syzbot

 sign-in | mailing list | source | docs
🐞 Open [1592]
Subsystems
🐞 Fixed [6233]
🐞 Invalid [15780]
Missing Backports [183]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

possible deadlock in input_ff_flush

Status: upstream: reported syz repro on 2025/01/05 12:40
Subsystems: input
[Documentation on labels]
Reported-by: syzbot+ed7c6209f62eba1565aa@syzkaller.appspotmail.com
First crash: 135d, last: 13d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [input?] possible deadlock in input_ff_flush 2 (5) 2025/01/07 10:45
Last patch testing requests (4)
Created Duration User Patch Repo Result
2025/03/26 13:09 31m retest repro upstream report log
2025/01/15 12:45 17m retest repro upstream report log
2025/01/06 11:08 17m hdanton@sina.com patch upstream report log
2025/01/06 10:29 19m hdanton@sina.com patch upstream error

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
6.15.0-rc4-syzkaller-00256-g95d3481af6dc #0 Not tainted
------------------------------------------------------
acpid/5328 is trying to acquire lock:
ffff8880324cc8b0 (&ff->mutex){+.+.}-{4:4}, at: class_mutex_constructor include/linux/mutex.h:201 [inline]
ffff8880324cc8b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_flush+0x63/0x180 drivers/input/ff-core.c:231

but task is already holding lock:
ffff88804fb482c0 (&dev->mutex#2){+.+.}-{4:4}, at: class_mutex_intr_constructor include/linux/mutex.h:203 [inline]
ffff88804fb482c0 (&dev->mutex#2){+.+.}-{4:4}, at: input_flush_device+0x55/0x110 drivers/input/input.c:625

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&dev->mutex#2){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:601 [inline]
       __mutex_lock+0x199/0xb90 kernel/locking/mutex.c:746
       class_mutex_intr_constructor include/linux/mutex.h:203 [inline]
       input_register_handle+0xdc/0x620 drivers/input/input.c:2653
       kbd_connect+0xca/0x160 drivers/tty/vt/keyboard.c:1587
       input_attach_handler.isra.0+0x181/0x260 drivers/input/input.c:993
       input_register_device+0xa84/0x1130 drivers/input/input.c:2412
       acpi_button_add+0x582/0xb70 drivers/acpi/button.c:621
       acpi_device_probe+0xc6/0x330 drivers/acpi/bus.c:1076
       call_driver_probe drivers/base/dd.c:579 [inline]
       really_probe+0x23e/0xa90 drivers/base/dd.c:657
       __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799
       driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829
       __driver_attach+0x283/0x580 drivers/base/dd.c:1215
       bus_for_each_dev+0x13b/0x1d0 drivers/base/bus.c:370
       bus_add_driver+0x2e9/0x690 drivers/base/bus.c:678
       driver_register+0x15c/0x4b0 drivers/base/driver.c:249
       __acpi_bus_register_driver+0xdf/0x130 drivers/acpi/bus.c:1027
       acpi_button_register_driver drivers/acpi/button.c:751 [inline]
       acpi_button_driver_init+0x82/0x110 drivers/acpi/button.c:760
       do_one_initcall+0x120/0x6e0 init/main.c:1257
       do_initcall_level init/main.c:1319 [inline]
       do_initcalls init/main.c:1335 [inline]
       do_basic_setup init/main.c:1354 [inline]
       kernel_init_freeable+0x5c2/0x900 init/main.c:1567
       kernel_init+0x1c/0x2b0 init/main.c:1457
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #2 (input_mutex){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:601 [inline]
       __mutex_lock+0x199/0xb90 kernel/locking/mutex.c:746
       class_mutex_intr_constructor include/linux/mutex.h:203 [inline]
       input_register_device+0x98a/0x1130 drivers/input/input.c:2408
       uinput_create_device drivers/input/misc/uinput.c:365 [inline]
       uinput_ioctl_handler.isra.0+0x1357/0x1df0 drivers/input/misc/uinput.c:918
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:906 [inline]
       __se_sys_ioctl fs/ioctl.c:892 [inline]
       __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (&newdev->mutex){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:601 [inline]
       __mutex_lock+0x199/0xb90 kernel/locking/mutex.c:746
       uinput_request_send drivers/input/misc/uinput.c:151 [inline]
       uinput_request_submit.part.0+0x25/0x2e0 drivers/input/misc/uinput.c:182
       uinput_request_submit drivers/input/misc/uinput.c:179 [inline]
       uinput_dev_upload_effect+0x174/0x1f0 drivers/input/misc/uinput.c:257
       input_ff_upload+0x568/0xc10 drivers/input/ff-core.c:148
       evdev_do_ioctl+0xf40/0x1b30 drivers/input/evdev.c:1181
       evdev_ioctl_handler drivers/input/evdev.c:1270 [inline]
       evdev_ioctl+0x16f/0x1a0 drivers/input/evdev.c:1279
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:906 [inline]
       __se_sys_ioctl fs/ioctl.c:892 [inline]
       __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (&ff->mutex){+.+.}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3166 [inline]
       check_prevs_add kernel/locking/lockdep.c:3285 [inline]
       validate_chain kernel/locking/lockdep.c:3909 [inline]
       __lock_acquire+0x1173/0x1ba0 kernel/locking/lockdep.c:5235
       lock_acquire kernel/locking/lockdep.c:5866 [inline]
       lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5823
       __mutex_lock_common kernel/locking/mutex.c:601 [inline]
       __mutex_lock+0x199/0xb90 kernel/locking/mutex.c:746
       class_mutex_constructor include/linux/mutex.h:201 [inline]
       input_ff_flush+0x63/0x180 drivers/input/ff-core.c:231
       uinput_dev_flush+0x2a/0x40 drivers/input/misc/uinput.c:283
       input_flush_device+0xa1/0x110 drivers/input/input.c:627
       evdev_release+0x344/0x420 drivers/input/evdev.c:435
       __fput+0x3ff/0xb70 fs/file_table.c:465
       fput_close_sync+0x118/0x260 fs/file_table.c:570
       __do_sys_close fs/open.c:1581 [inline]
       __se_sys_close fs/open.c:1566 [inline]
       __x64_sys_close+0x8b/0x120 fs/open.c:1566
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  &ff->mutex --> input_mutex --> &dev->mutex#2

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&dev->mutex#2);
                               lock(input_mutex);
                               lock(&dev->mutex#2);
  lock(&ff->mutex);

 *** DEADLOCK ***

2 locks held by acpid/5328:
 #0: ffff88804fb6a118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_release+0x79/0x420 drivers/input/evdev.c:432
 #1: ffff88804fb482c0 (&dev->mutex#2){+.+.}-{4:4}, at: class_mutex_intr_constructor include/linux/mutex.h:203 [inline]
 #1: ffff88804fb482c0 (&dev->mutex#2){+.+.}-{4:4}, at: input_flush_device+0x55/0x110 drivers/input/input.c:625

stack backtrace:
CPU: 1 UID: 0 PID: 5328 Comm: acpid Not tainted 6.15.0-rc4-syzkaller-00256-g95d3481af6dc #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_circular_bug+0x275/0x350 kernel/locking/lockdep.c:2079
 check_noncircular+0x14c/0x170 kernel/locking/lockdep.c:2211
 check_prev_add kernel/locking/lockdep.c:3166 [inline]
 check_prevs_add kernel/locking/lockdep.c:3285 [inline]
 validate_chain kernel/locking/lockdep.c:3909 [inline]
 __lock_acquire+0x1173/0x1ba0 kernel/locking/lockdep.c:5235
 lock_acquire kernel/locking/lockdep.c:5866 [inline]
 lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5823
 __mutex_lock_common kernel/locking/mutex.c:601 [inline]
 __mutex_lock+0x199/0xb90 kernel/locking/mutex.c:746
 class_mutex_constructor include/linux/mutex.h:201 [inline]
 input_ff_flush+0x63/0x180 drivers/input/ff-core.c:231
 uinput_dev_flush+0x2a/0x40 drivers/input/misc/uinput.c:283
 input_flush_device+0xa1/0x110 drivers/input/input.c:627
 evdev_release+0x344/0x420 drivers/input/evdev.c:435
 __fput+0x3ff/0xb70 fs/file_table.c:465
 fput_close_sync+0x118/0x260 fs/file_table.c:570
 __do_sys_close fs/open.c:1581 [inline]
 __se_sys_close fs/open.c:1566 [inline]
 __x64_sys_close+0x8b/0x120 fs/open.c:1566
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe8c63e80a8
Code: 48 8b 05 83 9d 0d 00 64 c7 00 16 00 00 00 83 c8 ff 48 83 c4 20 5b c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 5b 48 8b 15 51 9d 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffd44928cf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00007ffd44928f68 RCX: 00007fe8c63e80a8
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000009
RBP: 0000000000000009 R08: 0000000000000010 R09: 00007ffd44928e68
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd44928e68
R13: 0000000000000020 R14: 00007ffd44928f68 R15: 00007ffd44928e68
 </TASK>

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/05/03 22:36 upstream 95d3481af6dc b0714e37 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream possible deadlock in input_ff_flush
2025/01/01 12:32 upstream ccb98ccef0e5 d3ccff63 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream possible deadlock in input_ff_flush
* Struck through repros no longer work on HEAD.