program:
syz_open_dev$vim2m(&(0x7f00000002c0), 0x2000000f5, 0x2) (async)
r0 = syz_open_dev$vim2m(&(0x7f00000002c0), 0x2000000f5, 0x2)
ioctl$vim2m_VIDIOC_S_CTRL(r0, 0xc008561c, &(0x7f0000000400)={0xf0f01e, 0x2})
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000280)={{0x0, 0x4, 0x0, 0x9}, 'syz1\x00', 0x9}) (async)
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000280)={{0x0, 0x4, 0x0, 0x9}, 'syz1\x00', 0x9})
ioctl$UI_SET_FFBIT(r1, 0x4004556b, 0x51)
ioctl$UI_DEV_CREATE(r1, 0x5501)
r2 = syz_open_dev$evdev(&(0x7f0000000100), 0x72, 0x0)
ioctl$EVIOCSFF(r2, 0x40304580, &(0x7f0000000500)={0x50, 0xffff, 0xd, {0x2, 0x4}, {0x8000, 0x7}, @cond=[{0xeeb, 0x405, 0x5, 0x610b, 0x8, 0x2cf2}, {0x2, 0x2, 0x5, 0x2, 0x6, 0x3b7e}]})

[ 74.149562][ T4669] Bluetooth: hci0: command tx timeout
[ 74.207750][ T5319] input: syz1 as /devices/virtual/input/input5
[ 74.227894][ T5319]
[ 74.228948][ T5319] ======================================================
[ 74.231539][ T5319] WARNING: possible circular locking dependency detected
[ 74.234673][ T5319] syzkaller #0 Not tainted
[ 74.236393][ T5319] ------------------------------------------------------
[ 74.239034][ T5319] syz.0.0/5319 is trying to acquire lock:
[ 74.241397][ T5319] ffff888052301070 (&newdev->mutex){+.+.}-{4:4}, at: uinput_request_submit+0x188/0x6f0
[ 74.245609][ T5319]
[ 74.245609][ T5319] but task is already holding lock:
[ 74.248646][ T5319] ffff88803faa20b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x398/0xb30
[ 74.252379][ T5319]
[ 74.252379][ T5319] which lock already depends on the new lock.
[ 74.252379][ T5319]
[ 74.256745][ T5319]
[ 74.256745][ T5319] the existing dependency chain (in reverse order) is:
[ 74.260648][ T5319]
[ 74.260648][ T5319] -> #3 (&ff->mutex){+.+.}-{4:4}:
[ 74.263782][ T5319]        lock_acquire+0x120/0x360
[ 74.265968][ T5319]        __mutex_lock+0x187/0x1350
[ 74.268234][ T5319]        input_ff_flush+0x5d/0x170
[ 74.270433][ T5319]        input_flush_device+0xb1/0x110
[ 74.272800][ T5319]        evdev_release+0xe1/0x800
[ 74.275014][ T5319]        __fput+0x449/0xa70
[ 74.277038][ T5319]        fput_close_sync+0x119/0x200
[ 74.279276][ T5319]        __x64_sys_close+0x7f/0x110
[ 74.281421][ T5319]        do_syscall_64+0xfa/0xfa0
[ 74.283609][ T5319]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.286348][ T5319]
[ 74.286348][ T5319] -> #2 (&dev->mutex#2){+.+.}-{4:4}:
[ 74.289455][ T5319]        lock_acquire+0x120/0x360
[ 74.291707][ T5319]        __mutex_lock+0x187/0x1350
[ 74.293965][ T5319]        input_register_handle+0x18f/0x530
[ 74.296474][ T5319]        kbd_connect+0xc3/0x140
[ 74.298621][ T5319]        input_register_device+0xd00/0x1140
[ 74.301207][ T5319]        acpi_button_add+0x6b1/0xb50
[ 74.303501][ T5319]        acpi_device_probe+0xa5/0x2d0
[ 74.305848][ T5319]        really_probe+0x26d/0x9e0
[ 74.308011][ T5319]        __driver_probe_device+0x18c/0x2f0
[ 74.310480][ T5319]        driver_probe_device+0x4f/0x430
[ 74.312916][ T5319]        __driver_attach+0x452/0x700
[ 74.315188][ T5319]        bus_for_each_dev+0x233/0x2b0
[ 74.317418][ T5319]        bus_add_driver+0x345/0x640
[ 74.319613][ T5319]        driver_register+0x23a/0x320
[ 74.321876][ T5319]        do_one_initcall+0x233/0x820
[ 74.324152][ T5319]        do_initcall_level+0x104/0x190
[ 74.326531][ T5319]        do_initcalls+0x59/0xa0
[ 74.328635][ T5319]        kernel_init_freeable+0x334/0x4b0
[ 74.331043][ T5319]        kernel_init+0x1d/0x1d0
[ 74.333199][ T5319]        ret_from_fork+0x4bc/0x870
[ 74.335397][ T5319]        ret_from_fork_asm+0x1a/0x30
[ 74.337695][ T5319]
[ 74.337695][ T5319] -> #1 (input_mutex){+.+.}-{4:4}:
[ 74.340822][ T5319]        lock_acquire+0x120/0x360
[ 74.343056][ T5319]        __mutex_lock+0x187/0x1350
[ 74.345273][ T5319]        input_register_device+0xa76/0x1140
[ 74.347801][ T5319]        uinput_create_device+0x422/0x670
[ 74.350301][ T5319]        uinput_ioctl_handler+0x3f0/0x1570
[ 74.352848][ T5319]        __se_sys_ioctl+0xfc/0x170
[ 74.355122][ T5319]        do_syscall_64+0xfa/0xfa0
[ 74.357340][ T5319]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.360184][ T5319]
[ 74.360184][ T5319] -> #0 (&newdev->mutex){+.+.}-{4:4}:
[ 74.363610][ T5319]        validate_chain+0xb9b/0x2140
[ 74.365951][ T5319]        __lock_acquire+0xab9/0xd20
[ 74.368200][ T5319]        lock_acquire+0x120/0x360
[ 74.370441][ T5319]        __mutex_lock+0x187/0x1350
[ 74.372758][ T5319]        uinput_request_submit+0x188/0x6f0
[ 74.375332][ T5319]        uinput_dev_upload_effect+0x150/0x1e0
[ 74.378030][ T5319]        input_ff_upload+0x5fb/0xb30
[ 74.380305][ T5319]        evdev_ioctl_handler+0x1644/0x1f10
[ 74.382771][ T5319]        __se_sys_ioctl+0xfc/0x170
[ 74.384918][ T5319]        do_syscall_64+0xfa/0xfa0
[ 74.387119][ T5319]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.389884][ T5319]
[ 74.389884][ T5319] other info that might help us debug this:
[ 74.389884][ T5319]
[ 74.394335][ T5319] Chain exists of:
[ 74.394335][ T5319]   &newdev->mutex --> &dev->mutex#2 --> &ff->mutex
[ 74.394335][ T5319]
[ 74.399617][ T5319]  Possible unsafe locking scenario:
[ 74.399617][ T5319]
[ 74.402900][ T5319]        CPU0                    CPU1
[ 74.405240][ T5319]        ----                    ----
[ 74.407592][ T5319]   lock(&ff->mutex);
[ 74.409357][ T5319]                                lock(&dev->mutex#2);
[ 74.412301][ T5319]                                lock(&ff->mutex);
[ 74.415137][ T5319]   lock(&newdev->mutex);
[ 74.417060][ T5319]
[ 74.417060][ T5319]  *** DEADLOCK ***
[ 74.417060][ T5319]
[ 74.420593][ T5319] 2 locks held by syz.0.0/5319:
[ 74.422829][ T5319]  #0: ffff888052339118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_ioctl_handler+0x121/0x1f10
[ 74.427078][ T5319]  #1: ffff88803faa20b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x398/0xb30
[ 74.431144][ T5319]
[ 74.431144][ T5319] stack backtrace:
[ 74.433785][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 74.433799][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 74.433806][ T5319] Call Trace:
[ 74.433813][ T5319]
[ 74.433819][ T5319]  dump_stack_lvl+0x189/0x250
[ 74.433836][ T5319]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.433847][ T5319]  ? __pfx__printk+0x10/0x10
[ 74.433859][ T5319]  ? print_lock_name+0xde/0x100
[ 74.433871][ T5319]  print_circular_bug+0x2ee/0x310
[ 74.433887][ T5319]  check_noncircular+0x134/0x160
[ 74.433900][ T5319]  validate_chain+0xb9b/0x2140
[ 74.433914][ T5319]  ? stack_trace_save+0x9c/0xe0
[ 74.433928][ T5319]  ? __pfx_stack_trace_save+0x10/0x10
[ 74.433943][ T5319]  __lock_acquire+0xab9/0xd20
[ 74.433955][ T5319]  ? uinput_request_submit+0x188/0x6f0
[ 74.433972][ T5319]  lock_acquire+0x120/0x360
[ 74.433981][ T5319]  ? uinput_request_submit+0x188/0x6f0
[ 74.434000][ T5319]  __mutex_lock+0x187/0x1350
[ 74.434015][ T5319]  ? uinput_request_submit+0x188/0x6f0
[ 74.434032][ T5319]  ? __lock_acquire+0xab9/0xd20
[ 74.434043][ T5319]  ? uinput_request_submit+0x188/0x6f0
[ 74.434059][ T5319]  ? __pfx___mutex_lock+0x10/0x10
[ 74.434073][ T5319]  ? do_raw_spin_unlock+0x4d/0x240
[ 74.434088][ T5319]  ? _raw_spin_unlock+0x28/0x50
[ 74.434098][ T5319]  ? uinput_request_alloc_id+0x3cf/0x400
[ 74.434114][ T5319]  uinput_request_submit+0x188/0x6f0
[ 74.434131][ T5319]  ? __pfx___mutex_trylock_common+0x10/0x10
[ 74.434144][ T5319]  ? __pfx_uinput_request_submit+0x10/0x10
[ 74.434159][ T5319]  ? rcu_is_watching+0x15/0xb0
[ 74.434171][ T5319]  ? trace_contention_end+0x39/0x120
[ 74.434183][ T5319]  ? __mutex_lock+0x335/0x1350
[ 74.434198][ T5319]  uinput_dev_upload_effect+0x150/0x1e0
[ 74.434213][ T5319]  ? input_ff_upload+0x398/0xb30
[ 74.434226][ T5319]  ? __pfx_uinput_dev_upload_effect+0x10/0x10
[ 74.434243][ T5319]  input_ff_upload+0x5fb/0xb30
[ 74.434257][ T5319]  evdev_ioctl_handler+0x1644/0x1f10
[ 74.434272][ T5319]  ? do_vfs_ioctl+0xbe8/0x1430
[ 74.434283][ T5319]  ? tomoyo_path_number_perm+0x1bc/0x5a0
[ 74.434294][ T5319]  ? __pfx_evdev_ioctl_handler+0x10/0x10
[ 74.434307][ T5319]  ? __might_fault+0xb0/0x130
[ 74.434322][ T5319]  ? __fget_files+0x2a/0x420
[ 74.434334][ T5319]  ? __fget_files+0x3a0/0x420
[ 74.434345][ T5319]  ? __fget_files+0x2a/0x420
[ 74.434357][ T5319]  ? bpf_lsm_file_ioctl+0x9/0x20
[ 74.434366][ T5319]  ? __pfx_evdev_ioctl+0x10/0x10
[ 74.434377][ T5319]  __se_sys_ioctl+0xfc/0x170
[ 74.434387][ T5319]  do_syscall_64+0xfa/0xfa0
[ 74.434398][ T5319]  ? lockdep_hardirqs_on+0x9c/0x150
[ 74.434408][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.434417][ T5319]  ? clear_bhb_loop+0x60/0xb0
[ 74.434427][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.434436][ T5319] RIP: 0033:0x7f932db8eec9
[ 74.434447][ T5319] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 74.434455][ T5319] RSP: 002b:00007f932ea48038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 74.434466][ T5319] RAX: ffffffffffffffda RBX: 00007f932dde5fa0 RCX: 00007f932db8eec9
[ 74.434473][ T5319] RDX: 0000200000000500 RSI: 0000000040304580 RDI: 0000000000000006
[ 74.434479][ T5319] RBP: 00007f932dc11f91 R08: 0000000000000000 R09: 0000000000000000
[ 74.434486][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 74.434492][ T5319] R13: 00007f932dde6038 R14: 00007f932dde5fa0 R15: 00007ffd5d2fa838
[ 74.434504][ T5319]