====================================================== WARNING: possible circular locking dependency detected 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Not tainted ------------------------------------------------------ syz-executor.3/14922 is trying to acquire lock: ffff8880287a4a18 (&sighand->siglock){-.-.}-{2:2}, at: __lock_task_sighand+0xc2/0x340 kernel/signal.c:1412 but task is already holding lock: ffff8880b9238ac0 (lock#10){+.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] ffff8880b9238ac0 (lock#10){+.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (lock#10){+.+.}-{2:2}: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:164 [inline] stack_map_get_build_id_offset+0x5d9/0x7c0 kernel/bpf/stackmap.c:141 __bpf_get_stack+0x6bf/0x700 kernel/bpf/stackmap.c:449 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1994 [inline] bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1984 0xffffffffa00008ea bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline] __bpf_prog_run include/linux/filter.h:691 [inline] bpf_prog_run include/linux/filter.h:698 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2403 [inline] bpf_trace_run2+0x234/0x590 kernel/trace/bpf_trace.c:2444 __bpf_trace_tlb_flush+0xd2/0x110 include/trace/events/tlb.h:38 trace_tlb_flush+0xf3/0x170 include/trace/events/tlb.h:38 switch_mm_irqs_off+0x68b/0xbc0 arch/x86/mm/tlb.c:642 context_switch kernel/sched/core.c:5392 [inline] __schedule+0xd2b/0x5d00 kernel/sched/core.c:6745 preempt_schedule_irq+0x51/0x90 kernel/sched/core.c:7067 irqentry_exit+0x36/0x90 kernel/entry/common.c:354 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __slab_alloc_node mm/slub.c:3786 [inline] slab_alloc_node mm/slub.c:3989 [inline] kmem_cache_alloc_noprof+0xa4/0x2f0 mm/slub.c:4008 lsm_file_alloc security/security.c:649 [inline] security_file_alloc+0x41/0x260 security/security.c:2710 init_file+0x99/0x260 fs/file_table.c:152 alloc_empty_file+0x91/0x1e0 fs/file_table.c:206 alloc_file fs/file_table.c:319 [inline] alloc_file_pseudo+0x147/0x210 fs/file_table.c:350 sock_alloc_file+0x50/0x1d0 net/socket.c:469 sock_map_fd net/socket.c:494 [inline] __sys_socket+0x1c2/0x260 net/socket.c:1715 __do_sys_socket net/socket.c:1720 [inline] __se_sys_socket net/socket.c:1718 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1718 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #1 (&rq->__lock){-.-.}-{2:2}: _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378 raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:559 raw_spin_rq_lock kernel/sched/sched.h:1406 [inline] _raw_spin_rq_lock_irqsave kernel/sched/sched.h:1425 [inline] rq_lock_irqsave kernel/sched/sched.h:1686 [inline] class_rq_lock_irqsave_constructor kernel/sched/sched.h:1740 [inline] sched_mm_cid_before_execve+0x114/0x5e0 kernel/sched/core.c:12026 exit_signals+0x34d/0x960 kernel/signal.c:3014 do_exit+0x54e/0x2ba0 kernel/exit.c:833 __do_sys_exit kernel/exit.c:990 [inline] __se_sys_exit kernel/exit.c:988 [inline] __x64_sys_exit+0x42/0x50 kernel/exit.c:988 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&sighand->siglock){-.-.}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain kernel/locking/lockdep.c:3869 [inline] __lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 __lock_task_sighand+0xc2/0x340 kernel/signal.c:1412 lock_task_sighand include/linux/sched/signal.h:746 [inline] do_send_sig_info kernel/signal.c:1300 [inline] group_send_sig_info+0x290/0x300 kernel/signal.c:1451 bpf_send_signal_common+0x2e8/0x3a0 kernel/trace/bpf_trace.c:881 ____bpf_send_signal kernel/trace/bpf_trace.c:886 [inline] bpf_send_signal+0x19/0x30 kernel/trace/bpf_trace.c:884 bpf_prog_9fbc3d1d47c9b36c+0x22/0x2d bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline] __bpf_prog_run include/linux/filter.h:691 [inline] bpf_prog_run include/linux/filter.h:698 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2403 [inline] bpf_trace_run4+0x248/0x5a0 kernel/trace/bpf_trace.c:2446 __bpf_trace_mmap_lock_acquire_returned+0x134/0x180 include/trace/events/mmap_lock.h:52 trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:52 [inline] __mmap_lock_do_trace_acquire_returned+0x456/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:164 [inline] get_mmap_lock_carefully mm/memory.c:5715 [inline] lock_mm_and_find_vma+0xeb/0x6a0 mm/memory.c:5775 do_user_addr_fault+0x29c/0xe50 arch/x86/mm/fault.c:1361 handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 copy_user_generic arch/x86/include/asm/uaccess_64.h:110 [inline] raw_copy_from_user arch/x86/include/asm/uaccess_64.h:125 [inline] _copy_from_user+0xc1/0xf0 lib/usercopy.c:28 copy_from_user include/linux/uaccess.h:183 [inline] input_event_from_user+0x134/0x3b0 drivers/input/input-compat.c:31 evdev_write+0x374/0x750 drivers/input/evdev.c:524 vfs_write+0x29d/0x1140 fs/read_write.c:588 ksys_write+0x1f8/0x260 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Chain exists of: &sighand->siglock --> &rq->__lock --> lock#10 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(lock#10); lock(&rq->__lock); lock(lock#10); lock(&sighand->siglock); *** DEADLOCK *** 6 locks held by syz-executor.3/14922: #0: ffff888024b55110 (&evdev->mutex){+.+.}-{3:3}, at: evdev_write+0x1ff/0x750 drivers/input/evdev.c:513 #1: ffff8880442d4d98 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:163 [inline] #1: ffff8880442d4d98 (&mm->mmap_lock){++++}-{3:3}, at: get_mmap_lock_carefully mm/memory.c:5715 [inline] #1: ffff8880442d4d98 (&mm->mmap_lock){++++}-{3:3}, at: lock_mm_and_find_vma+0x35/0x6a0 mm/memory.c:5775 #2: ffff8880b9238ac0 (lock#10){+.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] #2: ffff8880b9238ac0 (lock#10){+.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237 #3: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #3: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #3: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: get_memcg_path_buf mm/mmap_lock.c:139 [inline] #3: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: get_mm_memcg_path+0xb1/0x6f0 mm/mmap_lock.c:209 #4: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #4: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #4: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2402 [inline] #4: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run4+0x1d6/0x5a0 kernel/trace/bpf_trace.c:2446 #5: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #5: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #5: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: __lock_task_sighand+0x3f/0x340 kernel/signal.c:1395 stack backtrace: CPU: 0 PID: 14922 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2187 check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain kernel/locking/lockdep.c:3869 [inline] __lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 __lock_task_sighand+0xc2/0x340 kernel/signal.c:1412 lock_task_sighand include/linux/sched/signal.h:746 [inline] do_send_sig_info kernel/signal.c:1300 [inline] group_send_sig_info+0x290/0x300 kernel/signal.c:1451 bpf_send_signal_common+0x2e8/0x3a0 kernel/trace/bpf_trace.c:881 ____bpf_send_signal kernel/trace/bpf_trace.c:886 [inline] bpf_send_signal+0x19/0x30 kernel/trace/bpf_trace.c:884 bpf_prog_9fbc3d1d47c9b36c+0x22/0x2d bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline] __bpf_prog_run include/linux/filter.h:691 [inline] bpf_prog_run include/linux/filter.h:698 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2403 [inline] bpf_trace_run4+0x248/0x5a0 kernel/trace/bpf_trace.c:2446 __bpf_trace_mmap_lock_acquire_returned+0x134/0x180 include/trace/events/mmap_lock.h:52 trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:52 [inline] __mmap_lock_do_trace_acquire_returned+0x456/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:164 [inline] get_mmap_lock_carefully mm/memory.c:5715 [inline] lock_mm_and_find_vma+0xeb/0x6a0 mm/memory.c:5775 do_user_addr_fault+0x29c/0xe50 arch/x86/mm/fault.c:1361 handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:110 [inline] RIP: 0010:raw_copy_from_user arch/x86/include/asm/uaccess_64.h:125 [inline] RIP: 0010:_copy_from_user+0xc1/0xf0 lib/usercopy.c:28 Code: 89 df e8 52 08 0b fd 4d 85 f6 75 9e e8 d8 0d 0b fd 0f ae e8 89 ee 4c 89 ef e8 3b 94 67 fd 0f 01 cb 48 89 e9 4c 89 ef 48 89 de a4 0f 1f 00 48 89 cb 0f 01 ca e9 73 ff ff ff e8 aa 0d 0b fd 48 RSP: 0018:ffffc900192a7b78 EFLAGS: 00050246 RAX: 0000000000000001 RBX: 0000000020aa7000 RCX: 0000000000000018 RDX: fffff52003254f95 RSI: 0000000020aa7000 RDI: ffffc900192a7c90 RBP: 0000000000000018 R08: 0000000000000001 R09: fffff52003254f94 R10: ffffc900192a7ca7 R11: 0000000000000001 R12: 0000000020aa7018 R13: ffffc900192a7c90 R14: 0000000000000000 R15: ffff88807eedbc00 copy_from_user include/linux/uaccess.h:183 [inline] input_event_from_user+0x134/0x3b0 drivers/input/input-compat.c:31 evdev_write+0x374/0x750 drivers/input/evdev.c:524 vfs_write+0x29d/0x1140 fs/read_write.c:588 ksys_write+0x1f8/0x260 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fd8b147cf69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd8b22050c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fd8b15b3f80 RCX: 00007fd8b147cf69 RDX: 0000000100000008 RSI: 0000000020000000 RDI: 0000000000000003 RBP: 00007fd8b14da6fe R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fd8b15b3f80 R15: 00007ffd8cbfde88 ---------------- Code disassembly (best guess): 0: 89 df mov %ebx,%edi 2: e8 52 08 0b fd call 0xfd0b0859 7: 4d 85 f6 test %r14,%r14 a: 75 9e jne 0xffffffaa c: e8 d8 0d 0b fd call 0xfd0b0de9 11: 0f ae e8 lfence 14: 89 ee mov %ebp,%esi 16: 4c 89 ef mov %r13,%rdi 19: e8 3b 94 67 fd call 0xfd679459 1e: 0f 01 cb stac 21: 48 89 e9 mov %rbp,%rcx 24: 4c 89 ef mov %r13,%rdi 27: 48 89 de mov %rbx,%rsi * 2a: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi) <-- trapping instruction 2c: 0f 1f 00 nopl (%rax) 2f: 48 89 cb mov %rcx,%rbx 32: 0f 01 ca clac 35: e9 73 ff ff ff jmp 0xffffffad 3a: e8 aa 0d 0b fd call 0xfd0b0de9 3f: 48 rex.W