./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3131561942 <...> Warning: Permanently added '10.128.0.25' (ED25519) to the list of known hosts. execve("./syz-executor3131561942", ["./syz-executor3131561942"], 0x7ffe8f433cc0 /* 10 vars */) = 0 brk(NULL) = 0x55556c241000 brk(0x55556c241d00) = 0x55556c241d00 arch_prctl(ARCH_SET_FS, 0x55556c241380) = 0 set_tid_address(0x55556c241650) = 5084 set_robust_list(0x55556c241660, 24) = 0 rseq(0x55556c241ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3131561942", 4096) = 28 getrandom("\xdc\x02\xb0\xcb\xe0\xf2\x0e\xb9", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556c241d00 brk(0x55556c262d00) = 0x55556c262d00 brk(0x55556c263000) = 0x55556c263000 mprotect(0x7f845941d000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/uinput", O_RDONLY) = 3 ioctl(3, UI_DEV_SETUP, 0x20000180) = 0 ioctl(3, UI_SET_FFBIT, 0x51) = 0 ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 openat(AT_FDCWD, "/dev/input/event4", O_RDONLY) = 4 [ 73.518727][ T5084] input: syz1 as /devices/virtual/input/input5 [ 73.544140][ T5084] [ 73.546527][ T5084] ====================================================== [ 73.553647][ T5084] WARNING: possible circular locking dependency detected [ 73.560662][ T5084] 6.9.0-rc6-syzkaller-00227-g3d25a941ea50 #0 Not tainted [ 73.567699][ T5084] ------------------------------------------------------ [ 73.574706][ T5084] syz-executor313/5084 is trying to acquire lock: [ 73.581109][ T5084] ffff88802f5ad070 (&newdev->mutex){+.+.}-{3:3}, at: uinput_request_submit+0x19c/0x740 [ 73.590868][ T5084] [ 73.590868][ T5084] but task is already holding lock: [ 73.598237][ T5084] ffff88802f5a98b0 (&ff->mutex){+.+.}-{3:3}, at: input_ff_upload+0x3e4/0xb00 [ 73.607073][ T5084] [ 73.607073][ T5084] which lock already depends on the new lock. [ 73.607073][ T5084] [ 73.617500][ T5084] [ 73.617500][ T5084] the existing dependency chain (in reverse order) is: [ 73.626511][ T5084] [ 73.626511][ T5084] -> #3 (&ff->mutex){+.+.}-{3:3}: [ 73.633727][ T5084] lock_acquire+0x1ed/0x550 [ 73.638756][ T5084] __mutex_lock+0x136/0xd70 [ 73.643797][ T5084] input_ff_flush+0x5e/0x140 [ 73.648928][ T5084] input_flush_device+0x9c/0xc0 [ 73.654306][ T5084] evdev_release+0xf9/0x7d0 [ 73.659330][ T5084] __fput+0x429/0x8a0 [ 73.663839][ T5084] __x64_sys_close+0x7f/0x110 [ 73.669059][ T5084] do_syscall_64+0xf5/0x240 [ 73.674091][ T5084] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.680544][ T5084] [ 73.680544][ T5084] -> #2 (&dev->mutex#2){+.+.}-{3:3}: [ 73.688037][ T5084] lock_acquire+0x1ed/0x550 [ 73.693171][ T5084] __mutex_lock+0x136/0xd70 [ 73.698227][ T5084] input_register_handle+0x6d/0x3b0 [ 73.703980][ T5084] kbd_connect+0xbf/0x130 [ 73.708840][ T5084] input_register_device+0xcfa/0x1090 [ 73.714745][ T5084] acpi_button_add+0x6c6/0xb90 [ 73.720038][ T5084] acpi_device_probe+0xa5/0x2b0 [ 73.725412][ T5084] really_probe+0x2b8/0xad0 [ 73.730448][ T5084] __driver_probe_device+0x1a2/0x390 [ 73.736261][ T5084] driver_probe_device+0x50/0x430 [ 73.742253][ T5084] __driver_attach+0x45f/0x710 [ 73.747547][ T5084] bus_for_each_dev+0x239/0x2b0 [ 73.752921][ T5084] bus_add_driver+0x347/0x620 [ 73.758118][ T5084] driver_register+0x23a/0x320 [ 73.763413][ T5084] do_one_initcall+0x248/0x880 [ 73.768876][ T5084] do_initcall_level+0x157/0x210 [ 73.774355][ T5084] do_initcalls+0x3f/0x80 [ 73.779218][ T5084] kernel_init_freeable+0x435/0x5d0 [ 73.785029][ T5084] kernel_init+0x1d/0x2b0 [ 73.789965][ T5084] ret_from_fork+0x4b/0x80 [ 73.794911][ T5084] ret_from_fork_asm+0x1a/0x30 [ 73.800237][ T5084] [ 73.800237][ T5084] -> #1 (input_mutex){+.+.}-{3:3}: [ 73.807816][ T5084] lock_acquire+0x1ed/0x550 [ 73.812843][ T5084] __mutex_lock+0x136/0xd70 [ 73.817893][ T5084] input_register_device+0xae5/0x1090 [ 73.823802][ T5084] uinput_create_device+0x40e/0x630 [ 73.830043][ T5084] uinput_ioctl_handler+0x48b/0x1770 [ 73.835855][ T5084] __se_sys_ioctl+0xfc/0x170 [ 73.840978][ T5084] do_syscall_64+0xf5/0x240 [ 73.846012][ T5084] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.852431][ T5084] [ 73.852431][ T5084] -> #0 (&newdev->mutex){+.+.}-{3:3}: [ 73.860011][ T5084] validate_chain+0x18cb/0x58e0 [ 73.865388][ T5084] __lock_acquire+0x1346/0x1fd0 [ 73.870756][ T5084] lock_acquire+0x1ed/0x550 [ 73.875782][ T5084] __mutex_lock+0x136/0xd70 [ 73.880806][ T5084] uinput_request_submit+0x19c/0x740 [ 73.886616][ T5084] uinput_dev_upload_effect+0x199/0x240 [ 73.892684][ T5084] input_ff_upload+0x5df/0xb00 [ 73.897976][ T5084] evdev_ioctl_handler+0x17d0/0x21b0 [ 73.903785][ T5084] __se_sys_ioctl+0xfc/0x170 [ 73.908914][ T5084] do_syscall_64+0xf5/0x240 [ 73.913952][ T5084] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.920373][ T5084] [ 73.920373][ T5084] other info that might help us debug this: [ 73.920373][ T5084] [ 73.930615][ T5084] Chain exists of: [ 73.930615][ T5084] &newdev->mutex --> &dev->mutex#2 --> &ff->mutex [ 73.930615][ T5084] [ 73.943057][ T5084] Possible unsafe locking scenario: [ 73.943057][ T5084] [ 73.950504][ T5084] CPU0 CPU1 [ 73.955862][ T5084] ---- ---- [ 73.961222][ T5084] lock(&ff->mutex); [ 73.965198][ T5084] lock(&dev->mutex#2); [ 73.971962][ T5084] lock(&ff->mutex); [ 73.978483][ T5084] lock(&newdev->mutex); [ 73.982819][ T5084] [ 73.982819][ T5084] *** DEADLOCK *** [ 73.982819][ T5084] [ 73.990956][ T5084] 2 locks held by syz-executor313/5084: [ 73.996494][ T5084] #0: ffff888022e4b110 (&evdev->mutex){+.+.}-{3:3}, at: evdev_ioctl_handler+0x125/0x21b0 [ 74.006523][ T5084] #1: ffff88802f5a98b0 (&ff->mutex){+.+.}-{3:3}, at: input_ff_upload+0x3e4/0xb00 [ 74.015761][ T5084] [ 74.015761][ T5084] stack backtrace: [ 74.021648][ T5084] CPU: 1 PID: 5084 Comm: syz-executor313 Not tainted 6.9.0-rc6-syzkaller-00227-g3d25a941ea50 #0 [ 74.032050][ T5084] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 74.042101][ T5084] Call Trace: [ 74.045415][ T5084] [ 74.048353][ T5084] dump_stack_lvl+0x241/0x360 [ 74.053054][ T5084] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.058263][ T5084] ? print_circular_bug+0x130/0x1a0 [ 74.063499][ T5084] check_noncircular+0x36a/0x4a0 [ 74.068444][ T5084] ? __pfx_check_noncircular+0x10/0x10 [ 74.073903][ T5084] ? lockdep_lock+0x123/0x2b0 [ 74.078581][ T5084] ? stack_trace_save+0x118/0x1d0 [ 74.083619][ T5084] ? __pfx_stack_trace_save+0x10/0x10 [ 74.089001][ T5084] ? _find_first_zero_bit+0xd4/0x100 [ 74.094297][ T5084] validate_chain+0x18cb/0x58e0 [ 74.099168][ T5084] ? validate_chain+0x15a2/0x58e0 [ 74.104203][ T5084] ? __pfx_validate_chain+0x10/0x10 [ 74.109423][ T5084] ? __pfx_validate_chain+0x10/0x10 [ 74.114629][ T5084] ? stack_trace_save+0x118/0x1d0 [ 74.119670][ T5084] ? __pfx_stack_trace_save+0x10/0x10 [ 74.125061][ T5084] ? mark_lock+0x9a/0x350 [ 74.129484][ T5084] __lock_acquire+0x1346/0x1fd0 [ 74.134433][ T5084] lock_acquire+0x1ed/0x550 [ 74.138941][ T5084] ? uinput_request_submit+0x19c/0x740 [ 74.144409][ T5084] ? __pfx_lock_acquire+0x10/0x10 [ 74.149438][ T5084] ? __pfx___might_resched+0x10/0x10 [ 74.154753][ T5084] __mutex_lock+0x136/0xd70 [ 74.159262][ T5084] ? uinput_request_submit+0x19c/0x740 [ 74.164742][ T5084] ? uinput_request_alloc_id+0x3c5/0x3f0 [ 74.170383][ T5084] ? do_raw_spin_lock+0x14f/0x370 [ 74.175415][ T5084] ? __pfx_lock_release+0x10/0x10 [ 74.180441][ T5084] ? uinput_request_submit+0x19c/0x740 [ 74.185904][ T5084] ? __pfx___mutex_lock+0x10/0x10 [ 74.190934][ T5084] ? _raw_spin_unlock+0x28/0x50 [ 74.195790][ T5084] ? uinput_request_alloc_id+0x3c5/0x3f0 [ 74.201429][ T5084] uinput_request_submit+0x19c/0x740 [ 74.206724][ T5084] ? __pfx_uinput_request_submit+0x10/0x10 [ 74.212544][ T5084] ? __pfx___mutex_trylock_common+0x10/0x10 [ 74.218450][ T5084] ? rcu_is_watching+0x15/0xb0 [ 74.223224][ T5084] uinput_dev_upload_effect+0x199/0x240 [ 74.228775][ T5084] ? __pfx_uinput_dev_upload_effect+0x10/0x10 [ 74.234857][ T5084] input_ff_upload+0x5df/0xb00 [ 74.239630][ T5084] evdev_ioctl_handler+0x17d0/0x21b0 [ 74.244922][ T5084] ? tomoyo_path_number_perm+0x208/0x880 [ 74.250589][ T5084] ? __pfx_evdev_ioctl_handler+0x10/0x10 [ 74.256244][ T5084] ? __pfx_ptrace_notify+0x10/0x10 [ 74.261364][ T5084] ? bpf_lsm_file_ioctl+0x9/0x10 [ 74.266310][ T5084] ? security_file_ioctl+0x87/0xb0 [ 74.271429][ T5084] ? __pfx_evdev_ioctl+0x10/0x10 [ 74.276368][ T5084] __se_sys_ioctl+0xfc/0x170 [ 74.280968][ T5084] do_syscall_64+0xf5/0x240 [ 74.285512][ T5084] ? clear_bhb_loop+0x35/0x90 [ 74.290201][ T5084] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.296102][ T5084] RIP: 0033:0x7f84593aa269 [ 74.300519][ T5084] Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 74.320234][ T5084] RSP: 002b:00007fff3bc1b2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 74.328653][ T5084] RAX: ffffffffffffffda RBX: 00007fff3bc1b4a8 RCX: 00007f84593aa269 [ 74.336718][ T5084] RDX: 0000000020000300 RSI: 0000000040304580 RDI: 0000000000000004 [ 74.344694][ T5084] RBP: 00007f845941d610 R08: 0000000000000000 R09: 00007fff3bc1b4a8 [ 74.352667][ T5084] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 74.360644][ T5084] R13: 00007fff3bc1b498 R14: 0000000000000001 R15: 0000000000000001 [ 74.368633][ T5084]