input: syz0 as /devices/virtual/input/input49
input: syz0 as /devices/virtual/input/input50
input: syz0 as /devices/virtual/input/input51
input: syz0 as /devices/virtual/input/input52

======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #23 Not tainted
-------------------------------------------------------
syz-executor116/2216 is trying to acquire lock:
(&newdev->mutex){+.+.+.}, at: [] uinput_request_send drivers/input/misc/uinput.c:116 [inline]
(&newdev->mutex){+.+.+.}, at: [] uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
but task is already holding lock:
(&ff->mutex){+.+...}, at: [] input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135
which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135
evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
evdev_mark_dead drivers/input/evdev.c:1345 [inline]
evdev_cleanup+0x26/0x1a0 drivers/input/evdev.c:1354
evdev_disconnect+0x43/0xa0 drivers/input/evdev.c:1446
__input_unregister_device+0x1ec/0x490 drivers/input/input.c:2023
input_unregister_device+0xa6/0xf0 drivers/input/input.c:2197
uinput_destroy_device+0x1cf/0x220
drivers/input/misc/uinput.c:246
uinput_release+0x3a/0x50 drivers/input/misc/uinput.c:658
__fput+0x263/0x700 fs/file_table.c:208
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x10c/0x180 kernel/task_work.c:116
exit_task_work include/linux/task_work.h:21 [inline]
do_exit+0x78d/0x2a50 kernel/exit.c:833
do_group_exit+0x111/0x300 kernel/exit.c:937
SYSC_exit_group kernel/exit.c:948 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:946
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
input_register_device.cold.13+0x39/0x204 drivers/input/input.c:2146
uinput_create_device drivers/input/misc/uinput.c:302 [inline]
uinput_ioctl_handler.isra.4+0x84a/0x1980 drivers/input/misc/uinput.c:817
uinput_compat_ioctl+0x5f/0x80 drivers/input/misc/uinput.c:1001
C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

check_prev_add kernel/locking/lockdep.c:1828 [inline]
check_prevs_add kernel/locking/lockdep.c:1938 [inline]
validate_chain kernel/locking/lockdep.c:2265 [inline]
__lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
uinput_request_send drivers/input/misc/uinput.c:116 [inline]
uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
uinput_request_submit drivers/input/misc/uinput.c:144 [inline]
uinput_dev_upload_effect+0x14a/0x1c0
drivers/input/misc/uinput.c:216
input_ff_upload+0x528/0xa00 drivers/input/ff-core.c:165
evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

other info that might help us debug this:

Chain exists of:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ff->mutex);
                               lock(&evdev->mutex);
                               lock(&ff->mutex);
  lock(&newdev->mutex);

 *** DEADLOCK ***

2 locks held by syz-executor116/2216:
#0: (&evdev->mutex){+.+...}, at: [] evdev_ioctl_handler+0x112/0x1820 drivers/input/evdev.c:1293
#1: (&ff->mutex){+.+...}, at: [] input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135

stack backtrace:
CPU: 1 PID: 2216 Comm: syz-executor116 Not tainted 4.9.141+ #23
ffff8801c9dc7778 ffffffff81b42e79 ffffffff83cc2500 ffffffff83cc4bd0
ffffffff83cc10c0 ffff8801c9b120b8 ffff8801c9b117c0 ffff8801c9dc77c0
ffffffff813fee40 0000000000000002 00000000c9b12098 0000000000000002
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] print_circular_bug.cold.36+0x2f7/0x432 kernel/locking/lockdep.c:1202
[] check_prev_add kernel/locking/lockdep.c:1828 [inline]
[] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
[] validate_chain kernel/locking/lockdep.c:2265 [inline]
[] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
[] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
[] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
[] mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
[] uinput_request_send drivers/input/misc/uinput.c:116 [inline]
[] uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
[]
uinput_request_submit drivers/input/misc/uinput.c:144 [inline]
[] uinput_dev_upload_effect+0x14a/0x1c0 drivers/input/misc/uinput.c:216
[] input_ff_upload+0x528/0xa00 drivers/input/ff-core.c:165
[] evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
[] evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
[] evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
[] C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
[] compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
[] do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
[] do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
[] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137