./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1342415784 <...> Warning: Permanently added '10.128.0.152' (ED25519) to the list of known hosts. execve("./syz-executor1342415784", ["./syz-executor1342415784"], 0x7ffe7ca850f0 /* 10 vars */) = 0 brk(NULL) = 0x5555815f6000 brk(0x5555815f6e00) = 0x5555815f6e00 arch_prctl(ARCH_SET_FS, 0x5555815f6480) = 0 [ 63.031252][ T30] audit: type=1400 audit(1753594228.767:62): avc: denied { write } for pid=5828 comm="strace-static-x" path="pipe:[3713]" dev="pipefs" ino=3713 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 set_tid_address(0x5555815f6750) = 5831 set_robust_list(0x5555815f6760, 24) = 0 rseq(0x5555815f6da0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1342415784", 4096) = 28 getrandom("\xd8\xc2\xee\x15\x6b\x92\x20\xa9", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555815f6e00 brk(0x555581617e00) = 0x555581617e00 brk(0x555581618000) = 0x555581618000 mprotect(0x7f8ef0b86000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f8ef0ae0e50, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f8ef0ae80a0}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f8ef0ae0e50, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f8ef0ae80a0}, NULL, 8) = 0 executing program write(1, "executing program\n", 18) = 18 [ 63.198116][ 
T30] audit: type=1400 audit(1753594228.927:63): avc: denied { execmem } for pid=5831 comm="syz-executor134" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 openat(AT_FDCWD, "/dev/uinput", O_RDONLY) = 3 [ 63.230270][ T30] audit: type=1400 audit(1753594228.967:64): avc: denied { read } for pid=5831 comm="syz-executor134" name="uinput" dev="devtmpfs" ino=920 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 63.253686][ T30] audit: type=1400 audit(1753594228.967:65): avc: denied { open } for pid=5831 comm="syz-executor134" path="/dev/uinput" dev="devtmpfs" ino=920 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 ioctl(3, UI_DEV_SETUP, 0x200000000180) = 0 ioctl(3, UI_SET_FFBIT, 0x51) = 0 ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 openat(AT_FDCWD, "/dev/input/event4", O_RDONLY) = 4 [ 63.278158][ T30] audit: type=1400 audit(1753594229.007:66): avc: denied { ioctl } for pid=5831 comm="syz-executor134" path="/dev/uinput" dev="devtmpfs" ino=920 ioctlcmd=0x5503 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 63.280283][ T5831] input: syz1 as /devices/virtual/input/input5 [ 63.316450][ T30] audit: type=1400 audit(1753594229.047:67): avc: denied { read } for pid=5831 comm="syz-executor134" name="event4" dev="devtmpfs" ino=2787 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 63.329967][ T5831] [ 63.339680][ T30] audit: type=1400 audit(1753594229.047:68): avc: denied { open } for pid=5831 comm="syz-executor134" path="/dev/input/event4" dev="devtmpfs" ino=2787 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 63.341661][ T5831] ====================================================== [ 63.341668][ T5831] WARNING: possible circular locking dependency detected [ 
63.341675][ T5831] 6.16.0-rc7-syzkaller-00140-gec2df4364666 #0 Not tainted [ 63.341684][ T5831] ------------------------------------------------------ [ 63.365666][ T30] audit: type=1400 audit(1753594229.057:69): avc: denied { ioctl } for pid=5831 comm="syz-executor134" path="/dev/input/event4" dev="devtmpfs" ino=2787 ioctlcmd=0x4580 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 63.372495][ T5831] syz-executor134/5831 is trying to acquire lock: [ 63.372505][ T5831] ffff88802a78a870 (&newdev->mutex){+.+.}-{4:4}, at: uinput_request_submit.part.0+0x25/0x2e0 [ 63.435401][ T5831] [ 63.435401][ T5831] but task is already holding lock: [ 63.442735][ T5831] ffff88802a7888b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x1dd/0xc10 [ 63.451483][ T5831] [ 63.451483][ T5831] which lock already depends on the new lock. [ 63.451483][ T5831] [ 63.461854][ T5831] [ 63.461854][ T5831] the existing dependency chain (in reverse order) is: [ 63.470835][ T5831] [ 63.470835][ T5831] -> #3 (&ff->mutex){+.+.}-{4:4}: [ 63.478021][ T5831] __mutex_lock+0x199/0xb90 [ 63.483017][ T5831] input_ff_flush+0x63/0x180 [ 63.488098][ T5831] uinput_dev_flush+0x2a/0x40 [ 63.493267][ T5831] input_flush_device+0xa1/0x110 [ 63.498710][ T5831] evdev_release+0x344/0x420 [ 63.503796][ T5831] __fput+0x3ff/0xb70 [ 63.508270][ T5831] fput_close_sync+0x118/0x260 [ 63.513528][ T5831] __x64_sys_close+0x8b/0x120 [ 63.518709][ T5831] do_syscall_64+0xcd/0x4c0 [ 63.523703][ T5831] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 63.530098][ T5831] [ 63.530098][ T5831] -> #2 (&dev->mutex#2){+.+.}-{4:4}: [ 63.537534][ T5831] __mutex_lock+0x199/0xb90 [ 63.542528][ T5831] input_register_handle+0xdc/0x620 [ 63.548221][ T5831] kbd_connect+0xca/0x160 [ 63.553048][ T5831] input_attach_handler.isra.0+0x184/0x260 [ 63.559360][ T5831] input_register_device+0xa84/0x1130 [ 63.565254][ T5831] acpi_button_add+0x582/0xb70 [ 63.570567][ T5831] acpi_device_probe+0xc6/0x330 [ 63.575922][ 
T5831] really_probe+0x23e/0xa90 [ 63.580919][ T5831] __driver_probe_device+0x1de/0x440 [ 63.586721][ T5831] driver_probe_device+0x4c/0x1b0 [ 63.592245][ T5831] __driver_attach+0x283/0x580 [ 63.597511][ T5831] bus_for_each_dev+0x13e/0x1d0 [ 63.602857][ T5831] bus_add_driver+0x2e9/0x690 [ 63.608029][ T5831] driver_register+0x15c/0x4b0 [ 63.613290][ T5831] __acpi_bus_register_driver+0xdf/0x130 [ 63.619418][ T5831] acpi_button_driver_init+0x82/0x110 [ 63.625291][ T5831] do_one_initcall+0x120/0x6e0 [ 63.630548][ T5831] kernel_init_freeable+0x5c2/0x900 [ 63.636250][ T5831] kernel_init+0x1c/0x2b0 [ 63.641076][ T5831] ret_from_fork+0x5d4/0x6f0 [ 63.646160][ T5831] ret_from_fork_asm+0x1a/0x30 [ 63.651416][ T5831] [ 63.651416][ T5831] -> #1 (input_mutex){+.+.}-{4:4}: [ 63.658682][ T5831] __mutex_lock+0x199/0xb90 [ 63.663677][ T5831] input_register_device+0x98a/0x1130 [ 63.669549][ T5831] uinput_ioctl_handler.isra.0+0x1357/0x1df0 [ 63.676038][ T5831] __x64_sys_ioctl+0x18e/0x210 [ 63.681302][ T5831] do_syscall_64+0xcd/0x4c0 [ 63.686297][ T5831] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 63.692682][ T5831] [ 63.692682][ T5831] -> #0 (&newdev->mutex){+.+.}-{4:4}: [ 63.700205][ T5831] __lock_acquire+0x126f/0x1c90 [ 63.705545][ T5831] lock_acquire+0x179/0x350 [ 63.710538][ T5831] __mutex_lock+0x199/0xb90 [ 63.715531][ T5831] uinput_request_submit.part.0+0x25/0x2e0 [ 63.721828][ T5831] uinput_dev_upload_effect+0x174/0x1f0 [ 63.727865][ T5831] input_ff_upload+0x568/0xc10 [ 63.733120][ T5831] evdev_do_ioctl+0xf40/0x1b30 [ 63.738378][ T5831] evdev_ioctl+0x16f/0x1a0 [ 63.743289][ T5831] __x64_sys_ioctl+0x18e/0x210 [ 63.748545][ T5831] do_syscall_64+0xcd/0x4c0 [ 63.753538][ T5831] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 63.759923][ T5831] [ 63.759923][ T5831] other info that might help us debug this: [ 63.759923][ T5831] [ 63.770120][ T5831] Chain exists of: [ 63.770120][ T5831] &newdev->mutex --> &dev->mutex#2 --> &ff->mutex [ 63.770120][ T5831] [ 63.782427][ T5831] Possible unsafe 
locking scenario:
[ 63.782427][ T5831]
[ 63.789850][ T5831]        CPU0                    CPU1
[ 63.795193][ T5831]        ----                    ----
[ 63.800527][ T5831]   lock(&ff->mutex);
[ 63.804478][ T5831]                                lock(&dev->mutex#2);
[ 63.811212][ T5831]                                lock(&ff->mutex);
[ 63.817680][ T5831]   lock(&newdev->mutex);
[ 63.821979][ T5831]
[ 63.821979][ T5831]  *** DEADLOCK ***
[ 63.821979][ T5831]
[ 63.830091][ T5831] 2 locks held by syz-executor134/5831:
[ 63.835600][ T5831]  #0: ffff888024e04118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_ioctl+0x7f/0x1a0
[ 63.844616][ T5831]  #1: ffff88802a7888b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x1dd/0xc10
[ 63.853799][ T5831]
[ 63.853799][ T5831] stack backtrace:
[ 63.859658][ T5831] CPU: 0 UID: 0 PID: 5831 Comm: syz-executor134 Not tainted 6.16.0-rc7-syzkaller-00140-gec2df4364666 #0 PREEMPT(full)
[ 63.859671][ T5831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[ 63.859677][ T5831] Call Trace:
[ 63.859682][ T5831]
[ 63.859686][ T5831] dump_stack_lvl+0x116/0x1f0
[ 63.859703][ T5831] print_circular_bug+0x275/0x350
[ 63.859718][ T5831] check_noncircular+0x14c/0x170
[ 63.859734][ T5831] __lock_acquire+0x126f/0x1c90
[ 63.859745][ T5831] lock_acquire+0x179/0x350
[ 63.859753][ T5831] ? uinput_request_submit.part.0+0x25/0x2e0
[ 63.859765][ T5831] ? __pfx___might_resched+0x10/0x10
[ 63.859779][ T5831] __mutex_lock+0x199/0xb90
[ 63.859788][ T5831] ? uinput_request_submit.part.0+0x25/0x2e0
[ 63.859799][ T5831] ? uinput_request_reserve_slot+0x3ca/0x4d0
[ 63.859810][ T5831] ? uinput_request_submit.part.0+0x25/0x2e0
[ 63.859821][ T5831] ? __pfx___mutex_lock+0x10/0x10
[ 63.859832][ T5831] ? _raw_spin_unlock+0x28/0x50
[ 63.859853][ T5831] ? __mutex_trylock_common+0xe9/0x250
[ 63.859864][ T5831] ? __pfx_uinput_request_reserve_slot+0x10/0x10
[ 63.859875][ T5831] ? __pfx___might_resched+0x10/0x10
[ 63.859888][ T5831] ? 
uinput_request_submit.part.0+0x25/0x2e0 [ 63.859899][ T5831] uinput_request_submit.part.0+0x25/0x2e0 [ 63.859910][ T5831] uinput_dev_upload_effect+0x174/0x1f0 [ 63.859921][ T5831] ? __pfx_uinput_dev_upload_effect+0x10/0x10 [ 63.859934][ T5831] ? __might_fault+0x13b/0x190 [ 63.859950][ T5831] input_ff_upload+0x568/0xc10 [ 63.859961][ T5831] evdev_do_ioctl+0xf40/0x1b30 [ 63.859976][ T5831] ? __pfx_evdev_do_ioctl+0x10/0x10 [ 63.859994][ T5831] evdev_ioctl+0x16f/0x1a0 [ 63.860009][ T5831] ? __pfx_evdev_ioctl+0x10/0x10 [ 63.860023][ T5831] __x64_sys_ioctl+0x18e/0x210 [ 63.860036][ T5831] do_syscall_64+0xcd/0x4c0 [ 63.860046][ T5831] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 63.860059][ T5831] RIP: 0033:0x7f8ef0b13ca9 [ 63.860068][ T5831] Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 63.860077][ T5831] RSP: 002b:00007ffd2042fae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 63.860086][ T5831] RAX: ffffffffffffffda RBX: 6e69752f7665642f RCX: 00007f8ef0b13ca9 [ 63.860092][ T5831] RDX: 0000200000000300 RSI: 0000000040304580 RDI: 0000000000000004 [ 63.860098][ T5831] RBP: 00007ffd2042fb08 R08: 0000000000000000 R09: 0000000000000000 [ 63.860104][ T5831] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000000 [ 63.860109][ T5831] R13: 00007ffd2042fd68 R14: 0000000000000001 R15: 0000000000000001 [ 63.860117][ T5831]