[syzbot] [input?] [ext4?] possible deadlock in uinput_request_submit
16 views
Skip to first unread message
syzbot
Apr 26, 2024, 12:42:27 AMApr 26
to dmitry....@gmail.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 7b4f2bc91c15 Add linux-next specific files for 20240418
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12a07f67180000
kernel config: https://syzkaller.appspot.com/x/.config?x=ae644165a243bf62
dashboard link: https://syzkaller.appspot.com/bug?extid=159077b1355b8cd72757
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1273c763180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b59430980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/524a18e6c5be/disk-7b4f2bc9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/029f1b84d653/vmlinux-7b4f2bc9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c02d1542e886/bzImage-7b4f2bc9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/95b3c106e235/mount_6.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+159077...@syzkaller.appspotmail.com
WARNING: possible circular locking dependency detected
6.9.0-rc4-next-20240418-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor109/5116 is trying to acquire lock:
ffff8880117e3870 (&newdev->mutex){+.+.}-{3:3}, at: uinput_request_send drivers/input/misc/uinput.c:151 [inline]
ffff8880117e3870 (&newdev->mutex){+.+.}-{3:3}, at: uinput_request_submit+0x19c/0x740 drivers/input/misc/uinput.c:182
but task is already holding lock:
ffff888015fb60b0
(&ff->mutex
){+.+.}-{3:3}
, at: input_ff_upload+0x3e4/0xb00 drivers/input/ff-core.c:120
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (
&ff->mutex){+.+.}-{3:3}
:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
input_ff_flush+0x5e/0x140 drivers/input/ff-core.c:240
input_flush_device+0x9c/0xc0 drivers/input/input.c:686
evdev_release+0xf9/0x7d0 drivers/input/evdev.c:444
__fput+0x406/0x8b0 fs/file_table.c:422
__do_sys_close fs/open.c:1555 [inline]
__se_sys_close fs/open.c:1540 [inline]
__x64_sys_close+0x7f/0x110 fs/open.c:1540
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #2 (
&dev->mutex
#2){+.+.}-{3:3}
:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
input_register_handle+0x6d/0x3b0 drivers/input/input.c:2555
kbd_connect+0xbf/0x130 drivers/tty/vt/keyboard.c:1589
input_attach_handler drivers/input/input.c:1064 [inline]
input_register_device+0xcfa/0x1090 drivers/input/input.c:2396
acpi_button_add+0x6c6/0xb90 drivers/acpi/button.c:604
acpi_device_probe+0xa5/0x2b0 drivers/acpi/bus.c:1063
really_probe+0x2b8/0xad0 drivers/base/dd.c:656
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x430 drivers/base/dd.c:828
__driver_attach+0x45f/0x710 drivers/base/dd.c:1214
bus_for_each_dev+0x239/0x2b0 drivers/base/bus.c:368
bus_add_driver+0x346/0x670 drivers/base/bus.c:673
driver_register+0x23a/0x320 drivers/base/driver.c:246
do_one_initcall+0x248/0x880 init/main.c:1263
do_initcall_level+0x157/0x210 init/main.c:1325
do_initcalls+0x3f/0x80 init/main.c:1341
kernel_init_freeable+0x435/0x5d0 init/main.c:1574
kernel_init+0x1d/0x2b0 init/main.c:1463
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #1 (
input_mutex){+.+.}-{3:3}
:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
input_register_device+0xae5/0x1090 drivers/input/input.c:2389
uinput_create_device+0x40e/0x630 drivers/input/misc/uinput.c:365
uinput_ioctl_handler+0x48b/0x1770 drivers/input/misc/uinput.c:904
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0
(&newdev->mutex
){+.+.}-{3:3}
:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
uinput_request_send drivers/input/misc/uinput.c:151 [inline]
uinput_request_submit+0x19c/0x740 drivers/input/misc/uinput.c:182
uinput_dev_upload_effect+0x199/0x240 drivers/input/misc/uinput.c:257
input_ff_upload+0x5df/0xb00 drivers/input/ff-core.c:150
evdev_do_ioctl drivers/input/evdev.c:1183 [inline]
evdev_ioctl_handler+0x17d0/0x21b0 drivers/input/evdev.c:1272
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&newdev->mutex
--> &dev->mutex
#2 -->
&ff->mutex
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(
&ff->mutex);
lock(&dev->mutex
#2);
lock(&ff->mutex
);
lock(&newdev->mutex
);
*** DEADLOCK ***
2 locks held by syz-executor109/5116:
#0: ffff88801cac6110
(&evdev->mutex
){+.+.}-{3:3}
, at: evdev_ioctl_handler+0x125/0x21b0 drivers/input/evdev.c:1263
#1: ffff888015fb60b0
(&ff->mutex
){+.+.}-{3:3}
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 7b4f2bc91c15 Add linux-next specific files for 20240418
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12a07f67180000
kernel config: https://syzkaller.appspot.com/x/.config?x=ae644165a243bf62
dashboard link: https://syzkaller.appspot.com/bug?extid=159077b1355b8cd72757
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1273c763180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b59430980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/524a18e6c5be/disk-7b4f2bc9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/029f1b84d653/vmlinux-7b4f2bc9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c02d1542e886/bzImage-7b4f2bc9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/95b3c106e235/mount_6.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+159077...@syzkaller.appspotmail.com
WARNING: possible circular locking dependency detected
6.9.0-rc4-next-20240418-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor109/5116 is trying to acquire lock:
ffff8880117e3870 (&newdev->mutex){+.+.}-{3:3}, at: uinput_request_send drivers/input/misc/uinput.c:151 [inline]
ffff8880117e3870 (&newdev->mutex){+.+.}-{3:3}, at: uinput_request_submit+0x19c/0x740 drivers/input/misc/uinput.c:182
but task is already holding lock:
ffff888015fb60b0
(&ff->mutex
){+.+.}-{3:3}
, at: input_ff_upload+0x3e4/0xb00 drivers/input/ff-core.c:120
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (
&ff->mutex){+.+.}-{3:3}
:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
input_ff_flush+0x5e/0x140 drivers/input/ff-core.c:240
input_flush_device+0x9c/0xc0 drivers/input/input.c:686
evdev_release+0xf9/0x7d0 drivers/input/evdev.c:444
__fput+0x406/0x8b0 fs/file_table.c:422
__do_sys_close fs/open.c:1555 [inline]
__se_sys_close fs/open.c:1540 [inline]
__x64_sys_close+0x7f/0x110 fs/open.c:1540
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #2 (
&dev->mutex
#2){+.+.}-{3:3}
:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
input_register_handle+0x6d/0x3b0 drivers/input/input.c:2555
kbd_connect+0xbf/0x130 drivers/tty/vt/keyboard.c:1589
input_attach_handler drivers/input/input.c:1064 [inline]
input_register_device+0xcfa/0x1090 drivers/input/input.c:2396
acpi_button_add+0x6c6/0xb90 drivers/acpi/button.c:604
acpi_device_probe+0xa5/0x2b0 drivers/acpi/bus.c:1063
really_probe+0x2b8/0xad0 drivers/base/dd.c:656
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x430 drivers/base/dd.c:828
__driver_attach+0x45f/0x710 drivers/base/dd.c:1214
bus_for_each_dev+0x239/0x2b0 drivers/base/bus.c:368
bus_add_driver+0x346/0x670 drivers/base/bus.c:673
driver_register+0x23a/0x320 drivers/base/driver.c:246
do_one_initcall+0x248/0x880 init/main.c:1263
do_initcall_level+0x157/0x210 init/main.c:1325
do_initcalls+0x3f/0x80 init/main.c:1341
kernel_init_freeable+0x435/0x5d0 init/main.c:1574
kernel_init+0x1d/0x2b0 init/main.c:1463
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #1 (
input_mutex){+.+.}-{3:3}
:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
input_register_device+0xae5/0x1090 drivers/input/input.c:2389
uinput_create_device+0x40e/0x630 drivers/input/misc/uinput.c:365
uinput_ioctl_handler+0x48b/0x1770 drivers/input/misc/uinput.c:904
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0
(&newdev->mutex
){+.+.}-{3:3}
:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
uinput_request_send drivers/input/misc/uinput.c:151 [inline]
uinput_request_submit+0x19c/0x740 drivers/input/misc/uinput.c:182
uinput_dev_upload_effect+0x199/0x240 drivers/input/misc/uinput.c:257
input_ff_upload+0x5df/0xb00 drivers/input/ff-core.c:150
evdev_do_ioctl drivers/input/evdev.c:1183 [inline]
evdev_ioctl_handler+0x17d0/0x21b0 drivers/input/evdev.c:1272
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&newdev->mutex
--> &dev->mutex
#2 -->
&ff->mutex
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(
&ff->mutex);
lock(&dev->mutex
#2);
lock(&ff->mutex
);
lock(&newdev->mutex
);
*** DEADLOCK ***
2 locks held by syz-executor109/5116:
#0: ffff88801cac6110
(&evdev->mutex
){+.+.}-{3:3}
, at: evdev_ioctl_handler+0x125/0x21b0 drivers/input/evdev.c:1263
#1: ffff888015fb60b0
(&ff->mutex
){+.+.}-{3:3}
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hillf Danton
Apr 26, 2024, 7:02:21 AMApr 26
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 25 Apr 2024 21:42:26 -0700
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 7b4f2bc91c15
--- x/drivers/input/misc/uinput.c
+++ y/drivers/input/misc/uinput.c
@@ -311,8 +311,11 @@ static int uinput_create_device(struct u
struct input_dev *dev = udev->dev;
int error, nslot;
+ lockdep_assert_held(&udev->mutex);
+
if (udev->state != UIST_SETUP_COMPLETE) {
printk(KERN_DEBUG "%s: write device info first\n", UINPUT_NAME);
+ mutex_unlock(&udev->mutex);
return -EINVAL;
}
@@ -362,9 +365,12 @@ static int uinput_create_device(struct u
input_set_drvdata(udev->dev, udev);
+ mutex_unlock(&udev->mutex);
error = input_register_device(udev->dev);
- if (error)
+ if (error) {
+ mutex_lock(&udev->mutex);
goto fail2;
+ }
udev->state = UIST_CREATED;
@@ -372,6 +378,7 @@ static int uinput_create_device(struct u
fail2: input_ff_destroy(dev);
fail1: uinput_destroy_device(udev);
+ mutex_unlock(&udev->mutex);
return error;
}
@@ -901,8 +908,7 @@ static long uinput_ioctl_handler(struct
goto out;
case UI_DEV_CREATE:
- retval = uinput_create_device(udev);
- goto out;
+ return uinput_create_device(udev);
case UI_DEV_DESTROY:
uinput_destroy_device(udev);
--
> syzbot found the following issue on:
>
> HEAD commit: 7b4f2bc91c15 Add linux-next specific files for 20240418
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b59430980000
>
> HEAD commit: 7b4f2bc91c15 Add linux-next specific files for 20240418
> git tree: linux-next
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 7b4f2bc91c15
--- x/drivers/input/misc/uinput.c
+++ y/drivers/input/misc/uinput.c
@@ -311,8 +311,11 @@ static int uinput_create_device(struct u
struct input_dev *dev = udev->dev;
int error, nslot;
+ lockdep_assert_held(&udev->mutex);
+
if (udev->state != UIST_SETUP_COMPLETE) {
printk(KERN_DEBUG "%s: write device info first\n", UINPUT_NAME);
+ mutex_unlock(&udev->mutex);
return -EINVAL;
}
@@ -362,9 +365,12 @@ static int uinput_create_device(struct u
input_set_drvdata(udev->dev, udev);
+ mutex_unlock(&udev->mutex);
error = input_register_device(udev->dev);
- if (error)
+ if (error) {
+ mutex_lock(&udev->mutex);
goto fail2;
+ }
udev->state = UIST_CREATED;
@@ -372,6 +378,7 @@ static int uinput_create_device(struct u
fail2: input_ff_destroy(dev);
fail1: uinput_destroy_device(udev);
+ mutex_unlock(&udev->mutex);
return error;
}
@@ -901,8 +908,7 @@ static long uinput_ioctl_handler(struct
goto out;
case UI_DEV_CREATE:
- retval = uinput_create_device(udev);
- goto out;
+ return uinput_create_device(udev);
case UI_DEV_DESTROY:
uinput_destroy_device(udev);
--
syzbot
Apr 26, 2024, 9:12:04 AMApr 26
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: trying to register non-static key in uinput_destroy_device
input: syz1 as /devices/virtual/input/input6070
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 0 PID: 21743 Comm: syz-executor144 Not tainted 6.9.0-rc4-next-20240418-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
assign_lock_key+0x238/0x270 kernel/locking/lockdep.c:976
register_lock_class+0x1cf/0x980 kernel/locking/lockdep.c:1289
__lock_acquire+0xda/0x1fd0 kernel/locking/lockdep.c:5014
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
complete_with_flags kernel/sched/completion.c:20 [inline]
complete+0x28/0x1c0 kernel/sched/completion.c:47
uinput_flush_requests drivers/input/misc/uinput.c:213 [inline]
uinput_destroy_device+0x129/0x8f0 drivers/input/misc/uinput.c:298
uinput_release+0x3e/0x50 drivers/input/misc/uinput.c:751
__fput+0x406/0x8b0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa1b/0x27e0 kernel/exit.c:877
do_group_exit+0x207/0x2c0 kernel/exit.c:1026
__do_sys_exit_group kernel/exit.c:1037 [inline]
__se_sys_exit_group kernel/exit.c:1035 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035
Code: Unable to access opcode bytes at 0x7fb846ea660f.
RSP: 002b:00007fff8074c3d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb846ea6639
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007fb846f222d0 R08: ffffffffffffffb8 R09: 000000000000046f
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb846f222d0
R13: 0000000000000000 R14: 00007fb846f23040 R15: 00007fb846e74780
</TASK>
BUG: unable to handle page fault for address: fffffffffffffff8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD e136067 P4D e136067 PUD e138067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 21743 Comm: syz-executor144 Not tainted 6.9.0-rc4-next-20240418-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete_with_flags kernel/sched/completion.c:24 [inline]
RIP: 0010:complete+0x9b/0x1c0 kernel/sched/completion.c:47
Code: df e8 39 fd 8b 00 4c 8b 23 49 39 dc 0f 84 e2 00 00 00 49 8d 7c 24 f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 15 fd 8b 00 <49> 8b 7c 24 f8 be 03 00 00 00 31 d2 e8 04 e5 f6 ff 4c 89 e7 e8 3c
RSP: 0018:ffffc9000a91fb30 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: ffffc9000b477af8 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: 1ffff9200168ef56 R08: 0000000000000003 R09: fffff52001523f40
R10: dffffc0000000000 R11: fffff52001523f40 R12: 0000000000000000
R13: 0000000000000246 R14: dffffc0000000000 R15: ffffc9000b477ab8
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 0000000024bc2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
uinput_flush_requests drivers/input/misc/uinput.c:213 [inline]
uinput_destroy_device+0x129/0x8f0 drivers/input/misc/uinput.c:298
uinput_release+0x3e/0x50 drivers/input/misc/uinput.c:751
__fput+0x406/0x8b0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa1b/0x27e0 kernel/exit.c:877
do_group_exit+0x207/0x2c0 kernel/exit.c:1026
__do_sys_exit_group kernel/exit.c:1037 [inline]
__se_sys_exit_group kernel/exit.c:1035 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035
Code: Unable to access opcode bytes at 0x7fb846ea660f.
RSP: 002b:00007fff8074c3d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb846ea6639
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007fb846f222d0 R08: ffffffffffffffb8 R09: 000000000000046f
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb846f222d0
R13: 0000000000000000 R14: 00007fb846f23040 R15: 00007fb846e74780
</TASK>
Modules linked in:
CR2: fffffffffffffff8
---[ end trace 0000000000000000 ]---
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete_with_flags kernel/sched/completion.c:24 [inline]
RIP: 0010:complete+0x9b/0x1c0 kernel/sched/completion.c:47
Code: df e8 39 fd 8b 00 4c 8b 23 49 39 dc 0f 84 e2 00 00 00 49 8d 7c 24 f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 15 fd 8b 00 <49> 8b 7c 24 f8 be 03 00 00 00 31 d2 e8 04 e5 f6 ff 4c 89 e7 e8 3c
RSP: 0018:ffffc9000a91fb30 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: ffffc9000b477af8 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: 1ffff9200168ef56 R08: 0000000000000003 R09: fffff52001523f40
R10: dffffc0000000000 R11: fffff52001523f40 R12: 0000000000000000
R13: 0000000000000246 R14: dffffc0000000000 R15: ffffc9000b477ab8
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 0000000024bc2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df e8 fucomip %st(0),%st
2: 39 fd cmp %edi,%ebp
4: 8b 00 mov (%rax),%eax
6: 4c 8b 23 mov (%rbx),%r12
9: 49 39 dc cmp %rbx,%r12
c: 0f 84 e2 00 00 00 je 0xf4
12: 49 8d 7c 24 f8 lea -0x8(%r12),%rdi
17: 48 89 f8 mov %rdi,%rax
1a: 48 c1 e8 03 shr $0x3,%rax
1e: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
23: 74 05 je 0x2a
25: e8 15 fd 8b 00 call 0x8bfd3f
* 2a: 49 8b 7c 24 f8 mov -0x8(%r12),%rdi <-- trapping instruction
2f: be 03 00 00 00 mov $0x3,%esi
34: 31 d2 xor %edx,%edx
36: e8 04 e5 f6 ff call 0xfff6e53f
3b: 4c 89 e7 mov %r12,%rdi
3e: e8 .byte 0xe8
3f: 3c .byte 0x3c
Tested on:
commit: 7b4f2bc9 Add linux-next specific files for 20240418
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14aa5b27180000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: trying to register non-static key in uinput_destroy_device
input: syz1 as /devices/virtual/input/input6070
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 0 PID: 21743 Comm: syz-executor144 Not tainted 6.9.0-rc4-next-20240418-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
assign_lock_key+0x238/0x270 kernel/locking/lockdep.c:976
register_lock_class+0x1cf/0x980 kernel/locking/lockdep.c:1289
__lock_acquire+0xda/0x1fd0 kernel/locking/lockdep.c:5014
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
complete_with_flags kernel/sched/completion.c:20 [inline]
complete+0x28/0x1c0 kernel/sched/completion.c:47
uinput_flush_requests drivers/input/misc/uinput.c:213 [inline]
uinput_destroy_device+0x129/0x8f0 drivers/input/misc/uinput.c:298
uinput_release+0x3e/0x50 drivers/input/misc/uinput.c:751
__fput+0x406/0x8b0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa1b/0x27e0 kernel/exit.c:877
do_group_exit+0x207/0x2c0 kernel/exit.c:1026
__do_sys_exit_group kernel/exit.c:1037 [inline]
__se_sys_exit_group kernel/exit.c:1035 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb846ea6639
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: Unable to access opcode bytes at 0x7fb846ea660f.
RSP: 002b:00007fff8074c3d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb846ea6639
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007fb846f222d0 R08: ffffffffffffffb8 R09: 000000000000046f
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb846f222d0
R13: 0000000000000000 R14: 00007fb846f23040 R15: 00007fb846e74780
</TASK>
BUG: unable to handle page fault for address: fffffffffffffff8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD e136067 P4D e136067 PUD e138067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 21743 Comm: syz-executor144 Not tainted 6.9.0-rc4-next-20240418-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete_with_flags kernel/sched/completion.c:24 [inline]
RIP: 0010:complete+0x9b/0x1c0 kernel/sched/completion.c:47
Code: df e8 39 fd 8b 00 4c 8b 23 49 39 dc 0f 84 e2 00 00 00 49 8d 7c 24 f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 15 fd 8b 00 <49> 8b 7c 24 f8 be 03 00 00 00 31 d2 e8 04 e5 f6 ff 4c 89 e7 e8 3c
RSP: 0018:ffffc9000a91fb30 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: ffffc9000b477af8 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: 1ffff9200168ef56 R08: 0000000000000003 R09: fffff52001523f40
R10: dffffc0000000000 R11: fffff52001523f40 R12: 0000000000000000
R13: 0000000000000246 R14: dffffc0000000000 R15: ffffc9000b477ab8
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 0000000024bc2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
uinput_flush_requests drivers/input/misc/uinput.c:213 [inline]
uinput_destroy_device+0x129/0x8f0 drivers/input/misc/uinput.c:298
uinput_release+0x3e/0x50 drivers/input/misc/uinput.c:751
__fput+0x406/0x8b0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa1b/0x27e0 kernel/exit.c:877
do_group_exit+0x207/0x2c0 kernel/exit.c:1026
__do_sys_exit_group kernel/exit.c:1037 [inline]
__se_sys_exit_group kernel/exit.c:1035 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb846ea6639
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: Unable to access opcode bytes at 0x7fb846ea660f.
RSP: 002b:00007fff8074c3d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb846ea6639
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007fb846f222d0 R08: ffffffffffffffb8 R09: 000000000000046f
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb846f222d0
R13: 0000000000000000 R14: 00007fb846f23040 R15: 00007fb846e74780
</TASK>
Modules linked in:
CR2: fffffffffffffff8
---[ end trace 0000000000000000 ]---
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete_with_flags kernel/sched/completion.c:24 [inline]
RIP: 0010:complete+0x9b/0x1c0 kernel/sched/completion.c:47
Code: df e8 39 fd 8b 00 4c 8b 23 49 39 dc 0f 84 e2 00 00 00 49 8d 7c 24 f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 15 fd 8b 00 <49> 8b 7c 24 f8 be 03 00 00 00 31 d2 e8 04 e5 f6 ff 4c 89 e7 e8 3c
RSP: 0018:ffffc9000a91fb30 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: ffffc9000b477af8 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: 1ffff9200168ef56 R08: 0000000000000003 R09: fffff52001523f40
R10: dffffc0000000000 R11: fffff52001523f40 R12: 0000000000000000
R13: 0000000000000246 R14: dffffc0000000000 R15: ffffc9000b477ab8
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 0000000024bc2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df e8 fucomip %st(0),%st
2: 39 fd cmp %edi,%ebp
4: 8b 00 mov (%rax),%eax
6: 4c 8b 23 mov (%rbx),%r12
9: 49 39 dc cmp %rbx,%r12
c: 0f 84 e2 00 00 00 je 0xf4
12: 49 8d 7c 24 f8 lea -0x8(%r12),%rdi
17: 48 89 f8 mov %rdi,%rax
1a: 48 c1 e8 03 shr $0x3,%rax
1e: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
23: 74 05 je 0x2a
25: e8 15 fd 8b 00 call 0x8bfd3f
* 2a: 49 8b 7c 24 f8 mov -0x8(%r12),%rdi <-- trapping instruction
2f: be 03 00 00 00 mov $0x3,%esi
34: 31 d2 xor %edx,%edx
36: e8 04 e5 f6 ff call 0xfff6e53f
3b: 4c 89 e7 mov %r12,%rdi
3e: e8 .byte 0xe8
3f: 3c .byte 0x3c
Tested on:
commit: 7b4f2bc9 Add linux-next specific files for 20240418
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14aa5b27180000
kernel config: https://syzkaller.appspot.com/x/.config?x=ae644165a243bf62
dashboard link: https://syzkaller.appspot.com/bug?extid=159077b1355b8cd72757
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=179fc530980000
dashboard link: https://syzkaller.appspot.com/bug?extid=159077b1355b8cd72757
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Hillf Danton
Apr 26, 2024, 10:35:44 AMApr 26
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 25 Apr 2024 21:42:26 -0700
> syzbot found the following issue on:
>
> HEAD commit: 7b4f2bc91c15 Add linux-next specific files for 20240418
> git tree: linux-next
>
> HEAD commit: 7b4f2bc91c15 Add linux-next specific files for 20240418
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b59430980000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 7b4f2bc91c15
--- x/drivers/input/misc/uinput.c
+++ y/drivers/input/misc/uinput.c
@@ -157,8 +157,6 @@ static int uinput_request_send(struct ui
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 7b4f2bc91c15
--- x/drivers/input/misc/uinput.c
+++ y/drivers/input/misc/uinput.c
goto out;
}
- init_completion(&request->done);
-
/*
* Tell our userspace application about this new request
* by queueing an input event.
@@ -175,6 +173,8 @@ static int uinput_request_submit(struct
{
int retval;
+ init_completion(&request->done);
+
retval = uinput_request_reserve_slot(udev, request);
if (retval)
return retval;
syzbot
Apr 26, 2024, 11:03:05 AMApr 26
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+159077...@syzkaller.appspotmail.com
Tested on:
commit: 7b4f2bc9 Add linux-next specific files for 20240418
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17674890980000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+159077...@syzkaller.appspotmail.com
Tested on:
commit: 7b4f2bc9 Add linux-next specific files for 20240418
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ae644165a243bf62
dashboard link: https://syzkaller.appspot.com/bug?extid=159077b1355b8cd72757
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10d6cb80980000
dashboard link: https://syzkaller.appspot.com/bug?extid=159077b1355b8cd72757
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages