[syzbot] [kernel?] possible deadlock in assign_fw

Hello,

syzbot found the following issue on:

HEAD commit: e9d22f7a6655 Merge tag 'linux_kselftest-fixes-6.10-rc7' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1471b399980000
kernel config: https://syzkaller.appspot.com/x/.config?x=864caee5f78cab51
dashboard link: https://syzkaller.appspot.com/bug?extid=e70e4c6f6eee43357ba7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c3dd72a93425/disk-e9d22f7a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9d79986da9dc/vmlinux-e9d22f7a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0df271bec574/bzImage-e9d22f7a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 000000000000006e R14: 00007f30c0504038 R15: 00007f30c062fa68
</TASK>
============================================
WARNING: possible recursive locking detected
6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0 Not tainted
--------------------------------------------
syz.1.2110/15436 is trying to acquire lock:
ffffffff8ec73968 (fw_lock){+.+.}-{3:3}, at: assign_fw+0x56/0x890 drivers/base/firmware_loader/main.c:700

but task is already holding lock:
ffffffff8ec73968 (fw_lock){+.+.}-{3:3}, at: device_cache_fw_images drivers/base/firmware_loader/main.c:1483 [inline]
ffffffff8ec73968 (fw_lock){+.+.}-{3:3}, at: fw_pm_notify+0x232/0x2f0 drivers/base/firmware_loader/main.c:1536

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(fw_lock);
lock(fw_lock);

*** DEADLOCK ***

May be due to missing lock nesting notation

5 locks held by syz.1.2110/15436:
#0: ffffffff8eb2f6e8 (misc_mtx){+.+.}-{3:3}, at: misc_open+0x5c/0x390 drivers/char/misc.c:129
#1: ffffffff8e1e7368 (system_transition_mutex){+.+.}-{3:3}, at: lock_system_sleep+0x60/0xa0 kernel/power/main.c:56
#2: ffffffff8e2077f0 ((pm_chain_head).rwsem){++++}-{3:3}, at: blocking_notifier_call_chain_robust+0xac/0x1e0 kernel/notifier.c:352
#3: ffffffff8ec73968 (fw_lock){+.+.}-{3:3}, at: device_cache_fw_images drivers/base/firmware_loader/main.c:1483 [inline]
#3: ffffffff8ec73968 (fw_lock){+.+.}-{3:3}, at: fw_pm_notify+0x232/0x2f0 drivers/base/firmware_loader/main.c:1536
#4: ffffffff8ec6ea08 (dpm_list_mtx){+.+.}-{3:3}, at: device_pm_lock drivers/base/power/main.c:113 [inline]
#4: ffffffff8ec6ea08 (dpm_list_mtx){+.+.}-{3:3}, at: dpm_for_each_dev+0x2b/0xc0 drivers/base/power/main.c:1961

stack backtrace:
CPU: 0 PID: 15436 Comm: syz.1.2110 Not tainted 6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain+0x15d3/0x5900 kernel/locking/lockdep.c:3856
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
assign_fw+0x56/0x890 drivers/base/firmware_loader/main.c:700
_request_firmware+0xd0a/0x12b0 drivers/base/firmware_loader/main.c:917
request_firmware drivers/base/firmware_loader/main.c:963 [inline]
cache_firmware drivers/base/firmware_loader/main.c:1265 [inline]
__async_dev_cache_fw_image+0xe7/0x320 drivers/base/firmware_loader/main.c:1379
async_schedule_node_domain+0xdc/0x110 kernel/async.c:221
async_schedule_domain include/linux/async.h:72 [inline]
dev_cache_fw_image+0x36d/0x3e0 drivers/base/firmware_loader/main.c:1435
dpm_for_each_dev+0x58/0xc0 drivers/base/power/main.c:1963
device_cache_fw_images drivers/base/firmware_loader/main.c:1485 [inline]
fw_pm_notify+0x24a/0x2f0 drivers/base/firmware_loader/main.c:1536
notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
notifier_call_chain_robust kernel/notifier.c:128 [inline]
blocking_notifier_call_chain_robust+0xe8/0x1e0 kernel/notifier.c:353
pm_notifier_call_chain_robust+0x2c/0x60 kernel/power/main.c:102
snapshot_open+0x1a1/0x280 kernel/power/user.c:77
misc_open+0x313/0x390 drivers/char/misc.c:165
chrdev_open+0x5b0/0x630 fs/char_dev.c:414
do_dentry_open+0x970/0x1450 fs/open.c:955
vfs_open+0x3e/0x330 fs/open.c:1086
do_open fs/namei.c:3654 [inline]
path_openat+0x2c01/0x35f0 fs/namei.c:3813
do_filp_open+0x235/0x490 fs/namei.c:3840
do_sys_openat2+0x13e/0x1d0 fs/open.c:1413
do_sys_open fs/open.c:1428 [inline]
__do_sys_openat fs/open.c:1444 [inline]
__se_sys_openat fs/open.c:1439 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1439
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f30c0375bd9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f30c1120048 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f30c0504038 RCX: 00007f30c0375bd9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: ffffffffffffff9c
RBP: 00007f30c11200a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 000000000000006e R14: 00007f30c0504038 R15: 00007f30c062fa68
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot has found a reproducer for the following issue on:

HEAD commit: d5d547aa7b51 Merge tag 'random-6.11-rc6-for-linus' of git:..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1493808f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d76559f775f44ba6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14ee2b7b980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177c7b7b980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/28e0e4e1eeef/disk-d5d547aa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/72b0f7665fc8/vmlinux-d5d547aa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/96e3870a77f6/bzImage-d5d547aa.xz
R13: 0000000000000001 R14: 00746f687370616e R15: 616e732f7665642f
6.11.0-rc5-syzkaller-00081-gd5d547aa7b51 #0 Not tainted
--------------------------------------------
syz-executor300/5260 is trying to acquire lock:
ffffffff8f293008 (fw_lock){+.+.}-{3:3}, at: assign_fw+0x56/0x890 drivers/base/firmware_loader/main.c:700
ffffffff8f293008 (fw_lock){+.+.}-{3:3}, at: device_cache_fw_images drivers/base/firmware_loader/main.c:1519 [inline]
ffffffff8f293008 (fw_lock){+.+.}-{3:3}, at: fw_pm_notify+0x232/0x2f0 drivers/base/firmware_loader/main.c:1572
5 locks held by syz-executor300/5260:
#0: ffffffff8f145568 (misc_mtx){+.+.}-{3:3}, at: misc_open+0x5c/0x390 drivers/char/misc.c:129
#1: ffffffff8e7eb608 (system_transition_mutex){+.+.}-{3:3}, at: lock_system_sleep+0x60/0xa0 kernel/power/main.c:56
#2: ffffffff8e80bab0 ((pm_chain_head).rwsem){++++}-{3:3}, at: blocking_notifier_call_chain_robust+0xac/0x1e0 kernel/notifier.c:352
#3: ffffffff8f293008 (fw_lock){+.+.}-{3:3}, at: device_cache_fw_images drivers/base/firmware_loader/main.c:1519 [inline]
#3: ffffffff8f293008 (fw_lock){+.+.}-{3:3}, at: fw_pm_notify+0x232/0x2f0 drivers/base/firmware_loader/main.c:1572
#4: ffffffff8f28e0a8 (dpm_list_mtx){+.+.}-{3:3}, at: device_pm_lock drivers/base/power/main.c:113 [inline]
#4: ffffffff8f28e0a8 (dpm_list_mtx){+.+.}-{3:3}, at: dpm_for_each_dev+0x2b/0xc0 drivers/base/power/main.c:1961

stack backtrace:
CPU: 0 UID: 0 PID: 5260 Comm: syz-executor300 Not tainted 6.11.0-rc5-syzkaller-00081-gd5d547aa7b51 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
check_deadlock kernel/locking/lockdep.c:3061 [inline]
validate_chain+0x15d3/0x5900 kernel/locking/lockdep.c:3855
__lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
cache_firmware drivers/base/firmware_loader/main.c:1301 [inline]
__async_dev_cache_fw_image+0xe7/0x320 drivers/base/firmware_loader/main.c:1415
dev_cache_fw_image+0x36d/0x3e0 drivers/base/firmware_loader/main.c:1471
dpm_for_each_dev+0x58/0xc0 drivers/base/power/main.c:1963
device_cache_fw_images drivers/base/firmware_loader/main.c:1521 [inline]
fw_pm_notify+0x24a/0x2f0 drivers/base/firmware_loader/main.c:1572
snapshot_open+0x138/0x280 kernel/power/user.c:87
do_dentry_open+0x970/0x1440 fs/open.c:959
vfs_open+0x3e/0x330 fs/open.c:1089
do_open fs/namei.c:3727 [inline]
path_openat+0x2b3e/0x3470 fs/namei.c:3886
do_filp_open+0x235/0x490 fs/namei.c:3913
do_sys_openat2+0x13e/0x1d0 fs/open.c:1416
do_sys_open fs/open.c:1431 [inline]
__do_sys_openat fs/open.c:1447 [inline]
__se_sys_openat fs/open.c:1442 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1442
RIP: 0033:0x7fec1643df29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 1e 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fec163e9208 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fec164c4188 RCX: 00007fec1643df29
RDX: 0000000000000001 RSI: 00000000200000c0 RDI: ffffffffffffff9c
RBP: 00007fec164c4180 R08: 00007fec163e8fa7 R09: 0000000000000038
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fec163e9210
R13: 0000000000000001 R14: 00746f687370616e R15: 616e732f7665642f
</TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot has bisected this issue to:

commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be
Author: Albert van der Linde <[email protected]>
Date: Fri Oct 16 03:13:50 2020 +0000

lib, uaccess: add failure injection to usercopy functions

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=132abd2b980000
start commit: d5d547aa7b51 Merge tag 'random-6.11-rc6-for-linus' of git:..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=10aabd2b980000
console output: https://syzkaller.appspot.com/x/log.txt?x=172abd2b980000
Reported-by: [email protected]
Fixes: 4d0e9df5e43d ("lib, uaccess: add failure injection to usercopy functions")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection