./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1902458431 <...> Warning: Permanently added '10.128.0.144' (ED25519) to the list of known hosts. execve("./syz-executor1902458431", ["./syz-executor1902458431"], 0x7ffe976d81a0 /* 10 vars */) = 0 brk(NULL) = 0x55556be7b000 brk(0x55556be7bd00) = 0x55556be7bd00 arch_prctl(ARCH_SET_FS, 0x55556be7b380) = 0 set_tid_address(0x55556be7b650) = 5838 set_robust_list(0x55556be7b660, 24) = 0 rseq(0x55556be7bca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1902458431", 4096) = 28 getrandom("\x41\x70\xe2\x58\xb2\xda\x59\x2a", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556be7bd00 brk(0x55556be9cd00) = 0x55556be9cd00 brk(0x55556be9d000) = 0x55556be9d000 mprotect(0x7f626c7d1000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556be7b650) = 5839 ./strace-static-x86_64: Process 5839 attached [pid 5839] set_robust_list(0x55556be7b660, 24) = 0 [pid 5839] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5839] setpgid(0, 0) = 0 [pid 5839] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5839] write(3, "1000", 4) = 4 [pid 5839] close(3) = 0 executing program [pid 5839] write(1, "executing program\n", 18) = 18 [pid 5839] openat(AT_FDCWD, "/dev/uinput", O_RDWR) = 3 [pid 5839] ioctl(3, UI_DEV_SETUP, 0x200000000280) = 0 [pid 5839] ioctl(3, UI_SET_FFBIT, 0x51) = 0 [pid 5839] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 [pid 5839] openat(AT_FDCWD, "/dev/input/event4", O_RDONLY) = 4 [ 89.213162][ T5839] input: syz0 as /devices/virtual/input/input5 [ 89.250153][ T5839] [ 89.252515][ T5839] ====================================================== [ 89.259532][ T5839] WARNING: possible circular locking dependency detected [ 89.266564][ T5839] 6.15.0-next-20250605-syzkaller #0 Not tainted [ 89.272821][ T5839] ------------------------------------------------------ [ 89.279836][ T5839] syz-executor190/5839 is trying to acquire lock: [ 89.286251][ T5839] ffff88802771a870 (&newdev->mutex){+.+.}-{4:4}, at: uinput_request_submit+0x188/0x6f0 [ 89.295961][ T5839] [ 89.295961][ T5839] but task is already holding lock: [ 89.303323][ T5839] ffff8880284d90b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x398/0xae0 [ 89.312117][ T5839] [ 89.312117][ T5839] which lock already depends on the new lock. [ 89.312117][ T5839] [ 89.322520][ T5839] [ 89.322520][ T5839] the existing dependency chain (in reverse order) is: [ 89.331535][ T5839] [ 89.331535][ T5839] -> #3 (&ff->mutex){+.+.}-{4:4}: [ 89.338751][ T5839] lock_acquire+0x120/0x360 [ 89.343785][ T5839] __mutex_lock+0x182/0xe80 [ 89.348818][ T5839] input_ff_flush+0x5e/0x140 [ 89.353930][ T5839] input_flush_device+0xa6/0xd0 [ 89.359300][ T5839] evdev_release+0xe1/0x800 [ 89.364330][ T5839] __fput+0x449/0xa70 [ 89.368845][ T5839] fput_close_sync+0x119/0x200 [ 89.374149][ T5839] __x64_sys_close+0x7f/0x110 [ 89.379347][ T5839] do_syscall_64+0xfa/0x3b0 [ 89.384375][ T5839] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.390786][ T5839] [ 89.390786][ T5839] -> #2 (&dev->mutex#2){+.+.}-{4:4}: [ 89.398270][ T5839] lock_acquire+0x120/0x360 [ 89.403315][ T5839] __mutex_lock+0x182/0xe80 [ 89.408338][ T5839] input_register_handle+0x18f/0x4c0 [ 89.414152][ T5839] kbd_connect+0xc3/0x140 [ 89.419003][ T5839] input_register_device+0xceb/0x10b0 [ 89.424895][ T5839] acpi_button_add+0x6b1/0xb50 [ 89.430268][ T5839] acpi_device_probe+0xa5/0x2d0 [ 89.435640][ T5839] really_probe+0x26a/0x9a0 [ 89.440667][ T5839] __driver_probe_device+0x18c/0x2f0 [ 89.446476][ T5839] driver_probe_device+0x4f/0x430 [ 89.452116][ T5839] __driver_attach+0x452/0x700 [ 89.457412][ T5839] bus_for_each_dev+0x230/0x2b0 [ 89.462794][ T5839] bus_add_driver+0x345/0x640 [ 89.467999][ T5839] driver_register+0x23a/0x320 [ 89.473292][ T5839] do_one_initcall+0x233/0x820 [ 89.478574][ T5839] do_initcall_level+0x137/0x1f0 [ 89.484074][ T5839] do_initcalls+0x69/0xd0 [ 89.488934][ T5839] kernel_init_freeable+0x3d9/0x570 [ 89.494661][ T5839] kernel_init+0x1d/0x1d0 [ 89.499604][ T5839] ret_from_fork+0x3f9/0x770 [ 89.504717][ T5839] ret_from_fork_asm+0x1a/0x30 [ 89.510003][ T5839] [ 89.510003][ T5839] -> #1 (input_mutex){+.+.}-{4:4}: [ 89.517310][ T5839] lock_acquire+0x120/0x360 [ 89.522338][ T5839] __mutex_lock+0x182/0xe80 [ 89.527362][ T5839] input_register_device+0xa74/0x10b0 [ 89.533259][ T5839] uinput_create_device+0x422/0x670 [ 89.538975][ T5839] uinput_ioctl_handler+0x3f0/0x1570 [ 89.544779][ T5839] __se_sys_ioctl+0xfc/0x170 [ 89.549902][ T5839] do_syscall_64+0xfa/0x3b0 [ 89.554942][ T5839] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.561357][ T5839] [ 89.561357][ T5839] -> #0 (&newdev->mutex){+.+.}-{4:4}: [ 89.568918][ T5839] validate_chain+0xb9b/0x2140 [ 89.574199][ T5839] __lock_acquire+0xab9/0xd20 [ 89.579413][ T5839] lock_acquire+0x120/0x360 [ 89.584435][ T5839] __mutex_lock+0x182/0xe80 [ 89.589478][ T5839] uinput_request_submit+0x188/0x6f0 [ 89.595292][ T5839] uinput_dev_upload_effect+0x150/0x1e0 [ 89.601356][ T5839] input_ff_upload+0x5fc/0xae0 [ 89.606740][ T5839] evdev_ioctl_handler+0x1644/0x1f10 [ 89.612569][ T5839] __se_sys_ioctl+0xfc/0x170 [ 89.617774][ T5839] do_syscall_64+0xfa/0x3b0 [ 89.622798][ T5839] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.629211][ T5839] [ 89.629211][ T5839] other info that might help us debug this: [ 89.629211][ T5839] [ 89.639468][ T5839] Chain exists of: [ 89.639468][ T5839] &newdev->mutex --> &dev->mutex#2 --> &ff->mutex [ 89.639468][ T5839] [ 89.651909][ T5839] Possible unsafe locking scenario: [ 89.651909][ T5839] [ 89.659360][ T5839] CPU0 CPU1 [ 89.664737][ T5839] ---- ---- [ 89.670096][ T5839] lock(&ff->mutex); [ 89.674081][ T5839] lock(&dev->mutex#2); [ 89.680853][ T5839] lock(&ff->mutex); [ 89.687358][ T5839] lock(&newdev->mutex); [ 89.691692][ T5839] [ 89.691692][ T5839] *** DEADLOCK *** [ 89.691692][ T5839] [ 89.699829][ T5839] 2 locks held by syz-executor190/5839: [ 89.705365][ T5839] #0: ffff888141688118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_ioctl_handler+0x121/0x1f10 [ 89.715293][ T5839] #1: ffff8880284d90b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x398/0xae0 [ 89.724532][ T5839] [ 89.724532][ T5839] stack backtrace: [ 89.730437][ T5839] CPU: 1 UID: 0 PID: 5839 Comm: syz-executor190 Not tainted 6.15.0-next-20250605-syzkaller #0 PREEMPT(full) [ 89.730455][ T5839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 89.730469][ T5839] Call Trace: [ 89.730477][ T5839] [ 89.730483][ T5839] dump_stack_lvl+0x189/0x250 [ 89.730500][ T5839] ? __pfx_dump_stack_lvl+0x10/0x10 [ 89.730512][ T5839] ? __pfx__printk+0x10/0x10 [ 89.730527][ T5839] ? print_lock_name+0xde/0x100 [ 89.730542][ T5839] print_circular_bug+0x2ee/0x310 [ 89.730557][ T5839] check_noncircular+0x134/0x160 [ 89.730573][ T5839] validate_chain+0xb9b/0x2140 [ 89.730588][ T5839] ? stack_trace_save+0x9c/0xe0 [ 89.730602][ T5839] ? __pfx_stack_trace_save+0x10/0x10 [ 89.730616][ T5839] ? __pfx_hlock_conflict+0x10/0x10 [ 89.730632][ T5839] __lock_acquire+0xab9/0xd20 [ 89.730653][ T5839] ? uinput_request_submit+0x188/0x6f0 [ 89.730666][ T5839] lock_acquire+0x120/0x360 [ 89.730684][ T5839] ? uinput_request_submit+0x188/0x6f0 [ 89.730702][ T5839] __mutex_lock+0x182/0xe80 [ 89.730717][ T5839] ? uinput_request_submit+0x188/0x6f0 [ 89.730731][ T5839] ? uinput_request_alloc_id+0x2f/0x400 [ 89.730746][ T5839] ? uinput_request_submit+0x188/0x6f0 [ 89.730760][ T5839] ? __pfx___mutex_lock+0x10/0x10 [ 89.730776][ T5839] ? do_raw_spin_unlock+0x122/0x240 [ 89.730793][ T5839] ? _raw_spin_unlock+0x28/0x50 [ 89.730813][ T5839] ? uinput_request_alloc_id+0x3cf/0x400 [ 89.730827][ T5839] uinput_request_submit+0x188/0x6f0 [ 89.730841][ T5839] ? __mutex_trylock_common+0x153/0x260 [ 89.730855][ T5839] ? __pfx_uinput_request_submit+0x10/0x10 [ 89.730870][ T5839] ? rcu_is_watching+0x15/0xb0 [ 89.730892][ T5839] ? trace_contention_end+0x39/0x120 [ 89.730905][ T5839] ? __mutex_lock+0x330/0xe80 [ 89.730922][ T5839] uinput_dev_upload_effect+0x150/0x1e0 [ 89.730936][ T5839] ? __pfx_uinput_dev_upload_effect+0x10/0x10 [ 89.730957][ T5839] input_ff_upload+0x5fc/0xae0 [ 89.730974][ T5839] evdev_ioctl_handler+0x1644/0x1f10 [ 89.730996][ T5839] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 89.731012][ T5839] ? __pfx_evdev_ioctl_handler+0x10/0x10 [ 89.731033][ T5839] ? _raw_spin_lock_irq+0xae/0xf0 [ 89.731063][ T5839] ? __pfx_ptrace_notify+0x10/0x10 [ 89.731086][ T5839] ? bpf_lsm_file_ioctl+0x9/0x20 [ 89.731107][ T5839] ? __pfx_evdev_ioctl+0x10/0x10 [ 89.731129][ T5839] __se_sys_ioctl+0xfc/0x170 [ 89.731150][ T5839] do_syscall_64+0xfa/0x3b0 [ 89.731166][ T5839] ? lockdep_hardirqs_on+0x9c/0x150 [ 89.731179][ T5839] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.731192][ T5839] ? clear_bhb_loop+0x60/0xb0 [ 89.731207][ T5839] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.731221][ T5839] RIP: 0033:0x7f626c75e9b9 [ 89.731237][ T5839] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 89.731252][ T5839] RSP: 002b:00007fff695b26c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 89.731266][ T5839] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f626c75e9b9 [ 89.731276][ T5839] RDX: 0000200000000300 RSI: 0000000040304580 RDI: 0000000000000004 [ 89.731285][ T5839] RBP: 00007f626c7d15f0 R08: 0000000000000006 R09: 0000000000000006 [ 89.731294][ T5839] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000001 [ 89.731301][ T5839] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 89.731316][ T5839] [ 91.957298][ T9] cfg80211: failed to load regulatory.db [pid 5839] ioctl(4, EVIOCSFF, {type=FF_RUMBLE, id=-1, direction=0, ...} [pid 5838] kill(-5839, SIGKILL) = 0 [pid 5838] kill(5839, SIGKILL) = 0 [pid 5838] openat(AT_FDCWD, "/sys/fs/fuse/connections", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 5838] newfstatat(3, "", {st_mode=S_IFDIR|0755, st_size=0, ...}, AT_EMPTY_PATH) = 0 [pid 5838] getdents64(3, 0x55556be7c6f0 /* 2 entries */, 32768) = 48 [pid 5838] getdents64(3, 0x55556be7c6f0 /* 0 entries */, 32768) = 0 [pid 5838] close(3) = 0