queue-6.19/input-uinput-take-event-lock-when-submitting-ff-request-event.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From ff14dafde15c11403fac61367a34fea08926e9ee Mon Sep 17 00:00:00 2001
 From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 Date: Tue, 7 Apr 2026 22:16:27 -0700
 Subject: Input: uinput - take event lock when submitting FF request "event"

 From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

 commit ff14dafde15c11403fac61367a34fea08926e9ee upstream.

 To avoid racing with FF playback events and corrupting device's event
 queue take event_lock spinlock when calling uinput_dev_event() when
 submitting a FF upload or erase "event".

 Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
 Link: https://patch.msgid.link/adXkf6MWzlB8LA_s@google.com
 Cc: stable@vger.kernel.org
 Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/input/misc/uinput.c |    7 +++++++
  1 file changed, 7 insertions(+)

 --- a/drivers/input/misc/uinput.c
 +++ b/drivers/input/misc/uinput.c
 @@ -25,8 +25,10 @@
  #include <linux/module.h>
  #include <linux/init.h>
  #include <linux/fs.h>
 +#include <linux/lockdep.h>
  #include <linux/miscdevice.h>
  #include <linux/overflow.h>
 +#include <linux/spinlock.h>
  #include <linux/input/mt.h>
  #include "../input-compat.h"

 @@ -76,6 +78,8 @@ static int uinput_dev_event(struct input
  	struct uinput_device	*udev = input_get_drvdata(dev);
  	struct timespec64	ts;

 +	lockdep_assert_held(&dev->event_lock);
 +
  	ktime_get_ts64(&ts);

  	udev->buff[udev->head] = (struct input_event) {
 @@ -147,6 +151,7 @@ static void uinput_request_release_slot(
  static int uinput_request_send(struct uinput_device *udev,
  			       struct uinput_request *request)
  {
 +	unsigned long flags;
  	int retval = 0;

  	spin_lock(&udev->state_lock);
 @@ -160,7 +165,9 @@ static int uinput_request_send(struct ui
  	 * Tell our userspace application about this new request
  	 * by queueing an input event.
  	 */
 +	spin_lock_irqsave(&udev->dev->event_lock, flags);
  	uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
 +	spin_unlock_irqrestore(&udev->dev->event_lock, flags);

   out:
  	spin_unlock(&udev->state_lock);
	From ff14dafde15c11403fac61367a34fea08926e9ee Mon Sep 17 00:00:00 2001
	From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
	Date: Tue, 7 Apr 2026 22:16:27 -0700
	Subject: Input: uinput - take event lock when submitting FF request "event"

	From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

	commit ff14dafde15c11403fac61367a34fea08926e9ee upstream.

	To avoid racing with FF playback events and corrupting device's event
	queue take event_lock spinlock when calling uinput_dev_event() when
	submitting a FF upload or erase "event".

	Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
	Link: https://patch.msgid.link/adXkf6MWzlB8LA_s@google.com
	Cc: stable@vger.kernel.org
	Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/input/misc/uinput.c \| 7 +++++++
	1 file changed, 7 insertions(+)

	--- a/drivers/input/misc/uinput.c
	+++ b/drivers/input/misc/uinput.c
	@@ -25,8 +25,10 @@
	#include <linux/module.h>
	#include <linux/init.h>
	#include <linux/fs.h>
	+#include <linux/lockdep.h>
	#include <linux/miscdevice.h>
	#include <linux/overflow.h>
	+#include <linux/spinlock.h>
	#include <linux/input/mt.h>
	#include "../input-compat.h"

	@@ -76,6 +78,8 @@ static int uinput_dev_event(struct input
	struct uinput_device *udev = input_get_drvdata(dev);
	struct timespec64 ts;

	+ lockdep_assert_held(&dev->event_lock);
	+
	ktime_get_ts64(&ts);

	udev->buff[udev->head] = (struct input_event) {
	@@ -147,6 +151,7 @@ static void uinput_request_release_slot(
	static int uinput_request_send(struct uinput_device *udev,
	struct uinput_request *request)
	{
	+ unsigned long flags;
	int retval = 0;

	spin_lock(&udev->state_lock);
	@@ -160,7 +165,9 @@ static int uinput_request_send(struct ui
	* Tell our userspace application about this new request
	* by queueing an input event.
	*/
	+ spin_lock_irqsave(&udev->dev->event_lock, flags);
	uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
	+ spin_unlock_irqrestore(&udev->dev->event_lock, flags);

	out:
	spin_unlock(&udev->state_lock);