* [PATCH] HID: hidraw: fix data race on device refcount
@ 2023-06-21 11:17 Ludvig Michaelsson via B4 Relay
2023-06-21 15:55 ` Benjamin Tissoires
0 siblings, 1 reply; 2+ messages in thread
From: Ludvig Michaelsson via B4 Relay @ 2023-06-21 11:17 UTC (permalink / raw)
To: Jiri Kosina, Benjamin Tissoires, André Almeida
Cc: linux-input, linux-kernel, Ludvig Michaelsson
From: Ludvig Michaelsson <ludvig.michaelsson@yubico.com>
The hidraw_open() function increments the hidraw device reference
counter. The counter has no dedicated synchronization mechanism,
resulting in a potential data race when concurrently opening a device.
The race is a regression introduced by commit 8590222e4b02 ("HID:
hidraw: Replace hidraw device table mutex with a rwsem"). While
minors_rwsem is intended to protect the hidraw_table itself, by instead
acquiring the lock for writing, the reference counter is also protected.
This is symmetrical to hidraw_release().
Link: https://github.com/systemd/systemd/issues/27947
Fixes: 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem")
Signed-off-by: Ludvig Michaelsson <ludvig.michaelsson@yubico.com>
---
drivers/hid/hidraw.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
index 93e62b161501..e63c56a0d57f 100644
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -272,7 +272,12 @@ static int hidraw_open(struct inode *inode, struct file *file)
goto out;
}
- down_read(&minors_rwsem);
+ /*
+ * Technically not writing to the hidraw_table but a write lock is
+ * required to protect the device refcount. This is symmetrical to
+ * hidraw_release().
+ */
+ down_write(&minors_rwsem);
if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
err = -ENODEV;
goto out_unlock;
@@ -301,7 +306,7 @@ static int hidraw_open(struct inode *inode, struct file *file)
spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);
file->private_data = list;
out_unlock:
- up_read(&minors_rwsem);
+ up_write(&minors_rwsem);
out:
if (err < 0)
kfree(list);
---
base-commit: 45a3e24f65e90a047bef86f927ebdc4c710edaa1
change-id: 20230621-hidraw-race-b51b11bf11ed
Best regards,
--
Ludvig Michaelsson <ludvig.michaelsson@yubico.com>
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] HID: hidraw: fix data race on device refcount
2023-06-21 11:17 [PATCH] HID: hidraw: fix data race on device refcount Ludvig Michaelsson via B4 Relay
@ 2023-06-21 15:55 ` Benjamin Tissoires
0 siblings, 0 replies; 2+ messages in thread
From: Benjamin Tissoires @ 2023-06-21 15:55 UTC (permalink / raw)
To: Jiri Kosina, André Almeida, Ludvig Michaelsson
Cc: Benjamin Tissoires, linux-input, linux-kernel
On Wed, 21 Jun 2023 13:17:43 +0200, Ludvig Michaelsson wrote:
> The hidraw_open() function increments the hidraw device reference
> counter. The counter has no dedicated synchronization mechanism,
> resulting in a potential data race when concurrently opening a device.
>
> The race is a regression introduced by commit 8590222e4b02 ("HID:
> hidraw: Replace hidraw device table mutex with a rwsem"). While
> minors_rwsem is intended to protect the hidraw_table itself, by instead
> acquiring the lock for writing, the reference counter is also protected.
> This is symmetrical to hidraw_release().
>
> [...]
Added stable@ cc tags and
Applied to hid/hid.git (for-6.4/upstream-fixes), thanks!
[1/1] HID: hidraw: fix data race on device refcount
https://git.kernel.org/hid/hid/c/944ee77dc6ec
Cheers,
--
Benjamin Tissoires <benjamin.tissoires@redhat.com>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-06-21 15:56 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-06-21 11:17 [PATCH] HID: hidraw: fix data race on device refcount Ludvig Michaelsson via B4 Relay
2023-06-21 15:55 ` Benjamin Tissoires
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).