./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2283495792 <...> Warning: Permanently added '10.128.0.189' (ED25519) to the list of known hosts. execve("./syz-executor2283495792", ["./syz-executor2283495792"], 0x7ffd6d833d10 /* 10 vars */) = 0 brk(NULL) = 0x55558f841000 brk(0x55558f841d40) = 0x55558f841d40 arch_prctl(ARCH_SET_FS, 0x55558f8413c0) = 0 set_tid_address(0x55558f841690) = 5832 set_robust_list(0x55558f8416a0, 24) = 0 rseq(0x55558f841ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2283495792", 4096) = 28 getrandom("\x17\x05\xe2\x00\x67\x03\x97\x39", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55558f841d40 brk(0x55558f862d40) = 0x55558f862d40 brk(0x55558f863000) = 0x55558f863000 mprotect(0x7f4f94b9d000, 16384, PROT_READ) = 0 mmap(0x3ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3ffffffff000 mmap(0x400000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000000000 mmap(0x400001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400001000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5833 attached , child_tidptr=0x55558f841690) = 5833 [pid 5833] set_robust_list(0x55558f8416a0, 24) = 0 [pid 5833] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5833] setpgid(0, 0) = 0 [pid 5833] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5833] write(3, "1000", 4) = 4 [pid 5833] close(3) = 0 [pid 5833] write(1, "executing program\n", 18executing program ) = 18 [pid 5833] futex(0x7f4f94ba332c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5833] rt_sigaction(SIGRT_1, {sa_handler=0x7f4f94b421e0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f4f94b33860}, NULL, 8) = 0 [pid 5833] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5833] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f4f94ab4000 [pid 5833] mprotect(0x7f4f94ab5000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5833] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5833] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f4f94ad4990, parent_tid=0x7f4f94ad4990, exit_signal=0, stack=0x7f4f94ab4000, stack_size=0x20300, tls=0x7f4f94ad46c0}./strace-static-x86_64: Process 5834 attached [pid 5834] rseq(0x7f4f94ad4fe0, 0x20, 0, 0x53053053) = 0 [pid 5833] <... clone3 resumed> => {parent_tid=[5834]}, 88) = 5834 [pid 5834] set_robust_list(0x7f4f94ad49a0, 24 [pid 5833] rt_sigprocmask(SIG_SETMASK, [], [pid 5834] <... set_robust_list resumed>) = 0 [pid 5833] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5834] rt_sigprocmask(SIG_SETMASK, [], [pid 5833] futex(0x7f4f94ba3328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5834] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5834] openat(AT_FDCWD, "/dev/uinput", O_RDONLY [pid 5833] <... futex resumed>) = 0 [pid 5834] <... openat resumed>) = 3 [pid 5833] futex(0x7f4f94ba332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5834] futex(0x7f4f94ba332c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5833] <... futex resumed>) = 0 [pid 5834] futex(0x7f4f94ba3328, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5833] futex(0x7f4f94ba3328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5834] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5833] <... futex resumed>) = 0 [pid 5834] ioctl(3, UI_DEV_SETUP [pid 5833] futex(0x7f4f94ba332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5834] <... ioctl resumed>, 0x400000000280) = 0 [pid 5834] futex(0x7f4f94ba332c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5833] <... futex resumed>) = 0 [pid 5834] futex(0x7f4f94ba3328, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5833] futex(0x7f4f94ba3328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5834] ioctl(3, UI_SET_FFBIT [pid 5833] <... futex resumed>) = 0 [pid 5834] <... ioctl resumed>, 0x51) = 0 [pid 5833] futex(0x7f4f94ba332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5834] futex(0x7f4f94ba332c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5833] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5833] futex(0x7f4f94ba3328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5833] futex(0x7f4f94ba332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5834] <... futex resumed>) = 1 [pid 5833] <... futex resumed>) = 0 [pid 5834] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN [pid 5833] futex(0x7f4f94ba332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5834] <... ioctl resumed>, 0) = 0 [pid 5834] futex(0x7f4f94ba332c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5833] <... futex resumed>) = 0 [pid 5833] futex(0x7f4f94ba3328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5833] futex(0x7f4f94ba332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5834] openat(AT_FDCWD, "/dev/input/event4", O_RDONLY) = 4 [pid 5834] futex(0x7f4f94ba332c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5833] <... futex resumed>) = 0 [pid 5834] <... futex resumed>) = 1 [pid 5833] futex(0x7f4f94ba3328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5834] ioctl(4, EVIOCSFF, {type=FF_RUMBLE, id=-1, direction=2, ...} [pid 5833] <... futex resumed>) = 0 [ 78.495425][ T5834] input: syz0 as /devices/virtual/input/input5 [ 78.536079][ T5834] [ 78.538461][ T5834] ====================================================== [ 78.545507][ T5834] WARNING: possible circular locking dependency detected [ 78.552542][ T5834] 6.14.0-rc5-syzkaller-00137-g00a7d39898c8 #0 Not tainted [ 78.559663][ T5834] ------------------------------------------------------ [ 78.566684][ T5834] syz-executor228/5834 is trying to acquire lock: [ 78.573192][ T5834] ffff888028755070 (&newdev->mutex){+.+.}-{4:4}, at: uinput_request_submit+0x19c/0x740 [ 78.582917][ T5834] [ 78.582917][ T5834] but task is already holding lock: [ 78.590297][ T5834] ffff8880287510b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x3ea/0xb20 [ 78.599110][ T5834] [ 78.599110][ T5834] which lock already depends on the new lock. [ 78.599110][ T5834] [ 78.609509][ T5834] [ 78.609509][ T5834] the existing dependency chain (in reverse order) is: [ 78.618524][ T5834] [ 78.618524][ T5834] -> #3 (&ff->mutex){+.+.}-{4:4}: [ 78.625749][ T5834] lock_acquire+0x1ed/0x550 [ 78.630790][ T5834] __mutex_lock+0x19c/0x1010 [ 78.635932][ T5834] input_ff_flush+0x5e/0x150 [ 78.641081][ T5834] input_flush_device+0xb2/0xe0 [ 78.646475][ T5834] evdev_release+0xf6/0x7d0 [ 78.651518][ T5834] __fput+0x3e9/0x9f0 [ 78.656041][ T5834] __x64_sys_close+0x7f/0x110 [ 78.661261][ T5834] do_syscall_64+0xf3/0x230 [ 78.666296][ T5834] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 78.672718][ T5834] [ 78.672718][ T5834] -> #2 (&dev->mutex#2){+.+.}-{4:4}: [ 78.680211][ T5834] lock_acquire+0x1ed/0x550 [ 78.685254][ T5834] __mutex_lock+0x19c/0x1010 [ 78.690461][ T5834] input_register_handle+0x1a5/0x500 [ 78.696375][ T5834] kbd_connect+0xbf/0x130 [ 78.701274][ T5834] input_register_device+0xce2/0x10c0 [ 78.707195][ T5834] acpi_button_add+0x6c6/0xb90 [ 78.712501][ T5834] acpi_device_probe+0xa5/0x2b0 [ 78.717886][ T5834] really_probe+0x2b9/0xad0 [ 78.722915][ T5834] __driver_probe_device+0x1a2/0x390 [ 78.728727][ T5834] driver_probe_device+0x50/0x430 [ 78.734271][ T5834] __driver_attach+0x45f/0x710 [ 78.739558][ T5834] bus_for_each_dev+0x239/0x2b0 [ 78.744937][ T5834] bus_add_driver+0x346/0x670 [ 78.750141][ T5834] driver_register+0x23a/0x320 [ 78.755430][ T5834] do_one_initcall+0x248/0x930 [ 78.760720][ T5834] do_initcall_level+0x157/0x210 [ 78.766183][ T5834] do_initcalls+0x71/0xd0 [ 78.771034][ T5834] kernel_init_freeable+0x435/0x5d0 [ 78.776760][ T5834] kernel_init+0x1d/0x2b0 [ 78.781620][ T5834] ret_from_fork+0x4b/0x80 [ 78.786570][ T5834] ret_from_fork_asm+0x1a/0x30 [ 78.791866][ T5834] [ 78.791866][ T5834] -> #1 (input_mutex){+.+.}-{4:4}: [ 78.799180][ T5834] lock_acquire+0x1ed/0x550 [ 78.804213][ T5834] __mutex_lock+0x19c/0x1010 [ 78.809334][ T5834] input_register_device+0xa8f/0x10c0 [ 78.815240][ T5834] uinput_create_device+0x40e/0x630 [ 78.821587][ T5834] uinput_ioctl_handler+0x488/0x1770 [ 78.827398][ T5834] __se_sys_ioctl+0xf5/0x170 [ 78.832514][ T5834] do_syscall_64+0xf3/0x230 [ 78.837555][ T5834] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 78.843977][ T5834] [ 78.843977][ T5834] -> #0 (&newdev->mutex){+.+.}-{4:4}: [ 78.851545][ T5834] validate_chain+0x18ef/0x5920 [ 78.856927][ T5834] __lock_acquire+0x1397/0x2100 [ 78.862311][ T5834] lock_acquire+0x1ed/0x550 [ 78.867347][ T5834] __mutex_lock+0x19c/0x1010 [ 78.872466][ T5834] uinput_request_submit+0x19c/0x740 [ 78.878283][ T5834] uinput_dev_upload_effect+0x199/0x240 [ 78.884445][ T5834] input_ff_upload+0x5ef/0xb20 [ 78.889751][ T5834] evdev_ioctl_handler+0x17c7/0x21b0 [ 78.895564][ T5834] __se_sys_ioctl+0xf5/0x170 [ 78.900677][ T5834] do_syscall_64+0xf3/0x230 [ 78.905713][ T5834] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 78.912135][ T5834] [ 78.912135][ T5834] other info that might help us debug this: [ 78.912135][ T5834] [ 78.922364][ T5834] Chain exists of: [ 78.922364][ T5834] &newdev->mutex --> &dev->mutex#2 --> &ff->mutex [ 78.922364][ T5834] [ 78.935442][ T5834] Possible unsafe locking scenario: [ 78.935442][ T5834] [ 78.942987][ T5834] CPU0 CPU1 [ 78.948357][ T5834] ---- ---- [ 78.953722][ T5834] lock(&ff->mutex); [ 78.957713][ T5834] lock(&dev->mutex#2); [ 78.964601][ T5834] lock(&ff->mutex); [ 78.971124][ T5834] lock(&newdev->mutex); [ 78.975463][ T5834] [ 78.975463][ T5834] *** DEADLOCK *** [ 78.975463][ T5834] [pid 5833] futex(0x7f4f94ba332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 78.983610][ T5834] 2 locks held by syz-executor228/5834: [ 78.989151][ T5834] #0: ffff888147aef118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_ioctl_handler+0x122/0x21b0 [ 78.999096][ T5834] #1: ffff8880287510b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x3ea/0xb20 [ 79.008346][ T5834] [ 79.008346][ T5834] stack backtrace: [ 79.014248][ T5834] CPU: 0 UID: 0 PID: 5834 Comm: syz-executor228 Not tainted 6.14.0-rc5-syzkaller-00137-g00a7d39898c8 #0 [ 79.014267][ T5834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 79.014280][ T5834] Call Trace: [ 79.014288][ T5834] [ 79.014296][ T5834] dump_stack_lvl+0x241/0x360 [ 79.014318][ T5834] ? __pfx_dump_stack_lvl+0x10/0x10 [ 79.014335][ T5834] ? __pfx__printk+0x10/0x10 [ 79.014354][ T5834] print_circular_bug+0x13a/0x1b0 [ 79.014374][ T5834] check_noncircular+0x36a/0x4a0 [ 79.014392][ T5834] ? kernel_text_address+0xa7/0xe0 [ 79.014412][ T5834] ? __pfx_check_noncircular+0x10/0x10 [ 79.014430][ T5834] ? lockdep_lock+0x123/0x2b0 [ 79.014455][ T5834] ? stack_trace_save+0x118/0x1d0 [ 79.014477][ T5834] validate_chain+0x18ef/0x5920 [ 79.014499][ T5834] ? lockdep_unlock+0x16a/0x300 [ 79.014524][ T5834] ? __pfx_validate_chain+0x10/0x10 [ 79.014541][ T5834] ? validate_chain+0x15c0/0x5920 [ 79.014567][ T5834] ? __pfx_validate_chain+0x10/0x10 [ 79.014586][ T5834] ? mark_lock+0x9a/0x360 [ 79.014600][ T5834] ? __pfx_stack_trace_save+0x10/0x10 [ 79.014621][ T5834] __lock_acquire+0x1397/0x2100 [ 79.014651][ T5834] lock_acquire+0x1ed/0x550 [ 79.014675][ T5834] ? uinput_request_submit+0x19c/0x740 [ 79.014702][ T5834] ? __pfx_lock_acquire+0x10/0x10 [ 79.014727][ T5834] ? __pfx___might_resched+0x10/0x10 [ 79.014754][ T5834] __mutex_lock+0x19c/0x1010 [ 79.014778][ T5834] ? uinput_request_submit+0x19c/0x740 [ 79.014804][ T5834] ? uinput_request_submit+0x19c/0x740 [ 79.014827][ T5834] ? __pfx_lock_release+0x10/0x10 [ 79.014851][ T5834] ? __pfx___mutex_lock+0x10/0x10 [ 79.014882][ T5834] ? _raw_spin_unlock+0x28/0x50 [ 79.014900][ T5834] ? uinput_request_alloc_id+0x3c5/0x3f0 [ 79.014924][ T5834] uinput_request_submit+0x19c/0x740 [ 79.014948][ T5834] ? __pfx___might_resched+0x10/0x10 [ 79.014970][ T5834] ? __pfx_uinput_request_submit+0x10/0x10 [ 79.014994][ T5834] ? rcu_is_watching+0x15/0xb0 [ 79.015012][ T5834] ? trace_contention_end+0x3c/0x120 [ 79.015030][ T5834] ? __mutex_lock+0x397/0x1010 [ 79.015055][ T5834] uinput_dev_upload_effect+0x199/0x240 [ 79.015079][ T5834] ? __pfx_uinput_dev_upload_effect+0x10/0x10 [ 79.015110][ T5834] input_ff_upload+0x5ef/0xb20 [ 79.015136][ T5834] evdev_ioctl_handler+0x17c7/0x21b0 [ 79.015157][ T5834] ? __pfx_evdev_ioctl_handler+0x10/0x10 [ 79.015189][ T5834] ? __fget_files+0x2a/0x410 [ 79.015213][ T5834] ? __fget_files+0x2a/0x410 [ 79.015237][ T5834] ? __pfx_evdev_ioctl+0x10/0x10 [ 79.015254][ T5834] __se_sys_ioctl+0xf5/0x170 [ 79.015272][ T5834] do_syscall_64+0xf3/0x230 [ 79.015296][ T5834] ? clear_bhb_loop+0x35/0x90 [ 79.015321][ T5834] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 79.015349][ T5834] RIP: 0033:0x7f4f94b1c2a9 [ 79.015367][ T5834] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 79.015380][ T5834] RSP: 002b:00007f4f94ad4218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 79.015396][ T5834] RAX: ffffffffffffffda RBX: 00007f4f94ba3328 RCX: 00007f4f94b1c2a9 [ 79.015408][ T5834] RDX: 0000400000000180 RSI: 0000000040304580 RDI: 0000000000000004 [ 79.015419][ T5834] RBP: 00007f4f94ba3320 R08: 0000000000000001 R09: 0000000000000000 [ 79.015429][ T5834] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4f94b70074 [ 79.015439][ T5834] R13: 0000400000000280 R14: 00004000000000c0 R15: 0000400000000180 [ 79.015457][ T5834] [pid 5833] exit_group(0) = ? [pid 5832] kill(-5833, SIGKILL) = 0 [pid 5832] kill(5833, SIGKILL) = 0 [pid 5832] openat(AT_FDCWD, "/sys/fs/fuse/connections", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 5832] newfstatat(3, "", {st_mode=S_IFDIR|0755, st_size=0, ...}, AT_EMPTY_PATH) = 0 [pid 5832] getdents64(3, 0x55558f842730 /* 2 entries */, 32768) = 48 [pid 5832] getdents64(3, 0x55558f842730 /* 0 entries */, 32768) = 0 [pid 5832] close(3) = 0