======================================================
WARNING: possible circular locking dependency detected
4.20.0-rc7+ #284 Not tainted
------------------------------------------------------
kobject: 'input52' (0000000034dcf646): kobject_cleanup, parent (null)
syz-executor4/6381 is trying to acquire lock:
00000000c3e2a42e ((wq_completion)"events"){+.+.}, at: flush_workqueue+0x2db/0x1e10 kernel/workqueue.c:2652

but task is already holding lock:
00000000efab8080 (&dev->dev_mutex){+.+.}, at: __video_do_ioctl+0x461/0x1050 drivers/media/v4l2-core/v4l2-ioctl.c:2821

which lock already depends on the new lock.

kobject: 'input52' (0000000034dcf646): calling ktype release

the existing dependency chain (in reverse order) is:

-> #3 (&dev->dev_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
       vim2m_release+0xbc/0x150 drivers/media/platform/vim2m.c:976
       v4l2_release+0x224/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:456
kobject: 'input52': free name
       __fput+0x385/0xa30 fs/file_table.c:278
       ____fput+0x15/0x20 fs/file_table.c:309
       task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:188 [inline]
       exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
       prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
       do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&mdev->req_queue_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
       v4l2_release+0x1d7/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:455
       __fput+0x385/0xa30 fs/file_table.c:278
       delayed_fput+0x55/0x80 fs/file_table.c:304
       process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
       worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
       kthread+0x35a/0x440 kernel/kthread.c:246
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

-> #1 ((delayed_fput_work).work){+.+.}:
       process_one_work+0xc0a/0x1c40 kernel/workqueue.c:2129
       worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
       kthread+0x35a/0x440 kernel/kthread.c:246
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

-> #0 ((wq_completion)"events"){+.+.}:
       lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
       flush_workqueue+0x30a/0x1e10 kernel/workqueue.c:2655
       flush_scheduled_work include/linux/workqueue.h:599 [inline]
       vim2m_stop_streaming+0x7c/0x2c0 drivers/media/platform/vim2m.c:811
       __vb2_queue_cancel+0x14f/0xd50 drivers/media/common/videobuf2/videobuf2-core.c:1843
       vb2_core_streamoff+0x60/0x140 drivers/media/common/videobuf2/videobuf2-core.c:2006
       vb2_streamoff+0x4a/0x90 drivers/media/common/videobuf2/videobuf2-v4l2.c:789
       v4l2_m2m_streamoff+0xd0/0x720 drivers/media/v4l2-core/v4l2-mem2mem.c:563
       v4l2_m2m_ioctl_streamoff+0x6b/0x80 drivers/media/v4l2-core/v4l2-mem2mem.c:1081
       v4l_streamoff+0x76/0x90 drivers/media/v4l2-core/v4l2-ioctl.c:1698
       __video_do_ioctl+0x8b1/0x1050 drivers/media/v4l2-core/v4l2-ioctl.c:2853
       video_usercopy+0x5c1/0x1760 drivers/media/v4l2-core/v4l2-ioctl.c:3035
       video_ioctl2+0x2c/0x33 drivers/media/v4l2-core/v4l2-ioctl.c:3079
       v4l2_ioctl+0x154/0x1b0 drivers/media/v4l2-core/v4l2-dev.c:364
       native_ioctl drivers/media/v4l2-core/v4l2-compat-ioctl32.c:116 [inline]
       do_video_ioctl drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1354 [inline]
       v4l2_compat_ioctl32+0x3e5/0x5cf0 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1461
       __do_compat_sys_ioctl fs/compat_ioctl.c:1052 [inline]
       __se_compat_sys_ioctl fs/compat_ioctl.c:998 [inline]
       __ia32_compat_sys_ioctl+0x20e/0x630 fs/compat_ioctl.c:998
       do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
       do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

other info that might help us debug this:

Chain exists of:
  (wq_completion)"events" --> &mdev->req_queue_mutex --> &dev->dev_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&dev->dev_mutex);
                               lock(&mdev->req_queue_mutex);
                               lock(&dev->dev_mutex);
  lock((wq_completion)"events");

 *** DEADLOCK ***

2 locks held by syz-executor4/6381:
 #0: 0000000035ec957c (&mdev->req_queue_mutex){+.+.}, at: __video_do_ioctl+0xb6c/0x1050 drivers/media/v4l2-core/v4l2-ioctl.c:2815
 #1: 00000000efab8080 (&dev->dev_mutex){+.+.}, at: __video_do_ioctl+0x461/0x1050 drivers/media/v4l2-core/v4l2-ioctl.c:2821

stack backtrace:
CPU: 0 PID: 6381 Comm: syz-executor4 Not tainted 4.20.0-rc7+ #284
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_circular_bug.isra.35.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2347 [inline]
 __lock_acquire+0x3399/0x4c20 kernel/locking/lockdep.c:3341
 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
 flush_workqueue+0x30a/0x1e10 kernel/workqueue.c:2655
 flush_scheduled_work include/linux/workqueue.h:599 [inline]
 vim2m_stop_streaming+0x7c/0x2c0 drivers/media/platform/vim2m.c:811
 __vb2_queue_cancel+0x14f/0xd50 drivers/media/common/videobuf2/videobuf2-core.c:1843
 vb2_core_streamoff+0x60/0x140 drivers/media/common/videobuf2/videobuf2-core.c:2006
 vb2_streamoff+0x4a/0x90 drivers/media/common/videobuf2/videobuf2-v4l2.c:789
 v4l2_m2m_streamoff+0xd0/0x720 drivers/media/v4l2-core/v4l2-mem2mem.c:563
 v4l2_m2m_ioctl_streamoff+0x6b/0x80 drivers/media/v4l2-core/v4l2-mem2mem.c:1081
 v4l_streamoff+0x76/0x90 drivers/media/v4l2-core/v4l2-ioctl.c:1698
 __video_do_ioctl+0x8b1/0x1050 drivers/media/v4l2-core/v4l2-ioctl.c:2853
 video_usercopy+0x5c1/0x1760 drivers/media/v4l2-core/v4l2-ioctl.c:3035
kobject: 'nullb0' (000000006e0a85cf): kobject_uevent_env
kobject: 'nullb0' (000000006e0a85cf): fill_kobj_path: path = '/devices/virtual/block/nullb0'
 video_ioctl2+0x2c/0x33 drivers/media/v4l2-core/v4l2-ioctl.c:3079
 v4l2_ioctl+0x154/0x1b0 drivers/media/v4l2-core/v4l2-dev.c:364
 native_ioctl drivers/media/v4l2-core/v4l2-compat-ioctl32.c:116 [inline]
 do_video_ioctl drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1354 [inline]
 v4l2_compat_ioctl32+0x3e5/0x5cf0 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1461
 __do_compat_sys_ioctl fs/compat_ioctl.c:1052 [inline]
 __se_compat_sys_ioctl fs/compat_ioctl.c:998 [inline]
 __ia32_compat_sys_ioctl+0x20e/0x630 fs/compat_ioctl.c:998
 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
 do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f7da29
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f5f790cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000040045613
RDX: 0000000020000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000