* [Bug] roccat_report_event() uses mutex_lock() inside a interrupt handler
@ 2025-12-09 21:38 Armin Wolf
From: Armin Wolf @ 2025-12-09 21:38 UTC
To: de
Cc: Jiri Kosina, Benjamin Tissoires,
open list:INPUT (KEYBOARD, MOUSE, JOYSTICK, TOUCHSCREEN)...
Hello,
I finally had the time to debug a locking issue inside the driver of my Roccat Ryos USB keyboard:
[ 24.370282] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
[ 24.370564] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/7
[ 24.370573] preempt_count: 101, expected: 0
[ 24.370580] RCU nest depth: 0, expected: 0
[ 24.370587] 2 locks held by swapper/7/0:
[ 24.370593] #0: ffff9881c0053d48 ((wq_completion)events_bh_highpri){+.-.}-{0:0}, at: process_one_work+0x425/0x6a0
[ 24.370624] #1: ffffbb560036cee0 ((work_completion)(&bh->bh)){+.-.}-{0:0}, at: process_one_work+0x1e5/0x6a0
[ 24.370652] Preemption disabled at:
[ 24.370656] [<ffffffffbb37f9b6>] __raw_spin_lock_irqsave+0x26/0x60
[ 24.370669] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G E 6.18.0+ #13 PREEMPT(voluntary)
[ 24.370673] Tainted: [E]=UNSIGNED_MODULE
[ 24.370674] Hardware name: ASUS System Product Name/PRIME B650-PLUS, BIOS 3602 11/13/2025
[ 24.370675] Call Trace:
[ 24.370677] <IRQ>
[ 24.370680] dump_stack_lvl+0x8d/0xb0
[ 24.370687] __might_resched+0x1a0/0x2b0
[ 24.370696] __mutex_lock+0x67/0x1020
[ 24.370699] ? __create_object+0x5e/0x90
[ 24.370706] ? srso_alias_return_thunk+0x5/0xfbef5
[ 24.370709] ? roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.370712] ? srso_alias_return_thunk+0x5/0xfbef5
[ 24.370718] ? roccat_report_event+0x27/0xe0 [hid_roccat]
[ 24.370735] ? roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.370737] ? srso_alias_return_thunk+0x5/0xfbef5
[ 24.370739] roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.370746] ryos_raw_event+0x3f/0x50 [hid_roccat_ryos]
[ 24.370750] __hid_input_report+0x129/0x1f0 [hid]
[ 24.370766] hid_input_report+0x11/0x20 [hid]
[ 24.370773] hid_irq_in+0x104/0x1f0 [usbhid]
[ 24.370783] __usb_hcd_giveback_urb+0xa0/0x120 [usbcore]
[ 24.370800] usb_giveback_urb_bh+0xa6/0x130 [usbcore]
[ 24.370820] process_one_work+0x226/0x6a0
[ 24.370824] ? srso_alias_return_thunk+0x5/0xfbef5
[ 24.370839] bh_worker+0x17b/0x1e0
[ 24.370849] tasklet_hi_action+0x17/0x40
[ 24.370853] handle_softirqs+0xe8/0x410
[ 24.370866] __irq_exit_rcu+0xca/0x120
[ 24.370868] irq_exit_rcu+0xa/0x30
[ 24.370871] common_interrupt+0xb8/0xd0
[ 24.370875] </IRQ>
[ 24.370876] <TASK>
[ 24.370881] asm_common_interrupt+0x22/0x40
[ 24.370883] RIP: 0010:cpuidle_enter_state+0x12c/0x4f0
[ 24.370886] Code: 01 48 0f a3 05 e5 93 0c 01 0f 82 b4 02 00 00 31 ff e8 98 3a 34 ff 45 84 ff 0f 85 02 02 00 00 e8 1a a8 48 ff fb 0f 1f 44 00 00 <45> 85 f6 0f 88 d4 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d
[ 24.370887] RSP: 0018:ffffbb56001d7e68 EFLAGS: 00000202
[ 24.370889] RAX: 0000000000030185 RBX: ffff9881e1345c00 RCX: 0000000000000000
[ 24.370891] RDX: 0000000000000000 RSI: ffffffffbc7884ca RDI: ffffffffbc767f8c
[ 24.370892] RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000
[ 24.370893] R10: 0000000000000001 R11: 0000000000000000 R12: ffffffffbd029e60
[ 24.370893] R13: 00000005ac93dbee R14: 0000000000000003 R15: 0000000000000000
[ 24.370916] ? cpuidle_enter_state+0x126/0x4f0
[ 24.370926] cpuidle_enter+0x29/0x40
[ 24.370933] cpuidle_idle_call+0xff/0x180
[ 24.370942] do_idle+0x8e/0xe0
[ 24.370947] cpu_startup_entry+0x25/0x30
[ 24.370950] start_secondary+0x11c/0x140
[ 24.370957] common_startup_64+0x13e/0x141
[ 24.370984] </TASK>
[ 24.371060] =============================
[ 24.371063] [ BUG: Invalid wait context ]
[ 24.371065] 6.18.0+ #13 Tainted: G W E
[ 24.371068] -----------------------------
[ 24.371071] swapper/7/0 is trying to lock:
[ 24.371073] ffff9881d2a52200 (&device->cbuf_lock){....}-{4:4}, at: roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.371083] other info that might help us debug this:
[ 24.371085] context-{3:3}
[ 24.371088] 2 locks held by swapper/7/0:
[ 24.371090] #0: ffff9881c0053d48 ((wq_completion)events_bh_highpri){+.-.}-{0:0}, at: process_one_work+0x425/0x6a0
[ 24.371100] #1: ffffbb560036cee0 ((work_completion)(&bh->bh)){+.-.}-{0:0}, at: process_one_work+0x1e5/0x6a0
[ 24.371110] stack backtrace:
[ 24.371113] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G W E 6.18.0+ #13 PREEMPT(voluntary)
[ 24.371116] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE
[ 24.371116] Hardware name: ASUS System Product Name/PRIME B650-PLUS, BIOS 3602 11/13/2025
[ 24.371117] Call Trace:
[ 24.371118] <IRQ>
[ 24.371120] dump_stack_lvl+0x73/0xb0
[ 24.371123] __lock_acquire+0x966/0xbb0
[ 24.371127] ? __raw_spin_lock_irqsave+0x26/0x60
[ 24.371131] lock_acquire.part.0+0xa9/0x230
[ 24.371135] ? roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.371139] ? srso_alias_return_thunk+0x5/0xfbef5
[ 24.371141] ? rcu_is_watching+0xd/0x40
[ 24.371144] ? srso_alias_return_thunk+0x5/0xfbef5
[ 24.371145] ? lock_acquire+0xee/0x110
[ 24.371151] __mutex_lock+0xb3/0x1020
[ 24.371153] ? roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.371155] ? __create_object+0x5e/0x90
[ 24.371158] ? srso_alias_return_thunk+0x5/0xfbef5
[ 24.371160] ? roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.371162] ? srso_alias_return_thunk+0x5/0xfbef5
[ 24.371165] ? roccat_report_event+0x27/0xe0 [hid_roccat]
[ 24.371172] ? roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.371174] ? srso_alias_return_thunk+0x5/0xfbef5
[ 24.371176] roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.371179] ryos_raw_event+0x3f/0x50 [hid_roccat_ryos]
[ 24.371182] __hid_input_report+0x129/0x1f0 [hid]
[ 24.371190] hid_input_report+0x11/0x20 [hid]
[ 24.371194] hid_irq_in+0x104/0x1f0 [usbhid]
[ 24.371199] __usb_hcd_giveback_urb+0xa0/0x120 [usbcore]
[ 24.371210] usb_giveback_urb_bh+0xa6/0x130 [usbcore]
[ 24.371223] process_one_work+0x226/0x6a0
[ 24.371226] ? srso_alias_return_thunk+0x5/0xfbef5
[ 24.371233] bh_worker+0x17b/0x1e0
[ 24.371238] tasklet_hi_action+0x17/0x40
[ 24.371241] handle_softirqs+0xe8/0x410
[ 24.371247] __irq_exit_rcu+0xca/0x120
[ 24.371249] irq_exit_rcu+0xa/0x30
[ 24.371252] common_interrupt+0xb8/0xd0
[ 24.371255] </IRQ>
[ 24.371255] <TASK>
[ 24.371258] asm_common_interrupt+0x22/0x40
[ 24.371260] RIP: 0010:cpuidle_enter_state+0x12c/0x4f0
[ 24.371262] Code: 01 48 0f a3 05 e5 93 0c 01 0f 82 b4 02 00 00 31 ff e8 98 3a 34 ff 45 84 ff 0f 85 02 02 00 00 e8 1a a8 48 ff fb 0f 1f 44 00 00 <45> 85 f6 0f 88 d4 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d
[ 24.371263] RSP: 0018:ffffbb56001d7e68 EFLAGS: 00000202
[ 24.371265] RAX: 0000000000030185 RBX: ffff9881e1345c00 RCX: 0000000000000000
[ 24.371266] RDX: 0000000000000000 RSI: ffffffffbc7884ca RDI: ffffffffbc767f8c
[ 24.371267] RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000
[ 24.371268] R10: 0000000000000001 R11: 0000000000000000 R12: ffffffffbd029e60
[ 24.371268] R13: 00000005ac93dbee R14: 0000000000000003 R15: 0000000000000000
[ 24.371278] ? cpuidle_enter_state+0x126/0x4f0
[ 24.371283] cpuidle_enter+0x29/0x40
[ 24.371287] cpuidle_idle_call+0xff/0x180
[ 24.371291] do_idle+0x8e/0xe0
[ 24.371294] cpu_startup_entry+0x25/0x30
[ 24.371297] start_secondary+0x11c/0x140
[ 24.371300] common_startup_64+0x13e/0x141
[ 24.371313] </TASK>
AFAIK roccat_report_event() is being called from an interrupt handler, so calling functions like mutex_lock()
is not permitted here. However since commit cacdb14b1c8d ("HID: roccat: Fix use-after-free in roccat_read()"),
roccat_report_event() calls mutex_lock()_unlock(), causing the above warnings.
I myself have no experience with HID drivers, so maybe someone can give me a hint on how to fix
this issue.
Thanks,
Armin Wolf
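
Added example (not part of the original message and not kernel or driver code): a small Python triage helper for the splat quoted above. It decodes the hexadecimal preempt_count into its nesting counters and picks the first reliable (non-"?") frame below the sleeping lock call. The bit layout is an assumption taken from include/linux/preempt.h, and SAMPLE, decode_preempt_count and triage are names made up for this example.

```python
import re

# Constructed excerpt of the splat quoted in the message above.
SAMPLE = """\
[ 24.370282] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
[ 24.370564] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/7
[ 24.370573] preempt_count: 101, expected: 0
[ 24.370675] Call Trace:
[ 24.370677] <IRQ>
[ 24.370696] __mutex_lock+0x67/0x1020
[ 24.370709] ? roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.370739] roccat_report_event+0x44/0xe0 [hid_roccat]
[ 24.370746] ryos_raw_event+0x3f/0x50 [hid_roccat_ryos]
[ 24.370875] </IRQ>
"""

# Assumed bit layout, following include/linux/preempt.h (not stated on the page).
FIELDS = (("preempt", 0, 0xFF), ("softirq", 8, 0xFF),
          ("hardirq", 16, 0xF), ("nmi", 20, 0xF))
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
FRAME = re.compile(r"^(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")
SLEEPERS = {"__mutex_lock", "mutex_lock"}  # sleeping primitives to look for

def decode_preempt_count(value):
    """Split a raw preempt_count into its nesting counters."""
    return {name: (value >> shift) & mask for name, shift, mask in FIELDS}

def triage(log):
    """Report the atomic context and the first reliable caller of the sleeping lock."""
    m = re.search(r"preempt_count: ([0-9a-f]+), expected", log)
    ctx = decode_preempt_count(int(m.group(1), 16)) if m else {}  # value is printed in hex
    kind = next((k for k in ("nmi", "hardirq", "softirq", "preempt") if ctx.get(k)), None)
    caller = module = None
    seen_sleeper = in_irq = False
    for raw in log.splitlines():
        line = STAMP.sub("", raw).strip()
        if line == "<IRQ>":
            in_irq = True
        frame = FRAME.match(line)
        if not frame or frame.group(1):  # skip non-frames and unreliable "?" entries
            continue
        if frame.group(2) in SLEEPERS:
            seen_sleeper = True
        elif seen_sleeper and caller is None:
            caller, module = frame.group(2), frame.group(3)
    return {"context": ctx, "kind": kind, "irq_stack": in_irq,
            "caller": caller, "module": module}
```
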