======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #23 Not tainted
-------------------------------------------------------
syz-executor.0/15878 is trying to acquire lock:
 (&newdev->mutex){+.+.+.}, at: [] uinput_request_send drivers/input/misc/uinput.c:116 [inline]
 (&newdev->mutex){+.+.+.}, at: [] uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147

but task is already holding lock:
 (&ff->mutex){+.+...}, at: [] input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
       flush_effects+0x58/0x110 drivers/input/ff-core.c:249
       input_flush_device+0x8e/0xd0 drivers/input/input.c:632
       evdev_cleanup+0x158/0x1a0 drivers/input/evdev.c:1361
       evdev_disconnect+0x43/0xa0 drivers/input/evdev.c:1446
       __input_unregister_device+0x1ec/0x490 drivers/input/input.c:2023
       input_unregister_device+0xa6/0xf0 drivers/input/input.c:2197
       uinput_destroy_device+0x1cf/0x220 drivers/input/misc/uinput.c:246
       uinput_release+0x3a/0x50 drivers/input/misc/uinput.c:658
       __fput+0x263/0x700 fs/file_table.c:208
       ____fput+0x15/0x20 fs/file_table.c:244
       task_work_run+0x10c/0x180 kernel/task_work.c:116
       tracehook_notify_resume include/linux/tracehook.h:191 [inline]
       exit_to_usermode_loop+0x129/0x150 arch/x86/entry/common.c:162
       prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:263 [inline]
       do_syscall_32_irqs_on arch/x86/entry/common.c:334 [inline]
       do_fast_syscall_32+0x6dc/0xa10 arch/x86/entry/common.c:390
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
       input_disconnect_device drivers/input/input.c:704 [inline]
       __input_unregister_device+0x2a/0x490 drivers/input/input.c:2018
       input_unregister_device+0xa6/0xf0 drivers/input/input.c:2197
       uinput_destroy_device+0x1cf/0x220 drivers/input/misc/uinput.c:246
       uinput_ioctl_handler.isra.4+0xffb/0x1980 drivers/input/misc/uinput.c:821
       uinput_compat_ioctl+0x5f/0x80 drivers/input/misc/uinput.c:1001
       C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
       compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
       do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
       do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
       uinput_request_send drivers/input/misc/uinput.c:116 [inline]
       uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
       uinput_request_submit drivers/input/misc/uinput.c:144 [inline]
       uinput_dev_upload_effect+0x14a/0x1c0 drivers/input/misc/uinput.c:216
       input_ff_upload+0x528/0xa00 drivers/input/ff-core.c:165
       evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
       evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
       evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
       C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
       compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
       do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
       do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

other info that might help us debug this:

Chain exists of:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ff->mutex);
                               lock(&dev->mutex#2);
                               lock(&ff->mutex);
  lock(&newdev->mutex);

 *** DEADLOCK ***

2 locks held by syz-executor.0/15878:
 #0:  (&evdev->mutex){+.+.+.}, at: [] evdev_ioctl_handler+0x112/0x1820 drivers/input/evdev.c:1293
 #1:  (&ff->mutex){+.+...}, at: [] input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135

stack backtrace:
CPU: 1 PID: 15878 Comm: syz-executor.0 Not tainted 4.9.141+ #23
 ffff8801aae0f778 ffffffff81b42e79 ffffffff83c98560 ffffffff83cd9f00
 ffffffff83cd43e0 ffff8801cf6220b8 ffff8801cf6217c0 ffff8801aae0f7c0
 ffffffff813fee40 0000000000000002 00000000cf622098 0000000000000002
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_circular_bug.cold.36+0x2f7/0x432 kernel/locking/lockdep.c:1202
 [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
 [] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
 [] uinput_request_send drivers/input/misc/uinput.c:116 [inline]
 [] uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
 [] uinput_request_submit drivers/input/misc/uinput.c:144 [inline]
 [] uinput_dev_upload_effect+0x14a/0x1c0 drivers/input/misc/uinput.c:216
 [] input_ff_upload+0x528/0xa00 drivers/input/ff-core.c:165
 [] evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
 [] evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
 [] evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
 [] C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
 [] compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
 [] do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
 [] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137