Input: uinput - take event lock when submitting FF request "event"

To avoid racing with FF playback events and corrupting device's event queue take event_lock spinlock when calling uinput_dev_event() when submitting a FF upload or erase "event". Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> Link: https://patch.msgid.link/adXkf6MWzlB8LA_s@google.com Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2026-05-13 00:28:54 +02:00 · 2026-04-07 22:16:27 -07:00 · 2026-04-07 22:16:27 -07:00 · ff14dafde1
commit ff14dafde1
parent 4cda78d6f8
1 changed files with 7 additions and 0 deletions
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@ -25,8 +25,10 @@
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/fs.h>
+#include <linux/lockdep.h>
 #include <linux/miscdevice.h>
 #include <linux/overflow.h>
+#include <linux/spinlock.h>
 #include <linux/input/mt.h>
 #include "../input-compat.h"

@ -76,6 +78,8 @@ static int uinput_dev_event(struct input_dev *dev,
 	struct uinput_device	*udev = input_get_drvdata(dev);
 	struct timespec64	ts;

+	lockdep_assert_held(&dev->event_lock);
+
 	ktime_get_ts64(&ts);

 	udev->buff[udev->head] = (struct input_event) {
@ -147,6 +151,7 @@ static void uinput_request_release_slot(struct uinput_device *udev,
 static int uinput_request_send(struct uinput_device *udev,
 			       struct uinput_request *request)
 {
+	unsigned long flags;
 	int retval = 0;

 	spin_lock(&udev->state_lock);
@ -160,7 +165,9 @@ static int uinput_request_send(struct uinput_device *udev,
 	 * Tell our userspace application about this new request
 	 * by queueing an input event.
 	 */
+	spin_lock_irqsave(&udev->dev->event_lock, flags);
 	uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
+	spin_unlock_irqrestore(&udev->dev->event_lock, flags);

 out:
 	spin_unlock(&udev->state_lock);