900442][ T5837] ffff888035f9e070 (&newdev->mutex){+.+.}-{4:4}, at: uinput_request_submit+0x188/0x6f0 [ 81.910123][ T5837] [ 81.910123][ T5837] but task is already holding lock: [ 81.917475][ T5837] ffff888035f9b0b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x398/0xae0 [ 81.926258][ T5837] [ 81.926258][ T5837] which lock already depends on the new lock. 
[ 81.926258][ T5837] [ 81.936685][ T5837] [ 81.936685][ T5837] the existing dependency chain (in reverse order) is: [ 81.945769][ T5837] [ 81.945769][ T5837] -> #3 (&ff->mutex){+.+.}-{4:4}: [ 81.952977][ T5837] lock_acquire+0x120/0x360 [ 81.958026][ T5837] __mutex_lock+0x182/0xe80 [ 81.963056][ T5837] input_ff_flush+0x5e/0x140 [ 81.968169][ T5837] input_flush_device+0xa6/0xd0 [ 81.973577][ T5837] evdev_release+0xe1/0x800 [ 81.978638][ T5837] __fput+0x44c/0xa70 [ 81.983154][ T5837] fput_close_sync+0x119/0x200 [ 81.988445][ T5837] __x64_sys_close+0x7f/0x110 [ 81.993653][ T5837] do_syscall_64+0xfa/0x3b0 [ 81.998679][ T5837] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 82.005092][ T5837] [ 82.005092][ T5837] -> #2 (&dev->mutex#2){+.+.}-{4:4}: [ 82.012572][ T5837] lock_acquire+0x120/0x360 [ 82.017593][ T5837] __mutex_lock+0x182/0xe80 [ 82.022627][ T5837] input_register_handle+0x18f/0x4c0 [ 82.028451][ T5837] kbd_connect+0xc3/0x140 [ 82.033399][ T5837] input_register_device+0xcee/0x10b0 [ 82.039299][ T5837] acpi_button_add+0x6b1/0xb50 [ 82.044592][ T5837] acpi_device_probe+0xa5/0x2d0 [ 82.049966][ T5837] really_probe+0x26a/0x9a0 [ 82.054994][ T5837] __driver_probe_device+0x18c/0x2f0 [ 82.060927][ T5837] driver_probe_device+0x4f/0x430 [ 82.066497][ T5837] __driver_attach+0x452/0x700 [ 82.071787][ T5837] bus_for_each_dev+0x230/0x2b0 [ 82.077159][ T5837] bus_add_driver+0x345/0x640 [ 82.082359][ T5837] driver_register+0x23a/0x320 [ 82.087641][ T5837] do_one_initcall+0x233/0x820 [ 82.092924][ T5837] do_initcall_level+0x137/0x1f0 [ 82.098389][ T5837] do_initcalls+0x69/0xd0 [ 82.103262][ T5837] kernel_init_freeable+0x3d9/0x570 [ 82.108987][ T5837] kernel_init+0x1d/0x1d0 [ 82.113845][ T5837] ret_from_fork+0x3fc/0x770 [ 82.118962][ T5837] ret_from_fork_asm+0x1a/0x30 [ 82.124346][ T5837] [ 82.124346][ T5837] -> #1 (input_mutex){+.+.}-{4:4}: [ 82.131655][ T5837] lock_acquire+0x120/0x360 [ 82.136676][ T5837] __mutex_lock+0x182/0xe80 [ 82.141694][ T5837] 
input_register_device+0xa74/0x10b0
[ 82.147594][ T5837] uinput_create_device+0x422/0x670
[ 82.153331][ T5837] uinput_ioctl_handler+0x3f0/0x1570
[ 82.159227][ T5837] __se_sys_ioctl+0xf9/0x170
[ 82.164358][ T5837] do_syscall_64+0xfa/0x3b0
[ 82.169387][ T5837] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 82.175802][ T5837]
[ 82.175802][ T5837] -> #0 (&newdev->mutex){+.+.}-{4:4}:
[ 82.183363][ T5837] validate_chain+0xb9b/0x2140
[ 82.188650][ T5837] __lock_acquire+0xab9/0xd20
[ 82.193849][ T5837] lock_acquire+0x120/0x360
[ 82.198873][ T5837] __mutex_lock+0x182/0xe80
[ 82.203901][ T5837] uinput_request_submit+0x188/0x6f0
[ 82.209709][ T5837] uinput_dev_upload_effect+0x150/0x1e0
[ 82.215792][ T5837] input_ff_upload+0x5fc/0xae0
[ 82.221081][ T5837] evdev_ioctl_handler+0x1644/0x1f10
[ 82.226883][ T5837] __se_sys_ioctl+0xf9/0x170
[ 82.231998][ T5837] do_syscall_64+0xfa/0x3b0
[ 82.237023][ T5837] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 82.243429][ T5837]
[ 82.243429][ T5837] other info that might help us debug this:
[ 82.243429][ T5837]
[ 82.253650][ T5837] Chain exists of:
[ 82.253650][ T5837] &newdev->mutex --> &dev->mutex#2 --> &ff->mutex
[ 82.253650][ T5837]
[ 82.266003][ T5837] Possible unsafe locking scenario:
[ 82.266003][ T5837]
[ 82.273443][ T5837]        CPU0                    CPU1
[ 82.278860][ T5837]        ----                    ----
[ 82.284320][ T5837]   lock(&ff->mutex);
[ 82.288315][ T5837]                                lock(&dev->mutex#2);
[ 82.295093][ T5837]                                lock(&ff->mutex);
[ 82.301601][ T5837]   lock(&newdev->mutex);
[ 82.306026][ T5837]
[ 82.306026][ T5837] *** DEADLOCK ***
[ 82.306026][ T5837]
[ 82.314174][ T5837] 2 locks held by syz-executor243/5837:
[ 82.319727][ T5837] #0: ffff888146fee118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_ioctl_handler+0x121/0x1f10
[ 82.329667][ T5837] #1: ffff888035f9b0b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x398/0xae0
[ 82.338913][ T5837]
[ 82.338913][ T5837] stack backtrace:
[ 82.344815][ T5837] CPU: 1 UID: 0 PID: 5837 Comm: syz-executor243 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
[
82.344832][ T5837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 82.344847][ T5837] Call Trace: [ 82.344857][ T5837] [ 82.344864][ T5837] dump_stack_lvl+0x189/0x250 [ 82.344883][ T5837] ? __pfx_dump_stack_lvl+0x10/0x10 [ 82.344899][ T5837] ? __pfx__printk+0x10/0x10 [ 82.344917][ T5837] ? print_lock_name+0xde/0x100 [ 82.344936][ T5837] print_circular_bug+0x2ee/0x310 [ 82.344954][ T5837] check_noncircular+0x134/0x160 [ 82.344973][ T5837] validate_chain+0xb9b/0x2140 [ 82.344992][ T5837] ? stack_trace_save+0x9c/0xe0 [ 82.345010][ T5837] ? __pfx_stack_trace_save+0x10/0x10 [ 82.345027][ T5837] ? __pfx_hlock_conflict+0x10/0x10 [ 82.345046][ T5837] __lock_acquire+0xab9/0xd20 [ 82.345061][ T5837] ? uinput_request_submit+0x188/0x6f0 [ 82.345079][ T5837] lock_acquire+0x120/0x360 [ 82.345091][ T5837] ? uinput_request_submit+0x188/0x6f0 [ 82.345112][ T5837] __mutex_lock+0x182/0xe80 [ 82.345128][ T5837] ? uinput_request_submit+0x188/0x6f0 [ 82.345146][ T5837] ? uinput_request_alloc_id+0x2f/0x400 [ 82.345165][ T5837] ? uinput_request_submit+0x188/0x6f0 [ 82.345183][ T5837] ? __pfx___mutex_lock+0x10/0x10 [ 82.345201][ T5837] ? do_raw_spin_unlock+0x122/0x240 [ 82.345220][ T5837] ? _raw_spin_unlock+0x28/0x50 [ 82.345242][ T5837] ? uinput_request_alloc_id+0x3cf/0x400 [ 82.345260][ T5837] uinput_request_submit+0x188/0x6f0 [ 82.345277][ T5837] ? __mutex_trylock_common+0x153/0x260 [ 82.345296][ T5837] ? __pfx_uinput_request_submit+0x10/0x10 [ 82.345314][ T5837] ? rcu_is_watching+0x15/0xb0 [ 82.345329][ T5837] ? trace_contention_end+0x39/0x120 [ 82.345347][ T5837] ? __mutex_lock+0x330/0xe80 [ 82.345364][ T5837] uinput_dev_upload_effect+0x150/0x1e0 [ 82.345382][ T5837] ? __pfx_uinput_dev_upload_effect+0x10/0x10 [ 82.345408][ T5837] input_ff_upload+0x5fc/0xae0 [ 82.345428][ T5837] evdev_ioctl_handler+0x1644/0x1f10 [ 82.345444][ T5837] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 82.345459][ T5837] ? 
__pfx_evdev_ioctl_handler+0x10/0x10 [ 82.345473][ T5837] ? __pfx_smack_log+0x10/0x10 [ 82.345493][ T5837] ? smk_access+0x14c/0x4e0 [ 82.345514][ T5837] ? smk_tskacc+0x2fc/0x370 [ 82.345535][ T5837] ? smack_file_ioctl+0x24a/0x340 [ 82.345548][ T5837] ? __pfx_smack_file_ioctl+0x10/0x10 [ 82.345565][ T5837] ? __fget_files+0x2a/0x420 [ 82.345582][ T5837] ? bpf_lsm_file_ioctl+0x9/0x20 [ 82.345603][ T5837] ? __pfx_evdev_ioctl+0x10/0x10 [ 82.345615][ T5837] __se_sys_ioctl+0xf9/0x170 [ 82.345637][ T5837] do_syscall_64+0xfa/0x3b0 [ 82.345653][ T5837] ? lockdep_hardirqs_on+0x9c/0x150 [ 82.345666][ T5837] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 82.345680][ T5837] ? clear_bhb_loop+0x60/0xb0 [ 82.345696][ T5837] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 82.345709][ T5837] RIP: 0033:0x7f832fd4ebb9 [ 82.345725][ T5837] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 82.345737][ T5837] RSP: 002b:00007f832fd06218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 82.345751][ T5837] RAX: ffffffffffffffda RBX: 00007f832fdd5328 RCX: 00007f832fd4ebb9 [ 82.345762][ T5837] RDX: 0000200000000300 RSI: 0000000040304580 RDI: 0000000000000004 [pid 5836] futex(0x7f832fdd532c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 82.345771][ T5837] RBP: 00007f832fdd5320 R08: 0000000000000000 R09: 0000000000000000 [ 82.345780][ T5837] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f832fda3004 [ 82.345789][ T5837] R13: 0000200000000180 R14: 00002000000000c0 R15: 0000200000000300 [ 82.345804][ T5837] [pid 5836] exit_group(0) = ? [ 91.636459][ T1208] cfg80211: failed to load regulatory.db