lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20260208194516.172227-1-osama.abdelkader@gmail.com>
Date: Sun,  8 Feb 2026 20:45:15 +0100
From: Osama Abdelkader <osama.abdelkader@...il.com>
To: Dmitry Torokhov <dmitry.torokhov@...il.com>,
	linux-input@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: Osama Abdelkader <osama.abdelkader@...il.com>,
	syzbot+1b327485934adf39955b@...kaller.appspotmail.com
Subject: [PATCH] Input: evdev: fix data race in evdev_read() and evdev_poll()

Protect all reads of client->packet_head with buffer_lock to fix a
KCSAN-reported data race. The race occurs between:

- evdev_pass_values() writing to packet_head (protected by buffer_lock)
- evdev_read() reading packet_head without lock protection
- evdev_poll() reading packet_head without lock protection

The fix ensures all accesses to packet_head are protected by buffer_lock,
matching the existing write-side protection pattern used in
evdev_pass_values() and evdev_fetch_next_event().

Changes:
- evdev_read(): Protect packet_head read in O_NONBLOCK check
- evdev_read(): Protect packet_head read in wait loop condition
- evdev_poll(): Protect packet_head read in poll check

KCSAN report:
BUG: KCSAN: data-race in evdev_pass_values / evdev_read

write to 0xffff888104842008 of 4 bytes by task 8439 on cpu 1:
 __pass_event drivers/input/evdev.c:239 [inline]
 evdev_pass_values+0x387/0x4e0 drivers/input/evdev.c:278
 evdev_events+0x8e/0xd0 drivers/input/evdev.c:306
 input_pass_values+0x123/0x390 drivers/input/input.c:128
 input_event_dispose+0x248/0x320 drivers/input/input.c:342
 input_handle_event+0x9e8/0xa20 drivers/input/input.c:370
 input_inject_event+0xbc/0x120 drivers/input/input.c:424
 evdev_write+0x224/0x2b0 drivers/input/evdev.c:528
 vfs_write+0x269/0x9f0 fs/read_write.c:684
 ksys_write+0xdc/0x1a0 fs/read_write.c:738
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __x64_sys_write+0x40/0x50 fs/read_write.c:746
 x64_sys_call+0x2847/0x3000 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc0/0x2a0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff888104842008 of 4 bytes by task 2991 on cpu 0:
 evdev_read+0x157/0x5e0 drivers/input/evdev.c:572
 vfs_read+0x1ab/0x7f0 fs/read_write.c:570
 ksys_read+0xdc/0x1a0 fs/read_write.c:715
 __do_sys_read fs/read_write.c:724 [inline]
 __se_sys_read fs/read_write.c:722 [inline]
 __x64_sys_read+0x40/0x50 fs/read_write.c:722
 x64_sys_call+0x2889/0x3000 arch/x86/include/generated/asm/syscalls_64.h:1
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc0/0x2a0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x00000002 -> 0x00000004

Reported-by: syzbot+1b327485934adf39955b@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1b327485934adf39955b
Signed-off-by: Osama Abdelkader <osama.abdelkader@...il.com>
---
 drivers/input/evdev.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
index 90ff6be85cf4..eebd59d190f5 100644
--- a/drivers/input/evdev.c
+++ b/drivers/input/evdev.c
@@ -569,9 +569,13 @@ static ssize_t evdev_read(struct file *file, char __user *buffer,
 		if (!evdev->exist || client->revoked)
 			return -ENODEV;
 
+		spin_lock_irq(&client->buffer_lock);
 		if (client->packet_head == client->tail &&
-		    (file->f_flags & O_NONBLOCK))
+		    (file->f_flags & O_NONBLOCK)) {
+			spin_unlock_irq(&client->buffer_lock);
 			return -EAGAIN;
+		}
+		spin_unlock_irq(&client->buffer_lock);
 
 		/*
 		 * count == 0 is special - no IO is done but we check
@@ -593,9 +597,12 @@ static ssize_t evdev_read(struct file *file, char __user *buffer,
 			break;
 
 		if (!(file->f_flags & O_NONBLOCK)) {
-			error = wait_event_interruptible(client->wait,
+			spin_lock_irq(&client->buffer_lock);
+			error = wait_event_interruptible_lock_irq(client->wait,
 					client->packet_head != client->tail ||
-					!evdev->exist || client->revoked);
+					!evdev->exist || client->revoked,
+					client->buffer_lock);
+			spin_unlock_irq(&client->buffer_lock);
 			if (error)
 				return error;
 		}
@@ -610,6 +617,7 @@ static __poll_t evdev_poll(struct file *file, poll_table *wait)
 	struct evdev_client *client = file->private_data;
 	struct evdev *evdev = client->evdev;
 	__poll_t mask;
+	bool have_data;
 
 	poll_wait(file, &client->wait, wait);
 
@@ -618,7 +626,11 @@ static __poll_t evdev_poll(struct file *file, poll_table *wait)
 	else
 		mask = EPOLLHUP | EPOLLERR;
 
-	if (client->packet_head != client->tail)
+	spin_lock_irq(&client->buffer_lock);
+	have_data = client->packet_head != client->tail;
+	spin_unlock_irq(&client->buffer_lock);
+
+	if (have_data)
 		mask |= EPOLLIN | EPOLLRDNORM;
 
 	return mask;
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ