From: syzbot <syzbot+ed7c6209f62eba1565aa@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [input?] possible deadlock in input_ff_flush
Date: Mon, 06 Jan 2025 03:27:04 -0800 [thread overview]
Message-ID: <677bbe08.050a0220.3b3668.0008.GAE@google.com> (raw)
In-Reply-To: <20250106110825.1430-1-hdanton@sina.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in evdev_cleanup
======================================================
WARNING: possible circular locking dependency detected
6.13.0-rc6-syzkaller-g9d89551994a4-dirty #0 Not tainted
------------------------------------------------------
syz.1.17/6488 is trying to acquire lock:
ffff888035d51118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_mark_dead drivers/input/evdev.c:1311 [inline]
ffff888035d51118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_cleanup+0x21/0x1a0 drivers/input/evdev.c:1320
but task is already holding lock:
ffffffff8f7250e8 (input_mutex){+.+.}-{4:4}, at: __input_unregister_device+0x136/0x450 drivers/input/input.c:2271
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (input_mutex){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
input_register_device+0x98a/0x1110 drivers/input/input.c:2462
uinput_create_device drivers/input/misc/uinput.c:365 [inline]
uinput_ioctl_handler.isra.0+0x130c/0x1d70 drivers/input/misc/uinput.c:918
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #2 (&newdev->mutex){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
uinput_request_send drivers/input/misc/uinput.c:151 [inline]
uinput_request_submit.part.0+0x25/0x2e0 drivers/input/misc/uinput.c:182
uinput_request_submit drivers/input/misc/uinput.c:179 [inline]
uinput_dev_upload_effect+0x175/0x1f0 drivers/input/misc/uinput.c:257
input_ff_upload+0x55b/0xbf0 drivers/input/ff-core.c:152
evdev_do_ioctl+0xf45/0x1ae0 drivers/input/evdev.c:1181
evdev_ioctl_handler drivers/input/evdev.c:1270 [inline]
evdev_ioctl+0x16a/0x1a0 drivers/input/evdev.c:1279
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (&ff->mutex){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
input_ff_flush+0x63/0x170 drivers/input/ff-core.c:242
uinput_dev_flush+0x2a/0x40 drivers/input/misc/uinput.c:283
input_flush_device+0x6e/0xa0 drivers/input/input.c:647
evdev_release+0x33d/0x400 drivers/input/evdev.c:435
__fput+0x3f8/0xb60 fs/file_table.c:450
__fput_sync+0xa1/0xc0 fs/file_table.c:535
__do_sys_close fs/open.c:1554 [inline]
__se_sys_close fs/open.c:1539 [inline]
__x64_sys_close+0x86/0x100 fs/open.c:1539
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&evdev->mutex){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
__lock_acquire+0x249e/0x3c40 kernel/locking/lockdep.c:5226
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
evdev_mark_dead drivers/input/evdev.c:1311 [inline]
evdev_cleanup+0x21/0x1a0 drivers/input/evdev.c:1320
evdev_disconnect+0x48/0xb0 drivers/input/evdev.c:1404
__input_unregister_device+0x1d5/0x450 drivers/input/input.c:2274
input_unregister_device+0xb9/0x100 drivers/input/input.c:2510
uinput_destroy_device+0x1f4/0x260 drivers/input/misc/uinput.c:299
uinput_release+0x34/0x50 drivers/input/misc/uinput.c:758
__fput+0x3f8/0xb60 fs/file_table.c:450
task_work_run+0x14e/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&evdev->mutex --> &newdev->mutex --> input_mutex
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(input_mutex);
lock(&newdev->mutex);
lock(input_mutex);
lock(&evdev->mutex);
*** DEADLOCK ***
1 lock held by syz.1.17/6488:
#0: ffffffff8f7250e8 (input_mutex){+.+.}-{4:4}, at: __input_unregister_device+0x136/0x450 drivers/input/input.c:2271
stack backtrace:
CPU: 1 UID: 0 PID: 6488 Comm: syz.1.17 Not tainted 6.13.0-rc6-syzkaller-g9d89551994a4-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_circular_bug+0x419/0x5d0 kernel/locking/lockdep.c:2074
check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
__lock_acquire+0x249e/0x3c40 kernel/locking/lockdep.c:5226
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
evdev_mark_dead drivers/input/evdev.c:1311 [inline]
evdev_cleanup+0x21/0x1a0 drivers/input/evdev.c:1320
evdev_disconnect+0x48/0xb0 drivers/input/evdev.c:1404
__input_unregister_device+0x1d5/0x450 drivers/input/input.c:2274
input_unregister_device+0xb9/0x100 drivers/input/input.c:2510
uinput_destroy_device+0x1f4/0x260 drivers/input/misc/uinput.c:299
uinput_release+0x34/0x50 drivers/input/misc/uinput.c:758
__fput+0x3f8/0xb60 fs/file_table.c:450
task_work_run+0x14e/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f00f5385d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdc4d0ae08 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007f00f5577ba0 RCX: 00007f00f5385d29
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007f00f5577ba0 R08: 0000000000000000 R09: 00007ffdc4d0b0ff
R10: 00007f00f5577ac0 R11: 0000000000000246 R12: 0000000000012434
R13: 00007ffdc4d0af10 R14: 0000000000000032 R15: ffffffffffffffff
</TASK>
Tested on:
commit: 9d895519 Linux 6.13-rc6
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=172936f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7bdfbaac3fbb90d6
dashboard link: https://syzkaller.appspot.com/bug?extid=ed7c6209f62eba1565aa
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10ab3418580000
next prev parent reply other threads:[~2025-01-06 11:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-05 12:40 [syzbot] [input?] possible deadlock in input_ff_flush syzbot
2025-01-06 10:29 ` Hillf Danton
2025-01-06 10:50 ` syzbot
2025-01-06 10:29 ` [syzbot] " syzbot
2025-01-06 11:08 ` Hillf Danton
2025-01-06 11:27 ` syzbot [this message]
2025-01-07 10:45 ` Hillf Danton
2025-07-26 18:46 ` syzbot
2025-07-27 3:59 ` Hillf Danton
2025-07-27 4:48 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=677bbe08.050a0220.3b3668.0008.GAE@google.com \
--to=syzbot+ed7c6209f62eba1565aa@syzkaller.appspotmail.com \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.