./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1401934752 <...> Warning: Permanently added '10.128.1.6' (ED25519) to the list of known hosts. execve("./syz-executor1401934752", ["./syz-executor1401934752"], 0x7ffe54cb6b70 /* 10 vars */) = 0 brk(NULL) = 0x5555613e9000 brk(0x5555613e9e00) = 0x5555613e9e00 arch_prctl(ARCH_SET_FS, 0x5555613e9480) = 0 set_tid_address(0x5555613e9750) = 5087 set_robust_list(0x5555613e9760, 24) = 0 rseq(0x5555613e9da0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1401934752", 4096) = 28 getrandom("\x55\x91\xeb\x1f\xb5\xa6\x1f\x47", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555613e9e00 brk(0x55556140ae00) = 0x55556140ae00 brk(0x55556140b000) = 0x55556140b000 mprotect(0x7fa43ca53000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7fa43c9addc0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7fa43c9b5020}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7fa43c9addc0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7fa43c9b5020}, NULL, 8) = 0 openat(AT_FDCWD, "/dev/uinput", O_RDONLY) = 3 ioctl(3, UI_DEV_SETUP, 0x20000180) = 0 ioctl(3, UI_SET_FFBIT, 0x51) = 0 ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 openat(AT_FDCWD, "/dev/input/event4", O_RDONLY) = 4 [ 72.723667][ T5087] input: syz1 as /devices/virtual/input/input5 [ 72.747965][ T5087] [ 72.750339][ T5087] ====================================================== [ 72.757359][ T5087] WARNING: possible circular locking dependency detected [ 72.764389][ T5087] 6.9.0-rc6-syzkaller-00227-g3d25a941ea50 #0 Not tainted [ 72.771427][ T5087] ------------------------------------------------------ [ 72.778443][ T5087] syz-executor140/5087 is trying to acquire lock: [ 72.784857][ T5087] ffff8880225f7870 (&newdev->mutex){+.+.}-{3:3}, at: uinput_request_submit+0x19c/0x740 [ 72.794545][ T5087] [ 72.794545][ T5087] but task is already holding lock: [ 72.801900][ T5087] ffff8880225f30b0 (&ff->mutex){+.+.}-{3:3}, at: input_ff_upload+0x3e4/0xb00 [ 72.810684][ T5087] [ 72.810684][ T5087] which lock already depends on the new lock. [ 72.810684][ T5087] [ 72.821073][ T5087] [ 72.821073][ T5087] the existing dependency chain (in reverse order) is: [ 72.830072][ T5087] [ 72.830072][ T5087] -> #3 (&ff->mutex){+.+.}-{3:3}: [ 72.837286][ T5087] lock_acquire+0x1ed/0x550 [ 72.842323][ T5087] __mutex_lock+0x136/0xd70 [ 72.847352][ T5087] input_ff_flush+0x5e/0x140 [ 72.852464][ T5087] input_flush_device+0x9c/0xc0 [ 72.857836][ T5087] evdev_release+0xf9/0x7d0 [ 72.862859][ T5087] __fput+0x429/0x8a0 [ 72.867355][ T5087] __x64_sys_close+0x7f/0x110 [ 72.872556][ T5087] do_syscall_64+0xf5/0x240 [ 72.877578][ T5087] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.883994][ T5087] [ 72.883994][ T5087] -> #2 (&dev->mutex#2){+.+.}-{3:3}: [ 72.891505][ T5087] lock_acquire+0x1ed/0x550 [ 72.896521][ T5087] __mutex_lock+0x136/0xd70 [ 72.901537][ T5087] input_register_handle+0x6d/0x3b0 [ 72.907255][ T5087] kbd_connect+0xbf/0x130 [ 72.912121][ T5087] input_register_device+0xcfa/0x1090 [ 72.918039][ T5087] acpi_button_add+0x6c6/0xb90 [ 72.923344][ T5087] acpi_device_probe+0xa5/0x2b0 [ 72.928710][ T5087] really_probe+0x2b8/0xad0 [ 72.933734][ T5087] __driver_probe_device+0x1a2/0x390 [ 72.939536][ T5087] driver_probe_device+0x50/0x430 [ 72.945094][ T5087] __driver_attach+0x45f/0x710 [ 72.950372][ T5087] bus_for_each_dev+0x239/0x2b0 [ 72.955738][ T5087] bus_add_driver+0x347/0x620 [ 72.961028][ T5087] driver_register+0x23a/0x320 [ 72.966342][ T5087] do_one_initcall+0x248/0x880 [ 72.971625][ T5087] do_initcall_level+0x157/0x210 [ 72.977088][ T5087] do_initcalls+0x3f/0x80 [ 72.981942][ T5087] kernel_init_freeable+0x435/0x5d0 [ 72.987654][ T5087] kernel_init+0x1d/0x2b0 [ 72.992601][ T5087] ret_from_fork+0x4b/0x80 [ 72.997560][ T5087] ret_from_fork_asm+0x1a/0x30 [ 73.002856][ T5087] [ 73.002856][ T5087] -> #1 (input_mutex){+.+.}-{3:3}: [ 73.010149][ T5087] lock_acquire+0x1ed/0x550 [ 73.015167][ T5087] __mutex_lock+0x136/0xd70 [ 73.020201][ T5087] input_register_device+0xae5/0x1090 [ 73.026087][ T5087] uinput_create_device+0x40e/0x630 [ 73.031977][ T5087] uinput_ioctl_handler+0x48b/0x1770 [ 73.037781][ T5087] __se_sys_ioctl+0xfc/0x170 [ 73.042885][ T5087] do_syscall_64+0xf5/0x240 [ 73.047906][ T5087] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.054312][ T5087] [ 73.054312][ T5087] -> #0 (&newdev->mutex){+.+.}-{3:3}: [ 73.061863][ T5087] validate_chain+0x18cb/0x58e0 [ 73.067238][ T5087] __lock_acquire+0x1346/0x1fd0 [ 73.072600][ T5087] lock_acquire+0x1ed/0x550 [ 73.077613][ T5087] __mutex_lock+0x136/0xd70 [ 73.082626][ T5087] uinput_request_submit+0x19c/0x740 [ 73.088433][ T5087] uinput_dev_upload_effect+0x199/0x240 [ 73.094497][ T5087] input_ff_upload+0x5df/0xb00 [ 73.099778][ T5087] evdev_ioctl_handler+0x17d0/0x21b0 [ 73.105578][ T5087] __se_sys_ioctl+0xfc/0x170 [ 73.110685][ T5087] do_syscall_64+0xf5/0x240 [ 73.115726][ T5087] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.122134][ T5087] [ 73.122134][ T5087] other info that might help us debug this: [ 73.122134][ T5087] [ 73.132349][ T5087] Chain exists of: [ 73.132349][ T5087] &newdev->mutex --> &dev->mutex#2 --> &ff->mutex [ 73.132349][ T5087] [ 73.144692][ T5087] Possible unsafe locking scenario: [ 73.144692][ T5087] [ 73.152139][ T5087] CPU0 CPU1 [ 73.157501][ T5087] ---- ---- [ 73.162850][ T5087] lock(&ff->mutex); [ 73.166822][ T5087] lock(&dev->mutex#2); [ 73.173582][ T5087] lock(&ff->mutex); [ 73.180092][ T5087] lock(&newdev->mutex); [ 73.184448][ T5087] [ 73.184448][ T5087] *** DEADLOCK *** [ 73.184448][ T5087] [ 73.192577][ T5087] 2 locks held by syz-executor140/5087: [ 73.198107][ T5087] #0: ffff888022893110 (&evdev->mutex){+.+.}-{3:3}, at: evdev_ioctl_handler+0x125/0x21b0 [ 73.208032][ T5087] #1: ffff8880225f30b0 (&ff->mutex){+.+.}-{3:3}, at: input_ff_upload+0x3e4/0xb00 [ 73.217261][ T5087] [ 73.217261][ T5087] stack backtrace: [ 73.223141][ T5087] CPU: 0 PID: 5087 Comm: syz-executor140 Not tainted 6.9.0-rc6-syzkaller-00227-g3d25a941ea50 #0 [ 73.233540][ T5087] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 73.243593][ T5087] Call Trace: [ 73.246881][ T5087] [ 73.249809][ T5087] dump_stack_lvl+0x241/0x360 [ 73.254504][ T5087] ? __pfx_dump_stack_lvl+0x10/0x10 [ 73.259724][ T5087] ? print_circular_bug+0x130/0x1a0 [ 73.264925][ T5087] check_noncircular+0x36a/0x4a0 [ 73.269881][ T5087] ? __pfx_check_noncircular+0x10/0x10 [ 73.275394][ T5087] ? lockdep_lock+0x123/0x2b0 [ 73.280097][ T5087] ? stack_trace_save+0x118/0x1d0 [ 73.285135][ T5087] ? __pfx_stack_trace_save+0x10/0x10 [ 73.290538][ T5087] ? _find_first_zero_bit+0xd4/0x100 [ 73.295846][ T5087] validate_chain+0x18cb/0x58e0 [ 73.300717][ T5087] ? validate_chain+0x15a2/0x58e0 [ 73.305741][ T5087] ? __pfx_validate_chain+0x10/0x10 [ 73.310947][ T5087] ? __pfx_validate_chain+0x10/0x10 [ 73.316234][ T5087] ? stack_trace_save+0x118/0x1d0 [ 73.321279][ T5087] ? __pfx_stack_trace_save+0x10/0x10 [ 73.326743][ T5087] ? mark_lock+0x9a/0x350 [ 73.331071][ T5087] __lock_acquire+0x1346/0x1fd0 [ 73.335976][ T5087] lock_acquire+0x1ed/0x550 [ 73.340500][ T5087] ? uinput_request_submit+0x19c/0x740 [ 73.345975][ T5087] ? __pfx_lock_acquire+0x10/0x10 [ 73.351173][ T5087] ? __pfx___might_resched+0x10/0x10 [ 73.356637][ T5087] __mutex_lock+0x136/0xd70 [ 73.361152][ T5087] ? uinput_request_submit+0x19c/0x740 [ 73.366716][ T5087] ? uinput_request_alloc_id+0x3c5/0x3f0 [ 73.372360][ T5087] ? do_raw_spin_lock+0x14f/0x370 [ 73.377483][ T5087] ? __pfx_lock_release+0x10/0x10 [ 73.382505][ T5087] ? uinput_request_submit+0x19c/0x740 [ 73.387968][ T5087] ? __pfx___mutex_lock+0x10/0x10 [ 73.392997][ T5087] ? _raw_spin_unlock+0x28/0x50 [ 73.397848][ T5087] ? uinput_request_alloc_id+0x3c5/0x3f0 [ 73.403519][ T5087] uinput_request_submit+0x19c/0x740 [ 73.408845][ T5087] ? __pfx_uinput_request_submit+0x10/0x10 [ 73.414665][ T5087] ? __pfx___mutex_trylock_common+0x10/0x10 [ 73.420556][ T5087] ? rcu_is_watching+0x15/0xb0 [ 73.425322][ T5087] uinput_dev_upload_effect+0x199/0x240 [ 73.430872][ T5087] ? __pfx_uinput_dev_upload_effect+0x10/0x10 [ 73.436949][ T5087] input_ff_upload+0x5df/0xb00 [ 73.441714][ T5087] evdev_ioctl_handler+0x17d0/0x21b0 [ 73.446989][ T5087] ? tomoyo_path_number_perm+0x208/0x880 [ 73.452635][ T5087] ? __pfx_evdev_ioctl_handler+0x10/0x10 [ 73.458293][ T5087] ? __pfx_ptrace_notify+0x10/0x10 [ 73.463402][ T5087] ? bpf_lsm_file_ioctl+0x9/0x10 [ 73.468396][ T5087] ? security_file_ioctl+0x87/0xb0 [ 73.473532][ T5087] ? __pfx_evdev_ioctl+0x10/0x10 [ 73.478493][ T5087] __se_sys_ioctl+0xfc/0x170 [ 73.483097][ T5087] do_syscall_64+0xf5/0x240 [ 73.487621][ T5087] ? clear_bhb_loop+0x35/0x90 [ 73.492312][ T5087] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.498212][ T5087] RIP: 0033:0x7fa43c9e0c29 [ 73.502623][ T5087] Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 73.522229][ T5087] RSP: 002b:00007ffe2839ef98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 73.530636][ T5087] RAX: ffffffffffffffda RBX: 00007ffe2839efb0 RCX: 00007fa43c9e0c29 [ 73.538601][ T5087] RDX: 0000000020000300 RSI: 0000000040304580 RDI: 0000000000000004 [ 73.546593][ T5087] RBP: 00007ffe2839efb8 R08: 0000000000000000 R09: 0000000000000000 [ 73.554560][ T5087] R10: 000000000000001f R11: 0000000000000246 R12: 0000000000000000 [ 73.562524][ T5087] R13: 00007ffe2839f218 R14: 0000000000000001 R15: 0000000000000001 [ 73.570536][ T5087]