* [syzbot] [input?] possible deadlock in input_ff_flush
@ 2025-01-05 12:40 syzbot
From: syzbot @ 2025-01-05 12:40 UTC (permalink / raw)
To: dmitry.torokhov, linux-input, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: ccb98ccef0e5 Merge tag 'platform-drivers-x86-v6.13-4' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1613fac4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dc863cc90857c683
dashboard link: https://syzkaller.appspot.com/bug?extid=ed7c6209f62eba1565aa
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17bd56df980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-ccb98cce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1f85617cae1e/vmlinux-ccb98cce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0dc4d6c6c931/bzImage-ccb98cce.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ed7c6209f62eba1565aa@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0 Not tainted
------------------------------------------------------
udevd/5941 is trying to acquire lock:
ffff8880293600b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_flush+0x63/0x170 drivers/input/ff-core.c:242
but task is already holding lock:
ffff88804d45b2c0 (&dev->mutex#2){+.+.}-{4:4}, at: input_flush_device+0x4b/0xd0 drivers/input/input.c:647
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&dev->mutex#2){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
input_register_handle+0xca/0x5e0 drivers/input/input.c:2725
kbd_connect+0xca/0x160 drivers/tty/vt/keyboard.c:1587
input_attach_handler.isra.0+0x181/0x260 drivers/input/input.c:1032
input_register_device+0xa84/0x1110 drivers/input/input.c:2475
acpi_button_add+0x57a/0xb70 drivers/acpi/button.c:615
acpi_device_probe+0xc6/0x330 drivers/acpi/bus.c:1076
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__driver_attach+0x283/0x580 drivers/base/dd.c:1216
bus_for_each_dev+0x13c/0x1d0 drivers/base/bus.c:370
bus_add_driver+0x2e9/0x690 drivers/base/bus.c:675
driver_register+0x15c/0x4b0 drivers/base/driver.c:246
__acpi_bus_register_driver+0xdf/0x130 drivers/acpi/bus.c:1027
acpi_button_register_driver drivers/acpi/button.c:745 [inline]
acpi_button_driver_init+0x82/0x110 drivers/acpi/button.c:754
do_one_initcall+0x128/0x700 init/main.c:1266
do_initcall_level init/main.c:1328 [inline]
do_initcalls init/main.c:1344 [inline]
do_basic_setup init/main.c:1363 [inline]
kernel_init_freeable+0x5c7/0x900 init/main.c:1577
kernel_init+0x1c/0x2b0 init/main.c:1466
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #2 (input_mutex){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
input_register_device+0x98a/0x1110 drivers/input/input.c:2468
uinput_create_device drivers/input/misc/uinput.c:365 [inline]
uinput_ioctl_handler.isra.0+0x130c/0x1d70 drivers/input/misc/uinput.c:918
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (&newdev->mutex){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
uinput_request_send drivers/input/misc/uinput.c:151 [inline]
uinput_request_submit.part.0+0x25/0x2e0 drivers/input/misc/uinput.c:182
uinput_request_submit drivers/input/misc/uinput.c:179 [inline]
uinput_dev_upload_effect+0x175/0x1f0 drivers/input/misc/uinput.c:257
input_ff_upload+0x55b/0xbf0 drivers/input/ff-core.c:152
evdev_do_ioctl+0xf45/0x1ae0 drivers/input/evdev.c:1181
evdev_ioctl_handler drivers/input/evdev.c:1270 [inline]
evdev_ioctl+0x16a/0x1a0 drivers/input/evdev.c:1279
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&ff->mutex){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
__lock_acquire+0x249e/0x3c40 kernel/locking/lockdep.c:5226
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
input_ff_flush+0x63/0x170 drivers/input/ff-core.c:242
uinput_dev_flush+0x2a/0x40 drivers/input/misc/uinput.c:283
input_flush_device+0x97/0xd0 drivers/input/input.c:652
evdev_release+0x33d/0x400 drivers/input/evdev.c:435
__fput+0x3f8/0xb60 fs/file_table.c:450
__fput_sync+0xa1/0xc0 fs/file_table.c:535
__do_sys_close fs/open.c:1554 [inline]
__se_sys_close fs/open.c:1539 [inline]
__x64_sys_close+0x86/0x100 fs/open.c:1539
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&ff->mutex --> input_mutex --> &dev->mutex#2
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&dev->mutex#2);
lock(input_mutex);
lock(&dev->mutex#2);
lock(&ff->mutex);
*** DEADLOCK ***
2 locks held by udevd/5941:
#0: ffff888024d58118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_release+0x77/0x400 drivers/input/evdev.c:432
#1: ffff88804d45b2c0 (&dev->mutex#2){+.+.}-{4:4}, at: input_flush_device+0x4b/0xd0 drivers/input/input.c:647
stack backtrace:
CPU: 2 UID: 0 PID: 5941 Comm: udevd Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_circular_bug+0x419/0x5d0 kernel/locking/lockdep.c:2074
check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
__lock_acquire+0x249e/0x3c40 kernel/locking/lockdep.c:5226
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
input_ff_flush+0x63/0x170 drivers/input/ff-core.c:242
uinput_dev_flush+0x2a/0x40 drivers/input/misc/uinput.c:283
input_flush_device+0x97/0xd0 drivers/input/input.c:652
evdev_release+0x33d/0x400 drivers/input/evdev.c:435
__fput+0x3f8/0xb60 fs/file_table.c:450
__fput_sync+0xa1/0xc0 fs/file_table.c:535
__do_sys_close fs/open.c:1554 [inline]
__se_sys_close fs/open.c:1539 [inline]
__x64_sys_close+0x86/0x100 fs/open.c:1539
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1d757850a8
Code: 48 8b 05 83 9d 0d 00 64 c7 00 16 00 00 00 83 c8 ff 48 83 c4 20 5b c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 5b 48 8b 15 51 9d 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fffb61bcef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00007f1d756b10e0 RCX: 00007f1d757850a8
RDX: fffffffffffffe60 RSI: 0000000080184540 RDI: 0000000000000008
RBP: 00005620d7ea5160 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000016
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
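To make the "Chain exists of" summary above concrete, here is an added example (not part of the syzbot report, and not kernel code): a small lock-order graph in the spirit of lockdep's circular-dependency check, fed with the four lock classes and the acquisition orders named in the report's numbered entries. The lock names are the report's; the graph representation, the depth-first search and every function name are this example's own. A second mode leaves out the #1 edge (input_ff_upload taking uinput's request mutex under &ff->mutex), which models the argument made further down the thread that this edge cannot be exercised before the device is registered; the cycle then disappears, which is what a lockdep false positive looks like in graph terms.

```c
/*
 * Added example, not part of the syzbot report or of the kernel source:
 * a tiny lock-order graph checker in the spirit of lockdep's
 * circular-dependency detection, populated with the four lock classes and
 * the acquisition orders listed in the report. Lock names come from the
 * report; the graph, the DFS and the function names are this example's own.
 */
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8

enum lock_class {
	DEV_MUTEX2,	/* &dev->mutex#2  */
	INPUT_MUTEX,	/* input_mutex    */
	NEWDEV_MUTEX,	/* &newdev->mutex */
	FF_MUTEX,	/* &ff->mutex     */
	NR_LOCKS
};

static const char *const lock_name[NR_LOCKS] = {
	"&dev->mutex#2", "input_mutex", "&newdev->mutex", "&ff->mutex",
};

struct lock_graph {
	/* after[held][acq] != 0: lock 'acq' was taken while 'held' was held */
	unsigned char after[MAX_LOCKS][MAX_LOCKS];
};

static void add_dependency(struct lock_graph *g, int held, int acq)
{
	g->after[held][acq] = 1;
}

/*
 * Depth-first walk from 'cur' looking for a path back to 'start'.
 * Returns the number of locks on the cycle (0 if none); 'path' receives
 * them in acquisition order, beginning with 'start'.
 */
static int walk(const struct lock_graph *g, int start, int cur,
		unsigned char *visited, int *path, int depth)
{
	path[depth] = cur;
	for (int next = 0; next < NR_LOCKS; next++) {
		if (!g->after[cur][next])
			continue;
		if (next == start)
			return depth + 1;	/* closed the cycle */
		if (visited[next])
			continue;
		visited[next] = 1;
		int len = walk(g, start, next, visited, path, depth + 1);
		if (len)
			return len;
	}
	return 0;
}

static int find_cycle(const struct lock_graph *g, int start, int *path)
{
	unsigned char visited[MAX_LOCKS] = { 0 };

	visited[start] = 1;
	return walk(g, start, start, visited, path, 0);
}

/*
 * Each "-> #N (L)" block of the report is a place where L was acquired
 * with the next lock in the chain already held. 'with_upload_edge'
 * controls whether the #1 edge (uinput_dev_upload_effect taking
 * &newdev->mutex under &ff->mutex, via input_ff_upload) is included.
 */
static void build_reported_graph(struct lock_graph *g, int with_upload_edge)
{
	memset(g, 0, sizeof(*g));
	add_dependency(g, INPUT_MUTEX, DEV_MUTEX2);	/* #3: input_register_handle */
	add_dependency(g, NEWDEV_MUTEX, INPUT_MUTEX);	/* #2: input_register_device */
	if (with_upload_edge)
		add_dependency(g, FF_MUTEX, NEWDEV_MUTEX);	/* #1: uinput_request_send */
	add_dependency(g, DEV_MUTEX2, FF_MUTEX);	/* #0: input_ff_flush */
}

/* With every reported edge present, the cycle through &ff->mutex has 4 locks. */
int reported_cycle_length(void)
{
	struct lock_graph g;
	int path[MAX_LOCKS];

	build_reported_graph(&g, 1);
	return find_cycle(&g, FF_MUTEX, path);
}

/* With the #1 edge dropped, no cycle remains (returns 0). */
int cycle_length_without_upload_edge(void)
{
	struct lock_graph g;
	int path[MAX_LOCKS];

	build_reported_graph(&g, 0);
	return find_cycle(&g, FF_MUTEX, path);
}

int main(void)
{
	struct lock_graph g;
	int path[MAX_LOCKS];
	int len;

	build_reported_graph(&g, 1);
	len = find_cycle(&g, FF_MUTEX, path);
	printf("cycle of %d locks:", len);
	for (int i = 0; i < len; i++)
		printf(" %s ->", lock_name[path[i]]);
	printf(" %s\n", lock_name[FF_MUTEX]);
	printf("without the #1 edge: %d\n", cycle_length_without_upload_edge());
	return 0;
}
```

Run as-is, it prints the full four-lock cycle (&ff->mutex -> &newdev->mutex -> input_mutex -> &dev->mutex#2 -> &ff->mutex), which is the path the report summarises as "&ff->mutex --> input_mutex --> &dev->mutex#2". The point of the second mode is that lockdep reasons only about observed acquisition orders, not about whether two edges can ever be live at the same time, so an edge that is provably unreachable in practice still closes the cycle as far as the validator is concerned.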
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [syzbot] [input?] possible deadlock in input_ff_flush 2025-01-05 12:40 [syzbot] [input?] possible deadlock in input_ff_flush syzbot @ 2025-01-06 10:29 ` Hillf Danton 2025-01-06 10:50 ` syzbot 2025-01-07 10:45 ` Hillf Danton 2025-07-26 18:46 ` syzbot 2 siblings, 1 reply; 5+ messages in thread From: Hillf Danton @ 2025-01-06 10:29 UTC (permalink / raw) To: syzbot; +Cc: linux-input, syzkaller-bugs On Sun, 05 Jan 2025 04:40:19 -0800 > syzbot found the following issue on: > > HEAD commit: ccb98ccef0e5 Merge tag 'platform-drivers-x86-v6.13-4' of g.. > git tree: upstream > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17bd56df980000 #syz test --- x/drivers/input/input.c +++ y/drivers/input/input.c @@ -642,17 +642,11 @@ EXPORT_SYMBOL(input_open_device); int input_flush_device(struct input_handle *handle, struct file *file) { struct input_dev *dev = handle->dev; - int retval; - - retval = mutex_lock_interruptible(&dev->mutex); - if (retval) - return retval; if (dev->flush) - retval = dev->flush(dev, file); + return dev->flush(dev, file); - mutex_unlock(&dev->mutex); - return retval; + return 0; } EXPORT_SYMBOL(input_flush_device); -- ^ permalink raw reply [flat|nested] 5+ messages in thread
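Review bot: removing the mutex_lock_interruptible(&dev->mutex) / mutex_unlock(&dev->mutex) pair from input_flush_device() drops all serialization around the dev->flush() call instead of breaking only the reported &dev->mutex#2 -> &ff->mutex edge; per the "2 locks held by udevd/5941" list in the report, evdev_release() would now invoke dev->flush() with only &evdev->mutex held, so a driver flush callback such as uinput_dev_flush() that relied on dev->mutex for exclusion loses that guarantee. If the chain is considered a false positive (as the later reply argues, the #1 edge from input_ff_upload() cannot be exercised before the device is registered), the narrower change is to keep the lock and fix or annotate the ordering, and in any case the patch needs a commit message explaining why calling dev->flush() unlocked is safe. Note also that syzbot's test of this patch failed to boot for an unrelated reason (the workqueue WARNING in enable_work during cpuhp), so its effect on the splat was never verified.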
* Re: [syzbot] [input?] possible deadlock in input_ff_flush
@ 2025-01-06 10:50 syzbot
From: syzbot @ 2025-01-06 10:50 UTC (permalink / raw)
To: hdanton, linux-input, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
RCU Tasks: Setting shift to 3 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=8.
[ 1.320011][ T0] RCU Tasks Trace: Setting shift to 3 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=8.
[ 1.413544][ T0] NR_IRQS: 4352, nr_irqs: 488, preallocated irqs: 16
[ 1.417998][ T0] rcu: srcu_init: Setting srcu_struct sizes based on contention.
[ 1.422501][ T0] kfence: initialized - using 2097152 bytes for 255 objects at 0xffff88816da00000-0xffff88816dc00000
[ 1.452776][ T0] Console: colour VGA+ 80x25
[ 1.455468][ T0] printk: legacy console [ttyS0] enabled
[ 1.455468][ T0] printk: legacy console [ttyS0] enabled
[ 1.461552][ T0] printk: legacy bootconsole [earlyser0] disabled
[ 1.461552][ T0] printk: legacy bootconsole [earlyser0] disabled
[ 1.468502][ T0] Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
[ 1.473211][ T0] ... MAX_LOCKDEP_SUBCLASSES: 8
[ 1.475923][ T0] ... MAX_LOCK_DEPTH: 48
[ 1.478695][ T0] ... MAX_LOCKDEP_KEYS: 8192
[ 1.481553][ T0] ... CLASSHASH_SIZE: 4096
[ 1.484403][ T0] ... MAX_LOCKDEP_ENTRIES: 1048576
[ 1.487406][ T0] ... MAX_LOCKDEP_CHAINS: 1048576
[ 1.490409][ T0] ... CHAINHASH_SIZE: 524288
[ 1.493349][ T0] memory used by lock dependency info: 106625 kB
[ 1.496847][ T0] memory used for stack traces: 8320 kB
[ 1.499919][ T0] per task-struct memory footprint: 1920 bytes
[ 1.503473][ T0] mempolicy: Enabling automatic NUMA balancing.
Configure with numa_balancing= or the kernel.numa_balancing sysctl [ 1.510107][ T0] ACPI: Core revision 20240827 [ 1.513638][ T0] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604467 ns [ 1.519704][ T0] APIC: Switch to symmetric I/O mode setup [ 1.522913][ T0] DMAR: Host address width 39 [ 1.525474][ T0] DMAR: DRHD base: 0x000000fed90000 flags: 0x0 [ 1.528986][ T0] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap d2008c22260206 ecap f00f5e [ 1.534044][ T0] DMAR: ATSR flags: 0x1 [ 1.536335][ T0] DMAR-IR: IOAPIC id 0 under DRHD base 0xfed90000 IOMMU 0 [ 1.540418][ T0] DMAR-IR: Queued invalidation will be enabled to support x2apic and Intr-remapping. [ 1.548667][ T0] DMAR-IR: Enabled IRQ remapping in x2apic mode [ 1.552114][ T0] x2apic enabled [ 1.554491][ T0] APIC: Switched APIC routing to: cluster x2apic [ 1.557962][ T0] kvm-guest: APIC: send_IPI_mask() replaced with kvm_send_ipi_mask() [ 1.562568][ T0] kvm-guest: APIC: send_IPI_mask_allbutself() replaced with kvm_send_ipi_mask_allbutself() [ 1.567982][ T0] kvm-guest: setup PV IPIs [ 1.581704][ T0] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1 [ 1.585771][ T0] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x257a52d4118, max_idle_ns: 440795307231 ns [ 1.592018][ T0] Calibrating delay loop (skipped) preset value.. 5200.04 BogoMIPS (lpj=26000240) [ 1.598053][ T0] x86/cpu: User Mode Instruction Prevention (UMIP) activated [ 1.602772][ T0] Last level iTLB entries: 4KB 0, 2MB 0, 4MB 0 [ 1.606122][ T0] Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0 [ 1.612067][ T0] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization [ 1.617214][ T0] Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks! 
[ 1.622026][ T0] Spectre V2 : Spectre BHI mitigation: SW BHB clearing on syscall and VM exit [ 1.626659][ T0] Spectre V2 : Mitigation: Enhanced / Automatic IBRS [ 1.632013][ T0] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch [ 1.636821][ T0] Spectre V2 : Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT [ 1.641224][ T0] Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier [ 1.642068][ T0] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl [ 1.647090][ T0] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' [ 1.652014][ T0] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers' [ 1.655416][ T0] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers' [ 1.662016][ T0] x86/fpu: Supporting XSAVE feature 0x020: 'AVX-512 opmask' [ 1.665506][ T0] x86/fpu: Supporting XSAVE feature 0x040: 'AVX-512 Hi256' [ 1.668910][ T0] x86/fpu: Supporting XSAVE feature 0x080: 'AVX-512 ZMM_Hi256' [ 1.672015][ T0] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256 [ 1.675340][ T0] x86/fpu: xstate_offset[5]: 832, xstate_sizes[5]: 64 [ 1.678673][ T0] x86/fpu: xstate_offset[6]: 896, xstate_sizes[6]: 512 [ 1.682014][ T0] x86/fpu: xstate_offset[7]: 1408, xstate_sizes[7]: 1024 [ 1.685374][ T0] x86/fpu: Enabled xstate features 0xe7, context size is 2432 bytes, using 'compacted' format. [ 1.879449][ T0] Freeing SMP alternatives memory: 124K [ 1.882022][ T0] pid_max: default: 32768 minimum: 301 [ 1.884916][ T0] LSM: initializing lsm=lockdown,capability,landlock,yama,safesetid,tomoyo,selinux,bpf,ima,evm [ 1.890201][ T0] landlock: Up and running. [ 1.892017][ T0] Yama: becoming mindful. [ 1.894319][ T0] TOMOYO Linux initialized [ 1.896440][ T0] SELinux: Initializing. 
[ 1.900834][ T0] LSM support for eBPF active [ 1.904266][ T0] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes, vmalloc hugepage) [ 1.909837][ T0] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes, vmalloc hugepage) [ 1.912180][ T0] Mount-cache hash table entries: 8192 (order: 4, 65536 bytes, vmalloc) [ 1.916220][ T0] Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes, vmalloc) [ 1.924405][ T0] Running RCU synchronous self tests [ 1.926906][ T0] Running RCU synchronous self tests [ 1.932624][ T1] smpboot: CPU0: Intel(R) Xeon(R) CPU @ 2.60GHz (family: 0x6, model: 0x6a, stepping: 0x6) [ 1.939802][ T1] Running RCU Tasks wait API self tests [ 2.052170][ T1] Running RCU Tasks Trace wait API self tests [ 2.055195][ T1] Performance Events: unsupported p6 CPU model 106 no PMU driver, software events only. [ 2.059975][ T1] signal: max sigframe size: 3632 [ 2.062509][ T1] rcu: Hierarchical SRCU implementation. [ 2.065211][ T1] rcu: Max phase no-delay instances is 1000. [ 2.068674][ T1] Timer migration: 2 hierarchy levels; 8 children per group; 1 crossnode level [ 2.072179][ T15] Callback from call_rcu_tasks_trace() invoked. [ 2.078054][ T1] NMI watchdog: Perf NMI watchdog permanently disabled [ 2.082536][ T1] smp: Bringing up secondary CPUs ... [ 2.086533][ T1] smpboot: x86: Booting SMP configuration: [ 2.089356][ T1] .... 
node #0, CPUs: #2 [ 2.092529][ T22] ------------[ cut here ]------------ [ 2.096008][ T22] workqueue: work disable count underflowed [ 2.099729][ T22] WARNING: CPU: 2 PID: 22 at kernel/workqueue.c:4317 enable_work+0x2fa/0x340 [ 2.102006][ T22] Modules linked in: [ 2.102006][ T22] CPU: 2 UID: 0 PID: 22 Comm: cpuhp/2 Not tainted 6.13.0-rc6-syzkaller-g9d89551994a4-dirty #0 [ 2.102006][ T22] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 2.102006][ T22] RIP: 0010:enable_work+0x2fa/0x340 [ 2.102006][ T22] Code: 89 ee e8 49 d6 36 00 45 84 ed 0f 85 28 fe ff ff e8 9b db 36 00 c6 05 f2 9f e4 0e 01 90 48 c7 c7 00 da 6b 8b e8 57 12 f7 ff 90 <0f> 0b 90 90 e9 05 fe ff ff 48 89 ef e8 e5 7f 99 00 e9 a9 fe ff ff [ 2.102006][ T22] RSP: 0000:ffffc9000060fca0 EFLAGS: 00010082 [ 2.102006][ T22] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff815a5139 [ 2.102006][ T22] RDX: ffff88801d6dc880 RSI: ffffffff815a5146 RDI: 0000000000000001 [ 2.102006][ T22] RBP: ffff88806a838660 R08: 0000000000000001 R09: 0000000000000000 [ 2.102006][ T22] R10: 0000000000000000 R11: 0000000000000002 R12: 1ffff920000c1f95 [ 2.102006][ T22] R13: 0000000000000000 R14: 00000000000000c5 R15: ffffffff81dbfd90 [ 2.102006][ T22] FS: 0000000000000000(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000 [ 2.102006][ T22] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2.102006][ T22] CR2: 0000000000000000 CR3: 000000000df7e000 CR4: 0000000000350ef0 [ 2.102006][ T22] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2.102006][ T22] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2.102006][ T22] Call Trace: [ 2.102006][ T22] <TASK> [ 2.102006][ T22] ? __warn+0xea/0x3c0 [ 2.102006][ T22] ? enable_work+0x2fa/0x340 [ 2.102006][ T22] ? report_bug+0x3c0/0x580 [ 2.102006][ T22] ? handle_bug+0x54/0xa0 [ 2.102006][ T22] ? exc_invalid_op+0x17/0x50 [ 2.102006][ T22] ? asm_exc_invalid_op+0x1a/0x20 [ 2.102006][ T22] ? 
__pfx_vmstat_cpu_online+0x10/0x10 [ 2.102006][ T22] ? __warn_printk+0x199/0x350 [ 2.102006][ T22] ? __warn_printk+0x1a6/0x350 [ 2.102006][ T22] ? enable_work+0x2fa/0x340 [ 2.102006][ T22] ? __pfx_enable_work+0x10/0x10 [ 2.102006][ T22] vmstat_cpu_online+0x83/0xf0 [ 2.102006][ T22] cpuhp_invoke_callback+0x3d0/0xa10 [ 2.102006][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10 [ 2.102006][ T22] ? lock_acquire.part.0+0x350/0x380 [ 2.102006][ T22] ? cpuhp_next_state+0x100/0x1c0 [ 2.102006][ T22] cpuhp_thread_fun+0x480/0x6f0 [ 2.102006][ T22] ? __pfx_cpuhp_thread_fun+0x10/0x10 [ 2.102006][ T22] ? __pfx_cpuhp_thread_fun+0x10/0x10 [ 2.102006][ T22] ? smpboot_thread_fn+0x59d/0xa30 [ 2.102006][ T22] smpboot_thread_fn+0x661/0xa30 [ 2.102006][ T22] ? __kthread_parkme+0x148/0x220 [ 2.102006][ T22] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 2.102006][ T22] kthread+0x2c1/0x3a0 [ 2.102006][ T22] ? _raw_spin_unlock_irq+0x23/0x50 [ 2.102006][ T22] ? __pfx_kthread+0x10/0x10 [ 2.102006][ T22] ret_from_fork+0x45/0x80 [ 2.102006][ T22] ? __pfx_kthread+0x10/0x10 [ 2.102006][ T22] ret_from_fork_asm+0x1a/0x30 [ 2.102006][ T22] </TASK> [ 2.102006][ T22] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 2.102006][ T22] CPU: 2 UID: 0 PID: 22 Comm: cpuhp/2 Not tainted 6.13.0-rc6-syzkaller-g9d89551994a4-dirty #0 [ 2.102006][ T22] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 2.102006][ T22] Call Trace: [ 2.102006][ T22] <TASK> [ 2.102006][ T22] dump_stack_lvl+0x3d/0x1f0 [ 2.102006][ T22] panic+0x71d/0x800 [ 2.102006][ T22] ? __pfx_panic+0x10/0x10 [ 2.102006][ T22] ? show_trace_log_lvl+0x29d/0x3d0 [ 2.102006][ T22] ? check_panic_on_warn+0x1f/0xb0 [ 2.102006][ T22] ? enable_work+0x2fa/0x340 [ 2.102006][ T22] check_panic_on_warn+0xab/0xb0 [ 2.102006][ T22] __warn+0xf6/0x3c0 [ 2.102006][ T22] ? 
enable_work+0x2fa/0x340 [ 2.102006][ T22] report_bug+0x3c0/0x580 [ 2.102006][ T22] handle_bug+0x54/0xa0 [ 2.102006][ T22] exc_invalid_op+0x17/0x50 [ 2.102006][ T22] asm_exc_invalid_op+0x1a/0x20 [ 2.102006][ T22] RIP: 0010:enable_work+0x2fa/0x340 [ 2.102006][ T22] Code: 89 ee e8 49 d6 36 00 45 84 ed 0f 85 28 fe ff ff e8 9b db 36 00 c6 05 f2 9f e4 0e 01 90 48 c7 c7 00 da 6b 8b e8 57 12 f7 ff 90 <0f> 0b 90 90 e9 05 fe ff ff 48 89 ef e8 e5 7f 99 00 e9 a9 fe ff ff [ 2.102006][ T22] RSP: 0000:ffffc9000060fca0 EFLAGS: 00010082 [ 2.102006][ T22] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff815a5139 [ 2.102006][ T22] RDX: ffff88801d6dc880 RSI: ffffffff815a5146 RDI: 0000000000000001 [ 2.102006][ T22] RBP: ffff88806a838660 R08: 0000000000000001 R09: 0000000000000000 [ 2.102006][ T22] R10: 0000000000000000 R11: 0000000000000002 R12: 1ffff920000c1f95 [ 2.102006][ T22] R13: 0000000000000000 R14: 00000000000000c5 R15: ffffffff81dbfd90 [ 2.102006][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10 [ 2.102006][ T22] ? __warn_printk+0x199/0x350 [ 2.102006][ T22] ? __warn_printk+0x1a6/0x350 [ 2.102006][ T22] ? __pfx_enable_work+0x10/0x10 [ 2.102006][ T22] vmstat_cpu_online+0x83/0xf0 [ 2.102006][ T22] cpuhp_invoke_callback+0x3d0/0xa10 [ 2.102006][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10 [ 2.102006][ T22] ? lock_acquire.part.0+0x350/0x380 [ 2.102006][ T22] ? cpuhp_next_state+0x100/0x1c0 [ 2.102006][ T22] cpuhp_thread_fun+0x480/0x6f0 [ 2.102006][ T22] ? __pfx_cpuhp_thread_fun+0x10/0x10 [ 2.102006][ T22] ? __pfx_cpuhp_thread_fun+0x10/0x10 [ 2.102006][ T22] ? smpboot_thread_fn+0x59d/0xa30 [ 2.102006][ T22] smpboot_thread_fn+0x661/0xa30 [ 2.102006][ T22] ? __kthread_parkme+0x148/0x220 [ 2.102006][ T22] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 2.102006][ T22] kthread+0x2c1/0x3a0 [ 2.102006][ T22] ? _raw_spin_unlock_irq+0x23/0x50 [ 2.102006][ T22] ? __pfx_kthread+0x10/0x10 [ 2.102006][ T22] ret_from_fork+0x45/0x80 [ 2.102006][ T22] ? 
__pfx_kthread+0x10/0x10 [ 2.102006][ T22] ret_from_fork_asm+0x1a/0x30 [ 2.102006][ T22] </TASK> [ 2.102006][ T22] Rebooting in 86400 seconds.. syzkaller build log: go env (err=<nil>) GO111MODULE='auto' GOARCH='amd64' GOBIN='' GOCACHE='/syzkaller/.cache/go-build' GOENV='/syzkaller/.config/go/env' GOEXE='' GOEXPERIMENT='' GOFLAGS='' GOHOSTARCH='amd64' GOHOSTOS='linux' GOINSECURE='' GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod' GONOPROXY='' GONOSUMDB='' GOOS='linux' GOPATH='/syzkaller/jobs/linux/gopath' GOPRIVATE='' GOPROXY='https://proxy.golang.org,direct' GOROOT='/usr/local/go' GOSUMDB='sum.golang.org' GOTMPDIR='' GOTOOLCHAIN='auto' GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64' GOVCS='' GOVERSION='go1.22.7' GCCGO='gccgo' GOAMD64='v1' AR='ar' CC='gcc' CXX='g++' CGO_ENABLED='1' GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod' GOWORK='' CGO_CFLAGS='-O2 -g' CGO_CPPFLAGS='' CGO_CXXFLAGS='-O2 -g' CGO_FFLAGS='-O2 -g' CGO_LDFLAGS='-O2 -g' PKG_CONFIG='pkg-config' GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3770409158=/tmp/go-build -gno-record-gcc-switches' git status (err=<nil>) HEAD detached at d3ccff6372 nothing to commit, working tree clean tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified Makefile:31: run command via tools/syz-env for best compatibility, see: Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen make .descriptions tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified Makefile:31: run command via tools/syz-env for best compatibility, see: Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env bin/syz-sysgen go fmt ./sys/... 
>/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=d3ccff6372e07c6aabd02b5da419aa6492b5f0ad -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241226-091248'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"d3ccff6372e07c6aabd02b5da419aa6492b5f0ad\"
/usr/bin/ld: /tmp/cc7jjcOI.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1270c4b0580000
Tested on:
commit: 9d895519 Linux 6.13-rc6
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=7bdfbaac3fbb90d6
dashboard link: https://syzkaller.appspot.com/bug?extid=ed7c6209f62eba1565aa
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1120c4b0580000
* Re: [syzbot] [input?] possible deadlock in input_ff_flush
@ 2025-01-07 10:45 Hillf Danton
From: Hillf Danton @ 2025-01-07 10:45 UTC (permalink / raw)
To: dmitry.torokhov, Boqun Feng
Cc: syzbot, Tetsuo Handa, linux-input, linux-kernel, syzkaller-bugs
On Sun, 05 Jan 2025 04:40:19 -0800
> syzbot found the following issue on:
>
> HEAD commit: ccb98ccef0e5 Merge tag 'platform-drivers-x86-v6.13-4' of g..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1613fac4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=dc863cc90857c683
> dashboard link: https://syzkaller.appspot.com/bug?extid=ed7c6209f62eba1565aa
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17bd56df980000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-ccb98cce.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/1f85617cae1e/vmlinux-ccb98cce.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/0dc4d6c6c931/bzImage-ccb98cce.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+ed7c6209f62eba1565aa@syzkaller.appspotmail.com
>
> ======================================================
> WARNING: possible circular locking dependency detected
> 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0 Not tainted
> ------------------------------------------------------
> udevd/5941 is trying to acquire lock:
> ffff8880293600b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_flush+0x63/0x170 drivers/input/ff-core.c:242
>
> but task is already holding lock:
> ffff88804d45b2c0 (&dev->mutex#2){+.+.}-{4:4}, at: input_flush_device+0x4b/0xd0 drivers/input/input.c:647
>
> which lock already depends on the new lock.
>
> the existing dependency chain (in reverse order) is:
>
> -> #3 (&dev->mutex#2){+.+.}-{4:4}:
> __mutex_lock_common kernel/locking/mutex.c:585 [inline]
> __mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
> input_register_handle+0xca/0x5e0 drivers/input/input.c:2725
> kbd_connect+0xca/0x160 drivers/tty/vt/keyboard.c:1587
> input_attach_handler.isra.0+0x181/0x260 drivers/input/input.c:1032
> input_register_device+0xa84/0x1110 drivers/input/input.c:2475
> acpi_button_add+0x57a/0xb70 drivers/acpi/button.c:615
> acpi_device_probe+0xc6/0x330 drivers/acpi/bus.c:1076
> call_driver_probe drivers/base/dd.c:579 [inline]
> really_probe+0x23e/0xa90 drivers/base/dd.c:658
> __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
> driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
> __driver_attach+0x283/0x580 drivers/base/dd.c:1216
> bus_for_each_dev+0x13c/0x1d0 drivers/base/bus.c:370
> bus_add_driver+0x2e9/0x690 drivers/base/bus.c:675
> driver_register+0x15c/0x4b0 drivers/base/driver.c:246
> __acpi_bus_register_driver+0xdf/0x130 drivers/acpi/bus.c:1027
> acpi_button_register_driver drivers/acpi/button.c:745 [inline]
> acpi_button_driver_init+0x82/0x110 drivers/acpi/button.c:754
> do_one_initcall+0x128/0x700 init/main.c:1266
> do_initcall_level init/main.c:1328 [inline]
> do_initcalls init/main.c:1344 [inline]
> do_basic_setup init/main.c:1363 [inline]
> kernel_init_freeable+0x5c7/0x900 init/main.c:1577
> kernel_init+0x1c/0x2b0 init/main.c:1466
> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> -> #2 (input_mutex){+.+.}-{4:4}:
> __mutex_lock_common kernel/locking/mutex.c:585 [inline]
> __mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
> input_register_device+0x98a/0x1110 drivers/input/input.c:2468
> uinput_create_device drivers/input/misc/uinput.c:365 [inline]

The upload callback is set [1] before registering the input device.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/input/misc/uinput.c?id=ccb98ccef0e5#n348

> uinput_ioctl_handler.isra.0+0x130c/0x1d70 drivers/input/misc/uinput.c:918
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:906 [inline]
> __se_sys_ioctl fs/ioctl.c:892 [inline]
> __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> -> #1 (&newdev->mutex){+.+.}-{4:4}:
> __mutex_lock_common kernel/locking/mutex.c:585 [inline]
> __mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
> uinput_request_send drivers/input/misc/uinput.c:151 [inline]
> uinput_request_submit.part.0+0x25/0x2e0 drivers/input/misc/uinput.c:182
> uinput_request_submit drivers/input/misc/uinput.c:179 [inline]
> uinput_dev_upload_effect+0x175/0x1f0 drivers/input/misc/uinput.c:257
> input_ff_upload+0x55b/0xbf0 drivers/input/ff-core.c:152

The dependence of #1 on #2 does not exist from the functional POV, as the upload callback cannot be invoked before it is initialized. So this report is a false positive.

> evdev_do_ioctl+0xf45/0x1ae0 drivers/input/evdev.c:1181
> evdev_ioctl_handler drivers/input/evdev.c:1270 [inline]
> evdev_ioctl+0x16a/0x1a0 drivers/input/evdev.c:1279
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:906 [inline]
> __se_sys_ioctl fs/ioctl.c:892 [inline]
> __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> -> #0 (&ff->mutex){+.+.}-{4:4}:
> check_prev_add kernel/locking/lockdep.c:3161 [inline]
> check_prevs_add kernel/locking/lockdep.c:3280 [inline]
> validate_chain kernel/locking/lockdep.c:3904 [inline]
> __lock_acquire+0x249e/0x3c40 kernel/locking/lockdep.c:5226
> lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
> __mutex_lock_common kernel/locking/mutex.c:585 [inline]
> __mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
> input_ff_flush+0x63/0x170 drivers/input/ff-core.c:242
> uinput_dev_flush+0x2a/0x40 drivers/input/misc/uinput.c:283
> input_flush_device+0x97/0xd0 drivers/input/input.c:652
> evdev_release+0x33d/0x400 drivers/input/evdev.c:435
> __fput+0x3f8/0xb60 fs/file_table.c:450
> __fput_sync+0xa1/0xc0 fs/file_table.c:535
> __do_sys_close fs/open.c:1554 [inline]
> __se_sys_close fs/open.c:1539 [inline]
> __x64_sys_close+0x86/0x100 fs/open.c:1539
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> other info that might help us debug this:
>
> Chain exists of:
> &ff->mutex --> input_mutex --> &dev->mutex#2
>
> Possible unsafe locking scenario:
>
> CPU0 CPU1
> ---- ----
> lock(&dev->mutex#2);
> lock(input_mutex);
> lock(&dev->mutex#2);
> lock(&ff->mutex);
>
> *** DEADLOCK ***
>
> 2 locks held by udevd/5941:
> #0: ffff888024d58118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_release+0x77/0x400 drivers/input/evdev.c:432
> #1: ffff88804d45b2c0 (&dev->mutex#2){+.+.}-{4:4}, at: input_flush_device+0x4b/0xd0 drivers/input/input.c:647
[...]
* Re: [syzbot] [input?] possible deadlock in input_ff_flush
2025-01-05 12:40 [syzbot] [input?] possible deadlock in input_ff_flush syzbot
2025-01-06 10:29 ` Hillf Danton
2025-01-07 10:45 ` Hillf Danton
@ 2025-07-26 18:46 ` syzbot
2 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2025-07-26 18:46 UTC (permalink / raw)
To: boqun.feng, dmitry.torokhov, hdanton, linux-input, linux-kernel, penguin-kernel, syzkaller-bugs
syzbot has found a reproducer for the following issue on:
HEAD commit: 5f33ebd2018c Merge tag 'drm-fixes-2025-07-26' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=130d4034580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9f175a9275d2cdd7
dashboard link: https://syzkaller.appspot.com/bug?extid=ed7c6209f62eba1565aa
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=108d4034580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=148d4034580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/744f4180f939/disk-5f33ebd2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/473dde4ed605/vmlinux-5f33ebd2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8a27e8b2b834/bzImage-5f33ebd2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ed7c6209f62eba1565aa@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.16.0-rc7-syzkaller-00120-g5f33ebd2018c #0 Not tainted
------------------------------------------------------
udevd/5831 is trying to acquire lock:
ffff8880259b80b0 (&ff->mutex){+.+.}-{4:4}, at: class_mutex_constructor include/linux/mutex.h:225 [inline]
ffff8880259b80b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_flush+0x63/0x180 drivers/input/ff-core.c:231
but task is already holding lock:
ffff8880268022c0 (&dev->mutex#2){+.+.}-{4:4}, at: class_mutex_intr_constructor include/linux/mutex.h:227 [inline]
ffff8880268022c0 (&dev->mutex#2){+.+.}-{4:4}, at: input_flush_device+0x55/0x110 drivers/input/input.c:625
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&dev->mutex#2){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:602 [inline]
__mutex_lock+0x199/0xb90 kernel/locking/mutex.c:747
class_mutex_intr_constructor include/linux/mutex.h:227 [inline]
input_register_handle+0xdc/0x620 drivers/input/input.c:2653
kbd_connect+0xca/0x160 drivers/tty/vt/keyboard.c:1580
input_attach_handler.isra.0+0x184/0x260 drivers/input/input.c:993
input_register_device+0xa84/0x1130 drivers/input/input.c:2412
acpi_button_add+0x582/0xb70 drivers/acpi/button.c:621
acpi_device_probe+0xc6/0x330 drivers/acpi/bus.c:1076
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:657
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:799
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829
__driver_attach+0x283/0x580 drivers/base/dd.c:1215
bus_for_each_dev+0x13e/0x1d0 drivers/base/bus.c:370
bus_add_driver+0x2e9/0x690 drivers/base/bus.c:678
driver_register+0x15c/0x4b0 drivers/base/driver.c:249
__acpi_bus_register_driver+0xdf/0x130 drivers/acpi/bus.c:1027
acpi_button_register_driver drivers/acpi/button.c:751 [inline]
acpi_button_driver_init+0x82/0x110 drivers/acpi/button.c:760
do_one_initcall+0x120/0x6e0 init/main.c:1274
do_initcall_level init/main.c:1336 [inline]
do_initcalls init/main.c:1352 [inline]
do_basic_setup init/main.c:1371 [inline]
kernel_init_freeable+0x5c2/0x900 init/main.c:1584
kernel_init+0x1c/0x2b0 init/main.c:1474
ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
-> #2 (input_mutex){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:602 [inline]
__mutex_lock+0x199/0xb90 kernel/locking/mutex.c:747
class_mutex_intr_constructor include/linux/mutex.h:227 [inline]
input_register_device+0x98a/0x1130 drivers/input/input.c:2408
uinput_create_device drivers/input/misc/uinput.c:365 [inline]
uinput_ioctl_handler.isra.0+0x1357/0x1df0 drivers/input/misc/uinput.c:918
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (&newdev->mutex){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:602 [inline]
__mutex_lock+0x199/0xb90 kernel/locking/mutex.c:747
uinput_request_send drivers/input/misc/uinput.c:151 [inline]
uinput_request_submit.part.0+0x25/0x2e0 drivers/input/misc/uinput.c:182
uinput_request_submit drivers/input/misc/uinput.c:179 [inline]
uinput_dev_upload_effect+0x174/0x1f0 drivers/input/misc/uinput.c:257
input_ff_upload+0x568/0xc10 drivers/input/ff-core.c:148
evdev_do_ioctl+0xf40/0x1b30 drivers/input/evdev.c:1181
evdev_ioctl_handler drivers/input/evdev.c:1270 [inline]
evdev_ioctl+0x16f/0x1a0 drivers/input/evdev.c:1279
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&ff->mutex){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3168 [inline]
check_prevs_add kernel/locking/lockdep.c:3287 [inline]
validate_chain kernel/locking/lockdep.c:3911 [inline]
__lock_acquire+0x126f/0x1c90 kernel/locking/lockdep.c:5240
lock_acquire kernel/locking/lockdep.c:5871 [inline]
lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5828
__mutex_lock_common kernel/locking/mutex.c:602 [inline]
__mutex_lock+0x199/0xb90 kernel/locking/mutex.c:747
class_mutex_constructor include/linux/mutex.h:225 [inline]
input_ff_flush+0x63/0x180 drivers/input/ff-core.c:231
uinput_dev_flush+0x2a/0x40 drivers/input/misc/uinput.c:283
input_flush_device+0xa1/0x110 drivers/input/input.c:627
evdev_release+0x344/0x420 drivers/input/evdev.c:435
__fput+0x3ff/0xb70 fs/file_table.c:465
fput_close_sync+0x118/0x260 fs/file_table.c:570
__do_sys_close fs/open.c:1589 [inline]
__se_sys_close fs/open.c:1574 [inline]
__x64_sys_close+0x8b/0x120 fs/open.c:1574
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&ff->mutex --> input_mutex --> &dev->mutex#2
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&dev->mutex#2);
                               lock(input_mutex);
                               lock(&dev->mutex#2);
  lock(&ff->mutex);
 *** DEADLOCK ***
2 locks held by udevd/5831:
#0: ffff888026803118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_release+0x79/0x420 drivers/input/evdev.c:432
#1: ffff8880268022c0 (&dev->mutex#2){+.+.}-{4:4}, at: class_mutex_intr_constructor include/linux/mutex.h:227 [inline]
#1: ffff8880268022c0 (&dev->mutex#2){+.+.}-{4:4}, at: input_flush_device+0x55/0x110 drivers/input/input.c:625
stack backtrace:
CPU: 0 UID: 0 PID: 5831 Comm: udevd Not tainted 6.16.0-rc7-syzkaller-00120-g5f33ebd2018c #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_circular_bug+0x275/0x350 kernel/locking/lockdep.c:2046
check_noncircular+0x14c/0x170 kernel/locking/lockdep.c:2178
check_prev_add kernel/locking/lockdep.c:3168 [inline]
check_prevs_add kernel/locking/lockdep.c:3287 [inline]
validate_chain kernel/locking/lockdep.c:3911 [inline]
__lock_acquire+0x126f/0x1c90 kernel/locking/lockdep.c:5240
lock_acquire kernel/locking/lockdep.c:5871 [inline]
lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5828
__mutex_lock_common kernel/locking/mutex.c:602 [inline]
__mutex_lock+0x199/0xb90 kernel/locking/mutex.c:747
class_mutex_constructor include/linux/mutex.h:225 [inline]
input_ff_flush+0x63/0x180 drivers/input/ff-core.c:231
uinput_dev_flush+0x2a/0x40 drivers/input/misc/uinput.c:283
input_flush_device+0xa1/0x110 drivers/input/input.c:627
evdev_release+0x344/0x420 drivers/input/evdev.c:435
__fput+0x3ff/0xb70 fs/file_table.c:465
fput_close_sync+0x118/0x260 fs/file_table.c:570
__do_sys_close fs/open.c:1589 [inline]
__se_sys_close fs/open.c:1574 [inline]
__x64_sys_close+0x8b/0x120 fs/open.c:1574
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7c2f2a7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007fff6a7623b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00007f7c2fa12880 RCX: 00007f7c2f2a7407
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
RBP: 00007f7c2fa126e8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000016
R13: 00007fff6a7624c0 R14: 0000000000000000 R15: 0000000000000000
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.