From: syzbot <syzbot+d4c06e848a1c1f9f726f@syzkaller.appspotmail.com>
To: aha310510@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] possible deadlock in input_event (2)
Date: Sat, 20 Apr 2024 00:35:06 -0700
Message-ID: <0000000000003e2cbe0616823e60@google.com>
In-Reply-To: <20240420061505.62849-1-aha310510@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
inconsistent lock state in valid_state

================================
WARNING: inconsistent lock state
6.9.0-rc4-syzkaller-00214-g13a2e429f644-dirty #0 Not tainted
--------------------------------
inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
syz-executor.0/5511 [HC0[0]:SC0[0]:HE0:SE1] takes:
ffff88801bbe3230 (&dev->event_lock#2){?...}-{2:2}, at: input_inject_event+0xc5/0x340 drivers/input/input.c:460
{IN-HARDIRQ-W} state was registered at:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
input_event+0x91/0xd0 drivers/input/input.c:434
input_report_key include/linux/input.h:425 [inline]
psmouse_report_standard_buttons drivers/input/mouse/psmouse-base.c:128 [inline]
psmouse_report_standard_packet+0x54/0x200 drivers/input/mouse/psmouse-base.c:146
psmouse_process_byte+0x48c/0x680 drivers/input/mouse/psmouse-base.c:237
psmouse_handle_byte+0x49/0x4c0 drivers/input/mouse/psmouse-base.c:279
ps2_interrupt+0x17c/0x8e0 drivers/input/serio/libps2.c:613
serio_interrupt+0x90/0x140 drivers/input/serio/serio.c:998
i8042_interrupt+0x375/0x770 drivers/input/serio/i8042.c:606
__handle_irq_event_percpu+0x29a/0xa80 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0x89/0x1f0 kernel/irq/handle.c:210
handle_edge_irq+0x25f/0xc20 kernel/irq/chip.c:831
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq arch/x86/kernel/irq.c:238 [inline]
__common_interrupt+0x138/0x230 arch/x86/kernel/irq.c:257
common_interrupt+0xa5/0xd0 arch/x86/kernel/irq.c:247
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock_irqrestore+0xd8/0x140 kernel/locking/spinlock.c:194
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
i8042_command drivers/input/serio/i8042.c:356 [inline]
i8042_aux_write+0x116/0x1a0 drivers/input/serio/i8042.c:391
serio_write include/linux/serio.h:125 [inline]
ps2_do_sendbyte+0x20f/0x730 drivers/input/serio/libps2.c:58
ps2_sendbyte+0x60/0x120 drivers/input/serio/libps2.c:113
cypress_ps2_sendbyte drivers/input/mouse/cypress_ps2.c:42 [inline]
cypress_ps2_read_cmd_status drivers/input/mouse/cypress_ps2.c:116 [inline]
cypress_send_ext_cmd+0x221/0x910 drivers/input/mouse/cypress_ps2.c:189
cypress_detect+0x93/0x230 drivers/input/mouse/cypress_ps2.c:205
psmouse_do_detect drivers/input/mouse/psmouse-base.c:1006 [inline]
psmouse_try_protocol drivers/input/mouse/psmouse-base.c:1020 [inline]
psmouse_extensions+0xc2e/0x1560 drivers/input/mouse/psmouse-base.c:1143
psmouse_switch_protocol+0x308/0x7d0 drivers/input/mouse/psmouse-base.c:1537
psmouse_connect+0x8e4/0x14b0 drivers/input/mouse/psmouse-base.c:1626
serio_connect_driver drivers/input/serio/serio.c:44 [inline]
serio_driver_probe+0x7f/0xa0 drivers/input/serio/serio.c:775
really_probe+0x2b8/0xad0 drivers/base/dd.c:656
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x430 drivers/base/dd.c:828
__driver_attach+0x45f/0x710 drivers/base/dd.c:1214
bus_for_each_dev+0x239/0x2b0 drivers/base/bus.c:368
serio_attach_driver drivers/input/serio/serio.c:804 [inline]
serio_handle_event+0x1c7/0x920 drivers/input/serio/serio.c:224
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa10/0x17c0 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
irq event stamp: 1274
hardirqs last enabled at (1273): [<ffffffff8b8f8b1f>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (1273): [<ffffffff8b8f8b1f>] _raw_spin_unlock_irqrestore+0x8f/0x140 kernel/locking/spinlock.c:194
hardirqs last disabled at (1274): [<ffffffff8b8f8820>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (1274): [<ffffffff8b8f8820>] _raw_spin_lock_irqsave+0xb0/0x120 kernel/locking/spinlock.c:162
softirqs last enabled at (0): [<ffffffff8157a613>] rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
softirqs last enabled at (0): [<ffffffff8157a613>] rcu_read_lock include/linux/rcupdate.h:781 [inline]
softirqs last enabled at (0): [<ffffffff8157a613>] copy_process+0xa03/0x3df0 kernel/fork.c:2259
softirqs last disabled at (0): [<0000000000000000>] 0x0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&dev->event_lock#2);
  <Interrupt>
    lock(&dev->event_lock#2);

 *** DEADLOCK ***

5 locks held by syz-executor.0/5511:
#0: ffff8880249f5110 (&evdev->mutex){+.+.}-{3:3}, at: evdev_write+0x272/0x7c0 drivers/input/evdev.c:513
#1: ffff88801bbe3230 (&dev->event_lock#2){?...}-{2:2}, at: input_inject_event+0xc5/0x340 drivers/input/input.c:460
#2: ffffffff8e334de0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#2: ffffffff8e334de0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
#2: ffffffff8e334de0 (rcu_read_lock){....}-{1:2}, at: input_inject_event+0xd5/0x340 drivers/input/input.c:462
#3: ffffffff8e334de0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#3: ffffffff8e334de0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
#3: ffffffff8e334de0 (rcu_read_lock){....}-{1:2}, at: input_pass_values+0x9d/0x1200 drivers/input/input.c:153
#4: ffffffff8e334de0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#4: ffffffff8e334de0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
#4: ffffffff8e334de0 (rcu_read_lock){....}-{1:2}, at: evdev_events+0x6f/0x300 drivers/input/evdev.c:298
stack backtrace:
CPU: 1 PID: 5511 Comm: syz-executor.0 Not tainted 6.9.0-rc4-syzkaller-00214-g13a2e429f644-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
valid_state+0x13a/0x1c0 kernel/locking/lockdep.c:4013
mark_lock_irq+0xbb/0xc20 kernel/locking/lockdep.c:4216
mark_lock+0x223/0x350 kernel/locking/lockdep.c:4678
mark_held_locks kernel/locking/lockdep.c:4274 [inline]
__trace_hardirqs_on_caller kernel/locking/lockdep.c:4292 [inline]
lockdep_hardirqs_on_prepare+0x282/0x780 kernel/locking/lockdep.c:4359
trace_hardirqs_on+0x28/0x40 kernel/trace/trace_preemptirq.c:61
__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
_raw_spin_unlock_irq+0x23/0x50 kernel/locking/spinlock.c:202
spin_unlock_irq include/linux/spinlock.h:401 [inline]
evdev_pass_values+0xa28/0xad0 drivers/input/evdev.c:281
evdev_events+0x1c2/0x300 drivers/input/evdev.c:306
input_to_handler drivers/input/input.c:129 [inline]
input_pass_values+0x84d/0x1200 drivers/input/input.c:161
input_event_dispose+0x36c/0x650 drivers/input/input.c:378
input_handle_event+0xa71/0xbe0 drivers/input/input.c:406
input_inject_event+0x22f/0x340 drivers/input/input.c:465
evdev_write+0x672/0x7c0 drivers/input/evdev.c:530
vfs_write+0x2a4/0xcb0 fs/read_write.c:588
ksys_write+0x1a0/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2d3287de69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2d3363a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f2d329abf80 RCX: 00007f2d3287de69
RDX: 0000000000002250 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00007f2d328ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f2d329abf80 R15: 00007fff20752928
</TASK>
------------[ cut here ]------------
raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 1 PID: 5511 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x29/0x40 kernel/locking/irqflag-debug.c:10
Modules linked in:
CPU: 1 PID: 5511 Comm: syz-executor.0 Not tainted 6.9.0-rc4-syzkaller-00214-g13a2e429f644-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:warn_bogus_irq_restore+0x29/0x40 kernel/locking/irqflag-debug.c:10
Code: 90 f3 0f 1e fa 90 80 3d 6f 98 0f 04 00 74 06 90 c3 cc cc cc cc c6 05 60 98 0f 04 01 90 48 c7 c7 a0 b0 ca 8b e8 c8 be d3 f5 90 <0f> 0b 90 90 90 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f
RSP: 0018:ffffc90004a67ab8 EFLAGS: 00010246
RAX: 40581f7928fa8d00 RBX: 1ffff9200094cf5c RCX: ffff888019f00000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90004a67b50 R08: ffffffff81588072 R09: fffffbfff1c39b48
R10: dffffc0000000000 R11: fffffbfff1c39b48 R12: dffffc0000000000
R13: 1ffff9200094cf58 R14: ffffc90004a67ae0 R15: 0000000000000246
FS: 00007f2d3363a6c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0861c15ff8 CR3: 000000002c376000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
_raw_spin_unlock_irqrestore+0x120/0x140 kernel/locking/spinlock.c:194
evdev_write+0x672/0x7c0 drivers/input/evdev.c:530
vfs_write+0x2a4/0xcb0 fs/read_write.c:588
ksys_write+0x1a0/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2d3287de69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2d3363a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f2d329abf80 RCX: 00007f2d3287de69
RDX: 0000000000002250 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00007f2d328ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f2d329abf80 R15: 00007fff20752928
</TASK>
Tested on:
commit: 13a2e429 Merge tag 'perf-tools-fixes-for-v6.9-2024-04-..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15f2ff0b180000
kernel config: https://syzkaller.appspot.com/x/.config?x=c6e826cf3c9c6ffc
dashboard link: https://syzkaller.appspot.com/bug?extid=d4c06e848a1c1f9f726f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=179d4bab180000