Input: uinput - take event lock when submitting FF request "event"

To avoid racing with FF playback events and corrupting device's event
queue take event_lock spinlock when calling uinput_dev_event() when
submitting a FF upload or erase "event".

Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Link: https://patch.msgid.link/adXkf6MWzlB8LA_s@google.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index a973e82205b5c8e18e6dd8575ff241f1d7dc4063..0e9544a98e672a3ab26e15fda45f47eaaee42fbd 100644 (file)
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -25,8 +25,10 @@
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/fs.h>
+#include <linux/lockdep.h>
 #include <linux/miscdevice.h>
 #include <linux/overflow.h>
+#include <linux/spinlock.h>
 #include <linux/input/mt.h>
 #include "../input-compat.h"
 
@@ -76,6 +78,8 @@ static int uinput_dev_event(struct input_dev *dev,
        struct uinput_device    *udev = input_get_drvdata(dev);
        struct timespec64       ts;
 
+       lockdep_assert_held(&dev->event_lock);
+
        ktime_get_ts64(&ts);
 
        udev->buff[udev->head] = (struct input_event) {
@@ -147,6 +151,7 @@ static void uinput_request_release_slot(struct uinput_device *udev,
 static int uinput_request_send(struct uinput_device *udev,
                               struct uinput_request *request)
 {
+       unsigned long flags;
        int retval = 0;
 
        spin_lock(&udev->state_lock);
@@ -160,7 +165,9 @@ static int uinput_request_send(struct uinput_device *udev,
         * Tell our userspace application about this new request
         * by queueing an input event.
         */
+       spin_lock_irqsave(&udev->dev->event_lock, flags);
        uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
+       spin_unlock_irqrestore(&udev->dev->event_lock, flags);
 
  out:
        spin_unlock(&udev->state_lock);