[bug report] Potential atomicity bug in drivers/input/joydev.c, between joydev_0x_read() and joydev_ioctl

Linux Input/HID development
 help / color / mirror / Atom feed

* [bug report] Potential atomicity bug in drivers/input/joydev.c, between joydev_0x_read() and joydev_ioctl_common()
@ 2026-06-01  7:07 Ginger
  2026-06-01 17:22 ` Dmitry Torokhov
  0 siblings, 1 reply; 3+ messages in thread
From: Ginger @ 2026-06-01  7:07 UTC (permalink / raw)
  To: dmitry.torokhov; +Cc: linux-input

Dear Linux kernel maintainers,

My research-based static analyzer found a potential atomicity bug
within the 'drivers/input' subsystem, more specifically, in
'drivers/input/joydev.c'.

This potential issue is present as of git commit
eb3f4b7426cfd2b79d65b7d37155480b32259a11 of the mainline kernel.

Potential concurrent triggering executions:
T0:
joydev_0x_read
     --> spin_lock_irq(&input->event_lock);
     --> read from joydev->abs
     --> spin_unlock_irq(&input->event_lock);

T1:
joydev_ioctl_common
    --> case JSIOCSCORR:
    --> write to joydev->abs[i] (no unlocked)

The above trace is meant to demonstrate an illustrative example of the issue:
IMHO, in 'joydev_0x_read', the 'input->event_lock' is adopted to
serialize the read
accesses to joydev's fields like 'abs' and 'keypam' or input's fields
like 'input->key.
However, in either case, the write-side accesses to these fields are
not similarly
serialized.

Please kindly check at your convenience. Thank you for your time and
consideration.

Best regards,
Ginger

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [bug report] Potential atomicity bug in drivers/input/joydev.c, between joydev_0x_read() and joydev_ioctl_common()
  2026-06-01  7:07 [bug report] Potential atomicity bug in drivers/input/joydev.c, between joydev_0x_read() and joydev_ioctl_common() Ginger
@ 2026-06-01 17:22 ` Dmitry Torokhov
  2026-06-02  1:50   ` Ginger
  0 siblings, 1 reply; 3+ messages in thread
From: Dmitry Torokhov @ 2026-06-01 17:22 UTC (permalink / raw)
  To: Ginger; +Cc: linux-input

Hi Ginger,

On Mon, Jun 01, 2026 at 03:07:05PM +0800, Ginger wrote:
> Dear Linux kernel maintainers,
> 
> My research-based static analyzer found a potential atomicity bug
> within the 'drivers/input' subsystem, more specifically, in
> 'drivers/input/joydev.c'.
> 
> This potential issue is present as of git commit
> eb3f4b7426cfd2b79d65b7d37155480b32259a11 of the mainline kernel.
> 
> Potential concurrent triggering executions:
> T0:
> joydev_0x_read
>      --> spin_lock_irq(&input->event_lock);
>      --> read from joydev->abs
>      --> spin_unlock_irq(&input->event_lock);
> 
> T1:
> joydev_ioctl_common
>     --> case JSIOCSCORR:
>     --> write to joydev->abs[i] (no unlocked)
> 
> The above trace is meant to demonstrate an illustrative example of the issue:
> IMHO, in 'joydev_0x_read', the 'input->event_lock' is adopted to
> serialize the read
> accesses to joydev's fields like 'abs' and 'keypam' or input's fields
> like 'input->key.
> However, in either case, the write-side accesses to these fields are
> not similarly
> serialized.

Yes, there is lack of locking in joydev. Some of this might be OK (if
we prevent tearing on reads/writes) since the data may actually be
obsolete immediately after we read it, while in many places we
actually do need consistency, especially when we adjust key and axis
maps.

Thanks.

-- 
Dmitry

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [bug report] Potential atomicity bug in drivers/input/joydev.c, between joydev_0x_read() and joydev_ioctl_common()
  2026-06-01 17:22 ` Dmitry Torokhov
@ 2026-06-02  1:50   ` Ginger
  0 siblings, 0 replies; 3+ messages in thread
From: Ginger @ 2026-06-02  1:50 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: linux-input

Hi Dmitry,

Many thanks for the clarification.

In that case, may I kindly ask if it is necessary to fix joydev with locks,
or we can leave it this way and let it just tolerate some inconsistencies?

Regards,
Ginger

On Tue, Jun 2, 2026 at 1:22 AM Dmitry Torokhov
<dmitry.torokhov@gmail.com> wrote:
>
> Hi Ginger,
>
> On Mon, Jun 01, 2026 at 03:07:05PM +0800, Ginger wrote:
> > Dear Linux kernel maintainers,
> >
> > My research-based static analyzer found a potential atomicity bug
> > within the 'drivers/input' subsystem, more specifically, in
> > 'drivers/input/joydev.c'.
> >
> > This potential issue is present as of git commit
> > eb3f4b7426cfd2b79d65b7d37155480b32259a11 of the mainline kernel.
> >
> > Potential concurrent triggering executions:
> > T0:
> > joydev_0x_read
> >      --> spin_lock_irq(&input->event_lock);
> >      --> read from joydev->abs
> >      --> spin_unlock_irq(&input->event_lock);
> >
> > T1:
> > joydev_ioctl_common
> >     --> case JSIOCSCORR:
> >     --> write to joydev->abs[i] (no unlocked)
> >
> > The above trace is meant to demonstrate an illustrative example of the issue:
> > IMHO, in 'joydev_0x_read', the 'input->event_lock' is adopted to
> > serialize the read
> > accesses to joydev's fields like 'abs' and 'keypam' or input's fields
> > like 'input->key.
> > However, in either case, the write-side accesses to these fields are
> > not similarly
> > serialized.
>
> Yes, there is lack of locking in joydev. Some of this might be OK (if
> we prevent tearing on reads/writes) since the data may actually be
> obsolete immediately after we read it, while in many places we
> actually do need consistency, especially when we adjust key and axis
> maps.
>
> Thanks.
>
> --
> Dmitry

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-02  1:50 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-01  7:07 [bug report] Potential atomicity bug in drivers/input/joydev.c, between joydev_0x_read() and joydev_ioctl_common() Ginger
2026-06-01 17:22 ` Dmitry Torokhov
2026-06-02  1:50   ` Ginger

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox