possible deadlock in uinput_request_submit


syzbot

Apr 14, 2019, 5:33:12 AM4/14/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=10a9651f400000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=aeecd8ac161c94ba9daa
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+aeecd8...@syzkaller.appspotmail.com

audit: type=1400 audit(1549745932.922:3796): avc: denied { net_admin }
for pid=2087 comm="syz-executor.5" capability=12
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #23 Not tainted
-------------------------------------------------------
syz-executor.2/18750 is trying to acquire lock:
(&newdev->mutex){+.+.+.}, at: [<ffffffff8207f2e9>] uinput_request_send
drivers/input/misc/uinput.c:116 [inline]
(&newdev->mutex){+.+.+.}, at: [<ffffffff8207f2e9>]
uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
but task is already holding lock:
(&ff->mutex){+.+...}, at: [<ffffffff8204aefa>] input_ff_upload+0x10a/0xa00
drivers/input/ff-core.c:135
which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&ff->mutex){+.+...}:
lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
flush_effects+0x58/0x110 drivers/input/ff-core.c:249
input_flush_device+0x8e/0xd0 drivers/input/input.c:632
evdev_flush+0xfb/0x120 drivers/input/evdev.c:353
filp_close+0xa7/0x140 fs/open.c:1129
__close_fd+0x156/0x230 fs/file.c:651
SYSC_close fs/open.c:1148 [inline]
SyS_close+0x4c/0x90 fs/open.c:1146
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

-> #1 (&dev->mutex#2){+.+...}:
lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
input_disconnect_device drivers/input/input.c:704 [inline]
__input_unregister_device+0x2a/0x490 drivers/input/input.c:2018
input_unregister_device+0xa6/0xf0 drivers/input/input.c:2197
uinput_destroy_device+0x1cf/0x220 drivers/input/misc/uinput.c:246
uinput_ioctl_handler.isra.4+0xffb/0x1980
drivers/input/misc/uinput.c:821
uinput_compat_ioctl+0x5f/0x80 drivers/input/misc/uinput.c:1001
C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

-> #0 (&newdev->mutex){+.+.+.}:
check_prev_add kernel/locking/lockdep.c:1828 [inline]
check_prevs_add kernel/locking/lockdep.c:1938 [inline]
validate_chain kernel/locking/lockdep.c:2265 [inline]
__lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
uinput_request_send drivers/input/misc/uinput.c:116 [inline]
uinput_request_submit.part.2+0x29/0x200
drivers/input/misc/uinput.c:147
uinput_request_submit drivers/input/misc/uinput.c:144 [inline]
uinput_dev_upload_effect+0x14a/0x1c0 drivers/input/misc/uinput.c:216
input_ff_upload+0x528/0xa00 drivers/input/ff-core.c:165
evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

other info that might help us debug this:

Chain exists of:
&newdev->mutex --> &dev->mutex#2 --> &ff->mutex

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ff->mutex);
                               lock(&dev->mutex#2);
                               lock(&ff->mutex);
  lock(&newdev->mutex);

*** DEADLOCK ***

2 locks held by syz-executor.2/18750:
#0: (&evdev->mutex){+.+.+.}, at: [<ffffffff820577f2>]
evdev_ioctl_handler+0x112/0x1820 drivers/input/evdev.c:1293
#1: (&ff->mutex){+.+...}, at: [<ffffffff8204aefa>]
input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135

stack backtrace:
CPU: 1 PID: 18750 Comm: syz-executor.2 Not tainted 4.9.141+ #23
ffff8801a3187778 ffffffff81b42e79 ffffffff83c98560 ffffffff83ce93b0
ffffffff83cd4c50 ffff8801a9c808f8 ffff8801a9c80000 ffff8801a31877c0
ffffffff813fee40 0000000000000002 00000000a9c808d8 0000000000000002
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff813fee40>] print_circular_bug.cold.36+0x2f7/0x432
kernel/locking/lockdep.c:1202
[<ffffffff8120a539>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
[<ffffffff8120a539>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
[<ffffffff8120a539>] validate_chain kernel/locking/lockdep.c:2265 [inline]
[<ffffffff8120a539>] __lock_acquire+0x3189/0x4a10
kernel/locking/lockdep.c:3345
[<ffffffff8120c8d0>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
[<ffffffff8280ce4c>] __mutex_lock_common kernel/locking/mutex.c:521
[inline]
[<ffffffff8280ce4c>] mutex_lock_interruptible_nested+0xcc/0x9c0
kernel/locking/mutex.c:650
[<ffffffff8207f2e9>] uinput_request_send drivers/input/misc/uinput.c:116
[inline]
[<ffffffff8207f2e9>] uinput_request_submit.part.2+0x29/0x200
drivers/input/misc/uinput.c:147
[<ffffffff8208237a>] uinput_request_submit drivers/input/misc/uinput.c:144
[inline]
[<ffffffff8208237a>] uinput_dev_upload_effect+0x14a/0x1c0
drivers/input/misc/uinput.c:216
[<ffffffff8204b318>] input_ff_upload+0x528/0xa00
drivers/input/ff-core.c:165
[<ffffffff82058542>] evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
[<ffffffff82058542>] evdev_ioctl_handler+0xe62/0x1820
drivers/input/evdev.c:1302
[<ffffffff82058f29>] evdev_ioctl_compat+0x29/0x30
drivers/input/evdev.c:1318
[<ffffffff81619c8d>] C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
[<ffffffff81619c8d>] compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137
audit: type=1400 audit(1549745932.942:3797): avc: denied { dac_override }
for pid=18749 comm="syz-executor.2" capability=1
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
audit: type=1400 audit(1549745932.962:3798): avc: denied { net_admin }
for pid=2087 comm="syz-executor.5" capability=12
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
audit: type=1400 audit(1549745932.962:3799): avc: denied { net_admin }
for pid=2087 comm="syz-executor.5" capability=12
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
audit: type=1400 audit(1549745932.962:3800): avc: denied { net_admin }
for pid=2087 comm="syz-executor.5" capability=12
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
audit: type=1400 audit(1549745932.962:3801): avc: denied { net_admin }
for pid=2087 comm="syz-executor.5" capability=12
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
audit: type=1400 audit(1549745932.972:3802): avc: denied { net_admin }
for pid=2087 comm="syz-executor.5" capability=12
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
audit: type=1400 audit(1549745932.982:3803): avc: denied { prog_load }
for pid=18754 comm="syz-executor.4"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
audit: type=1400 audit(1549745932.992:3804): avc: denied { sys_admin }
for pid=2086 comm="syz-executor.4" capability=21
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 24, 2019, 10:59:06 AM5/24/19
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=172a33f8a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=aeecd8ac161c94ba9daa
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13c52d30a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=157de272a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+aeecd8...@syzkaller.appspotmail.com

input: syz0 as /devices/virtual/input/input49
input: syz0 as /devices/virtual/input/input50
input: syz0 as /devices/virtual/input/input51
input: syz0 as /devices/virtual/input/input52
======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #23 Not tainted
-------------------------------------------------------
syz-executor116/2216 is trying to acquire lock:
(&newdev->mutex){+.+.+.}, at: [<ffffffff8207f2e9>] uinput_request_send
drivers/input/misc/uinput.c:116 [inline]
(&newdev->mutex){+.+.+.}, at: [<ffffffff8207f2e9>]
uinput_request_submit.part.2+0x29/0x200 drivers/input/misc/uinput.c:147
but task is already holding lock:
(&ff->mutex){+.+...}, at: [<ffffffff8204aefa>] input_ff_upload+0x10a/0xa00
drivers/input/ff-core.c:135
which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135
evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
evdev_mark_dead drivers/input/evdev.c:1345 [inline]
evdev_cleanup+0x26/0x1a0 drivers/input/evdev.c:1354
evdev_disconnect+0x43/0xa0 drivers/input/evdev.c:1446
__input_unregister_device+0x1ec/0x490 drivers/input/input.c:2023
input_unregister_device+0xa6/0xf0 drivers/input/input.c:2197
uinput_destroy_device+0x1cf/0x220 drivers/input/misc/uinput.c:246
uinput_release+0x3a/0x50 drivers/input/misc/uinput.c:658
__fput+0x263/0x700 fs/file_table.c:208
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x10c/0x180 kernel/task_work.c:116
exit_task_work include/linux/task_work.h:21 [inline]
do_exit+0x78d/0x2a50 kernel/exit.c:833
do_group_exit+0x111/0x300 kernel/exit.c:937
SYSC_exit_group kernel/exit.c:948 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:946
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
input_register_device.cold.13+0x39/0x204 drivers/input/input.c:2146
uinput_create_device drivers/input/misc/uinput.c:302 [inline]
uinput_ioctl_handler.isra.4+0x84a/0x1980
drivers/input/misc/uinput.c:817
uinput_compat_ioctl+0x5f/0x80 drivers/input/misc/uinput.c:1001
C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

check_prev_add kernel/locking/lockdep.c:1828 [inline]
check_prevs_add kernel/locking/lockdep.c:1938 [inline]
validate_chain kernel/locking/lockdep.c:2265 [inline]
__lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_interruptible_nested+0xcc/0x9c0 kernel/locking/mutex.c:650
uinput_request_send drivers/input/misc/uinput.c:116 [inline]
uinput_request_submit.part.2+0x29/0x200
drivers/input/misc/uinput.c:147
uinput_request_submit drivers/input/misc/uinput.c:144 [inline]
uinput_dev_upload_effect+0x14a/0x1c0 drivers/input/misc/uinput.c:216
input_ff_upload+0x528/0xa00 drivers/input/ff-core.c:165
evdev_do_ioctl drivers/input/evdev.c:1213 [inline]
evdev_ioctl_handler+0xe62/0x1820 drivers/input/evdev.c:1302
evdev_ioctl_compat+0x29/0x30 drivers/input/evdev.c:1318
C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

other info that might help us debug this:

Chain exists of:
Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ff->mutex);
                               lock(&evdev->mutex);
                               lock(&ff->mutex);
  lock(&newdev->mutex);

*** DEADLOCK ***

2 locks held by syz-executor116/2216:
#0: (&evdev->mutex){+.+...}, at: [<ffffffff820577f2>]
evdev_ioctl_handler+0x112/0x1820 drivers/input/evdev.c:1293
#1: (&ff->mutex){+.+...}, at: [<ffffffff8204aefa>]
input_ff_upload+0x10a/0xa00 drivers/input/ff-core.c:135

stack backtrace:
CPU: 1 PID: 2216 Comm: syz-executor116 Not tainted 4.9.141+ #23
ffff8801c9dc7778 ffffffff81b42e79 ffffffff83cc2500 ffffffff83cc4bd0
ffffffff83cc10c0 ffff8801c9b120b8 ffff8801c9b117c0 ffff8801c9dc77c0
ffffffff813fee40 0000000000000002 00000000c9b12098 0000000000000002