audit: type=1400 audit(1549745932.922:3796): avc: denied { net_admin } for pid=2087 comm="syz-executor.5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1

======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #23 Not tainted
-------------------------------------------------------
syz-executor.2/18750 is trying to acquire lock:
 (&newdev->mutex){+.+.+.}, at: [] uinput_request_send drivers/input/misc/uinput.c:116 [inline]
 (&newdev->mutex){+.+.+.}, at: [] uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147

but task is already holding lock:
 (&ff->mutex){+.+...}, at: [] input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&ff->mutex){+.+...}:
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
       flush_effects+0x58/0x110 drivers/input/ff-core.c:249
       input_flush_device+0x8e/0xd0 drivers/input/input.c:632
       evdev_flush+0xfb/0x120 drivers/input/evdev.c:353
       filp_close+0xa7/0x140 fs/open.c:1129
       __close_fd+0x156/0x230 fs/file.c:651
       SYSC_close fs/open.c:1148 [inline]
       SyS_close+0x4c/0x90 fs/open.c:1146
       do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
       do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

-> #1 (&dev->mutex#2){+.+...}:
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
       input_disconnect_device drivers/input/input.c:704 [inline]
       __input_unregister_device+0x2a/0x490 drivers/input/input.c:2018
       input_unregister_device+0xa6/0xf0 drivers/input/input.c:2197
       uinput_destroy_device+0x1cf/0x220 drivers/input/misc/uinput.c:246
       uinput_ioctl_handler.isra.4+0xffb/0x1980 drivers/input/misc/uinput.c:821
       uinput_compat_ioctl+0x5f/0x80 drivers/input/misc/uinput.c:1001
       C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
       compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
       do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
       do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

-> #0 (&newdev->mutex){+.+.+.}:
       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
       uinput_request_send drivers/input/misc/uinput.c:116 [inline]
       uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
       uinput_request_submit drivers/input/misc/uinput.c:144 [inline]
       uinput_dev_upload_effect+0x14a/0x1c0 drivers/input/misc/uinput.c:216
       input_ff_upload+0x528/0xa00 drivers/input/ff-core.c:165
       evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
       evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
       evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
       C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
       compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
       do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
       do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

other info that might help us debug this:

Chain exists of:
  &newdev->mutex --> &dev->mutex#2 --> &ff->mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ff->mutex);
                               lock(&dev->mutex#2);
                               lock(&ff->mutex);
  lock(&newdev->mutex);

 *** DEADLOCK ***

2 locks held by syz-executor.2/18750:
 #0:  (&evdev->mutex){+.+.+.}, at: [] evdev_ioctl_handler+0x112/0x1820 drivers/input/evdev.c:1293
 #1:  (&ff->mutex){+.+...}, at: [] input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135

stack backtrace:
CPU: 1 PID: 18750 Comm: syz-executor.2 Not tainted 4.9.141+ #23
 ffff8801a3187778 ffffffff81b42e79 ffffffff83c98560 ffffffff83ce93b0
 ffffffff83cd4c50 ffff8801a9c808f8 ffff8801a9c80000 ffff8801a31877c0
 ffffffff813fee40 0000000000000002 00000000a9c808d8 0000000000000002
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_circular_bug.cold.36+0x2f7/0x432 kernel/locking/lockdep.c:1202
 [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
 [] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
 [] uinput_request_send drivers/input/misc/uinput.c:116 [inline]
 [] uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
 [] uinput_request_submit drivers/input/misc/uinput.c:144 [inline]
 [] uinput_dev_upload_effect+0x14a/0x1c0 drivers/input/misc/uinput.c:216
 [] input_ff_upload+0x528/0xa00 drivers/input/ff-core.c:165
 [] evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
 [] evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
 [] evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
 [] C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
 [] compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
 [] do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
 [] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

audit: type=1400 audit(1549745932.942:3797): avc: denied { dac_override } for pid=18749 comm="syz-executor.2" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1549745932.962:3798): avc: denied { net_admin } for pid=2087 comm="syz-executor.5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1549745932.962:3799): avc: denied { net_admin } for pid=2087 comm="syz-executor.5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1549745932.962:3800): avc: denied { net_admin } for pid=2087 comm="syz-executor.5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1549745932.962:3801): avc: denied { net_admin } for pid=2087 comm="syz-executor.5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1549745932.972:3802): avc: denied { net_admin } for pid=2087 comm="syz-executor.5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1549745932.982:3803): avc: denied { prog_load } for pid=18754 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
audit: type=1400 audit(1549745932.992:3804): avc: denied { sys_admin } for pid=2086 comm="syz-executor.4" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1