From: Ludvig Michaelsson via B4 Relay
Date: Wed, 21 Jun 2023 13:17:43 +0200
Subject: [PATCH] HID: hidraw: fix data race on device refcount
Message-Id: <20230621-hidraw-race-v1-1-a58e6ac69bab@yubico.com>
To: Jiri Kosina, Benjamin Tissoires, André Almeida
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Ludvig Michaelsson
X-Mailer: b4 0.12.2
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ludvig Michaelsson The hidraw_open() function increments the hidraw device reference counter. The counter has no dedicated synchronization mechanism, resulting in a potential data race when concurrently opening a device. The race is a regression introduced by commit 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem"). While minors_rwsem is intended to protect the hidraw_table itself, by instead acquiring the lock for writing, the reference counter is also protected. This is symmetrical to hidraw_release(). Link: https://github.com/systemd/systemd/issues/27947 Fixes: 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem") Signed-off-by: Ludvig Michaelsson --- drivers/hid/hidraw.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c index 93e62b161501..e63c56a0d57f 100644 --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -272,7 +272,12 @@ static int hidraw_open(struct inode *inode, struct file *file) goto out; } - down_read(&minors_rwsem); + /* + * Technically not writing to the hidraw_table but a write lock is + * required to protect the device refcount. This is symmetrical to + * hidraw_release(). + */ + down_write(&minors_rwsem); if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { err = -ENODEV; goto out_unlock; @@ -301,7 +306,7 @@ static int hidraw_open(struct inode *inode, struct file *file) spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags); file->private_data = list; out_unlock: - up_read(&minors_rwsem); + up_write(&minors_rwsem); out: if (err < 0) kfree(list); --- base-commit: 45a3e24f65e90a047bef86f927ebdc4c710edaa1 change-id: 20230621-hidraw-race-b51b11bf11ed Best regards, -- Ludvig Michaelsson
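
Review bot: down_write(&minors_rwsem) in the first hunk of hidraw_open() serializes every open across all minors, not only opens of the same device, because the semaphore guards the whole hidraw_table. The new comment already concedes that the table is not being written; consider giving the refcount its own synchronization (an atomic counter type or a per-device lock) so the table lock can stay read-held, or extend the comment to say that the global serialization is an accepted cost of matching hidraw_release().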
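
Review bot: up_write(&minors_rwsem) at out_unlock in the second hunk is correct only if every jump to that label happens after the down_write() from the first hunk, and the code between the two hunks is not part of the diff context. Please confirm that no path in that region reaches out_unlock without the write lock held, and that exits taken before the lock keep using out, as the `goto out;` above the down_write() does.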