./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3222801550 <...>
Warning: Permanently added '10.128.1.39' (ED25519) to the list of known hosts.
execve("./syz-executor3222801550", ["./syz-executor3222801550"], 0x7fffdd3ebc40 /* 10 vars */) = 0
brk(NULL) = 0x55557f5ed000
brk(0x55557f5edd00) = 0x55557f5edd00
[ 65.686652][ T30] audit: type=1400 audit(1753553488.120:62): avc: denied { write } for pid=5828 comm="strace-static-x" path="pipe:[4670]" dev="pipefs" ino=4670 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
arch_prctl(ARCH_SET_FS, 0x55557f5ed380) = 0
set_tid_address(0x55557f5ed650) = 5831
set_robust_list(0x55557f5ed660, 24) = 0
rseq(0x55557f5edca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor3222801550", 4096) = 28
getrandom("\x72\x84\x58\x45\x53\xda\xb3\xb0", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55557f5edd00
brk(0x55557f60ed00) = 0x55557f60ed00
brk(0x55557f60f000) = 0x55557f60f000
mprotect(0x7fa0e93a8000, 16384, PROT_READ) = 0
mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000
mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000
mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5832 attached , child_tidptr=0x55557f5ed650) = 5832
[pid 5832] set_robust_list(0x55557f5ed660, 24) = 0
[pid 5831] openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "10000000000", 11) = 11
[ 65.868548][ T30] audit: type=1400 audit(1753553488.300:63): avc: denied { execmem } for pid=5831 comm="syz-executor322" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "20", 2) = 2
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "1", 1) = 1
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "0", 1) = 1
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "0", 1) = 1
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "1", 1) = 1
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "100", 3) = 3
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "0", 1) = 1
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "0", 1) = 1
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "7 4 1 3", 7) = 7
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "1", 1) = 1
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "1", 1) = 1
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "0", 1) = 1
[pid 5831] close(3) = 0
[pid 5831] openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3
[pid 5831] write(3, "5832", 4) = 4
[pid 5831] close(3) = 0
[pid 5831] kill(5832, SIGKILL) = 0
[pid 5832] +++ killed by SIGKILL
+++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=5832, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
executing program
write(1, "executing program\n", 18) = 18
openat(AT_FDCWD, "/dev/uinput", O_RDONLY) = 3
ioctl(3, UI_DEV_SETUP, 0x200000000180) = 0
ioctl(3, UI_SET_FFBIT, 0x51) = 0
[ 66.389348][ T30] audit: type=1400 audit(1753553488.820:64): avc: denied { read } for pid=5831 comm="syz-executor322" name="uinput" dev="devtmpfs" ino=920 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1
[ 66.413192][ T30] audit: type=1400 audit(1753553488.830:65): avc: denied { open } for pid=5831 comm="syz-executor322" path="/dev/uinput" dev="devtmpfs" ino=920 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1
ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0
openat(AT_FDCWD, "/dev/input/event4", O_RDONLY) = 4
[ 66.437209][ T30] audit: type=1400 audit(1753553488.830:66): avc: denied { ioctl } for pid=5831 comm="syz-executor322" path="/dev/uinput" dev="devtmpfs" ino=920 ioctlcmd=0x5503 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1
[ 66.462938][ T5831] input: syz1 as /devices/virtual/input/input5
[ 66.484964][ T30] audit: type=1400 audit(1753553488.920:67): avc: denied { read } for pid=5831 comm="syz-executor322" name="event4" dev="devtmpfs" ino=2787 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 66.496599][ T5831]
[ 66.510215][ T5831] ======================================================
[ 66.517209][ T5831] WARNING: possible circular locking dependency detected
[ 66.524201][ T5831] 6.16.0-rc7-syzkaller-00120-g5f33ebd2018c #0 Not tainted
[ 66.531280][ T5831] ------------------------------------------------------
[ 66.538270][ T5831] syz-executor322/5831 is trying to acquire lock:
[ 66.544663][ T5831] ffff888029b74870 (&newdev->mutex){+.+.}-{4:4}, at: uinput_request_submit.part.0+0x25/0x2e0
[ 66.554836][ T5831]
[ 66.554836][ T5831] but task is already holding lock:
[ 66.562178][ T5831] ffff888029b758b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x1dd/0xc10
[ 66.570947][ T5831]
[ 66.570947][ T5831] which lock already depends on the new lock.
[ 66.570947][ T5831]
[ 66.581327][ T5831]
[ 66.581327][ T5831] the existing dependency chain (in reverse order) is:
[ 66.590317][ T5831]
[ 66.590317][ T5831] -> #3 (&ff->mutex){+.+.}-{4:4}:
[ 66.597503][ T5831] __mutex_lock+0x199/0xb90
[ 66.602505][ T5831] input_ff_flush+0x63/0x180
[ 66.607603][ T5831] uinput_dev_flush+0x2a/0x40
[ 66.612778][ T5831] input_flush_device+0xa1/0x110
[ 66.618224][ T5831] evdev_release+0x344/0x420
[ 66.623319][ T5831] __fput+0x3ff/0xb70
[ 66.627805][ T5831] fput_close_sync+0x118/0x260
[ 66.633073][ T5831] __x64_sys_close+0x8b/0x120
[ 66.638254][ T5831] do_syscall_64+0xcd/0x4c0
[ 66.643262][ T5831] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 66.649659][ T5831]
[ 66.649659][ T5831] -> #2 (&dev->mutex#2){+.+.}-{4:4}:
[ 66.657110][ T5831] __mutex_lock+0x199/0xb90
[ 66.662115][ T5831] input_register_handle+0xdc/0x620
[ 66.667819][ T5831] kbd_connect+0xca/0x160
[ 66.672666][ T5831] input_attach_handler.isra.0+0x184/0x260
[ 66.678978][ T5831] input_register_device+0xa84/0x1130
[ 66.684859][ T5831] acpi_button_add+0x582/0xb70
[ 66.690150][ T5831] acpi_device_probe+0xc6/0x330
[ 66.695511][ T5831] really_probe+0x23e/0xa90
[ 66.700529][ T5831] __driver_probe_device+0x1de/0x440
[ 66.706311][ T5831] driver_probe_device+0x4c/0x1b0
[ 66.711834][ T5831] __driver_attach+0x283/0x580
[ 66.717095][ T5831] bus_for_each_dev+0x13e/0x1d0
[ 66.722450][ T5831] bus_add_driver+0x2e9/0x690
[ 66.727632][ T5831] driver_register+0x15c/0x4b0
[ 66.732901][ T5831] __acpi_bus_register_driver+0xdf/0x130
[ 66.739039][ T5831] acpi_button_driver_init+0x82/0x110
[ 66.744926][ T5831] do_one_initcall+0x120/0x6e0
[ 66.750190][ T5831] kernel_init_freeable+0x5c2/0x900
[ 66.755888][ T5831] kernel_init+0x1c/0x2b0
[ 66.760723][ T5831] ret_from_fork+0x5d4/0x6f0
[ 66.765822][ T5831] ret_from_fork_asm+0x1a/0x30
[ 66.771102][ T5831]
[ 66.771102][ T5831] -> #1 (input_mutex){+.+.}-{4:4}:
[ 66.778376][ T5831] __mutex_lock+0x199/0xb90
[ 66.783382][ T5831] input_register_device+0x98a/0x1130
[ 66.789259][ T5831] uinput_ioctl_handler.isra.0+0x1357/0x1df0
[ 66.795740][ T5831] __x64_sys_ioctl+0x18e/0x210
[ 66.801007][ T5831] do_syscall_64+0xcd/0x4c0
[ 66.806007][ T5831] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 66.812400][ T5831]
[ 66.812400][ T5831] -> #0 (&newdev->mutex){+.+.}-{4:4}:
[ 66.819933][ T5831] __lock_acquire+0x126f/0x1c90
[ 66.825283][ T5831] lock_acquire+0x179/0x350
[ 66.830284][ T5831] __mutex_lock+0x199/0xb90
[ 66.835286][ T5831] uinput_request_submit.part.0+0x25/0x2e0
[ 66.841591][ T5831] uinput_dev_upload_effect+0x174/0x1f0
[ 66.847636][ T5831] input_ff_upload+0x568/0xc10
[ 66.852904][ T5831] evdev_do_ioctl+0xf40/0x1b30
[ 66.858180][ T5831] evdev_ioctl+0x16f/0x1a0
[ 66.863099][ T5831] __x64_sys_ioctl+0x18e/0x210
[ 66.868363][ T5831] do_syscall_64+0xcd/0x4c0
[ 66.873363][ T5831] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 66.879755][ T5831]
[ 66.879755][ T5831] other info that might help us debug this:
[ 66.879755][ T5831]
[ 66.889958][ T5831] Chain exists of:
[ 66.889958][ T5831] &newdev->mutex --> &dev->mutex#2 --> &ff->mutex
[ 66.889958][ T5831]
[ 66.902454][ T5831] Possible unsafe locking scenario:
[ 66.902454][ T5831]
[ 66.909881][ T5831]        CPU0                    CPU1
[ 66.915226][ T5831]        ----                    ----
[ 66.920584][ T5831]   lock(&ff->mutex);
[ 66.924552][ T5831]                                lock(&dev->mutex#2);
[ 66.931314][ T5831]                                lock(&ff->mutex);
[ 66.937798][ T5831]   lock(&newdev->mutex);
[ 66.942455][ T5831]
[ 66.942455][ T5831] *** DEADLOCK ***
[ 66.942455][ T5831]
[ 66.950576][ T5831] 2 locks held by syz-executor322/5831:
[ 66.956093][ T5831] #0: ffff8881436dd118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_ioctl+0x7f/0x1a0
[ 66.965127][ T5831] #1: ffff888029b758b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x1dd/0xc10
[ 66.974343][ T5831]
[ 66.974343][ T5831] stack backtrace:
[ 66.980225][ T5831] CPU: 1 UID: 0 PID: 5831 Comm: syz-executor322 Not tainted 6.16.0-rc7-syzkaller-00120-g5f33ebd2018c #0 PREEMPT(full)
[ 66.980242][ T5831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[ 66.980249][ T5831] Call Trace:
[ 66.980255][ T5831] <TASK>
[ 66.980261][ T5831] dump_stack_lvl+0x116/0x1f0
[ 66.980282][ T5831] print_circular_bug+0x275/0x350
[ 66.980302][ T5831] check_noncircular+0x14c/0x170
[ 66.980322][ T5831] __lock_acquire+0x126f/0x1c90
[ 66.980335][ T5831] lock_acquire+0x179/0x350
[ 66.980346][ T5831] ? uinput_request_submit.part.0+0x25/0x2e0
[ 66.980361][ T5831] ? __pfx___might_resched+0x10/0x10
[ 66.980379][ T5831] __mutex_lock+0x199/0xb90
[ 66.980390][ T5831] ? uinput_request_submit.part.0+0x25/0x2e0
[ 66.980405][ T5831] ? uinput_request_reserve_slot+0x3ca/0x4d0
[ 66.980418][ T5831] ? uinput_request_submit.part.0+0x25/0x2e0
[ 66.980432][ T5831] ? __pfx___mutex_lock+0x10/0x10
[ 66.980443][ T5831] ? _raw_spin_unlock+0x28/0x50
[ 66.980461][ T5831] ? __mutex_trylock_common+0xe9/0x250
[ 66.980473][ T5831] ? __pfx_uinput_request_reserve_slot+0x10/0x10
[ 66.980488][ T5831] ? __pfx___might_resched+0x10/0x10
[ 66.980505][ T5831] ? uinput_request_submit.part.0+0x25/0x2e0
[ 66.980518][ T5831] uinput_request_submit.part.0+0x25/0x2e0
[ 66.980532][ T5831] uinput_dev_upload_effect+0x174/0x1f0
[ 66.980546][ T5831] ? __pfx_uinput_dev_upload_effect+0x10/0x10
[ 66.980563][ T5831] ? __might_fault+0x13b/0x190
[ 66.980583][ T5831] input_ff_upload+0x568/0xc10
[ 66.980597][ T5831] evdev_do_ioctl+0xf40/0x1b30
[ 66.980616][ T5831] ? __pfx_evdev_do_ioctl+0x10/0x10
[ 66.980640][ T5831] evdev_ioctl+0x16f/0x1a0
[ 66.980662][ T5831] ? __pfx_evdev_ioctl+0x10/0x10
[ 66.980681][ T5831] __x64_sys_ioctl+0x18e/0x210
[ 66.980698][ T5831] do_syscall_64+0xcd/0x4c0
[ 66.980711][ T5831] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 66.980723][ T5831] RIP: 0033:0x7fa0e93355d9
[ 66.980735][ T5831] Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 66.980747][ T5831] RSP: 002b:00007ffc5ef32bc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 66.980759][ T5831] RAX: ffffffffffffffda RBX: 00007ffc5ef32cd0 RCX: 00007fa0e93355d9
[ 66.980767][ T5831] RDX: 0000200000000300 RSI: 0000000040304580 RDI: 0000000000000004
[ 66.980774][ T5831] RBP: 00000000000016c8 R08: 0000550032333835 R09: 0000550032333835
[ 66.980782][ T5831] R10: 000000000000000f R11: 0000000000000246 R12: 00007ffc5ef32cd0
[ 66.980789][ T5831] R13: 00007ffc5ef32e98 R14: 0000000000000001 R15: 0000000000000001
[ 66.980800][ T5831] </TASK>
[ 66.980847][ T30] audit: type=1400 audit(1753553488.920:68): avc: denied { open } for pid=5831 comm="syz-executor322" path="/dev/input/event4" dev="devtmpfs" ino=2787 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1