This is a note to let you know that I've just added the patch titled HID: hidraw: fix data race on device refcount to the 6.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: hid-hidraw-fix-data-race-on-device-refcount.patch and it can be found in the queue-6.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b Mon Sep 17 00:00:00 2001 From: Ludvig Michaelsson <ludvig.michaelsson@xxxxxxxxxx> Date: Wed, 21 Jun 2023 13:17:43 +0200 Subject: HID: hidraw: fix data race on device refcount From: Ludvig Michaelsson <ludvig.michaelsson@xxxxxxxxxx> commit 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b upstream. The hidraw_open() function increments the hidraw device reference counter. The counter has no dedicated synchronization mechanism, resulting in a potential data race when concurrently opening a device. The race is a regression introduced by commit 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem"). While minors_rwsem is intended to protect the hidraw_table itself, by instead acquiring the lock for writing, the reference counter is also protected. This is symmetrical to hidraw_release(). Link: https://github.com/systemd/systemd/issues/27947 Fixes: 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Ludvig Michaelsson <ludvig.michaelsson@xxxxxxxxxx> Link: https://lore.kernel.org/r/20230621-hidraw-race-v1-1-a58e6ac69bab@xxxxxxxxxx Signed-off-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/hid/hidraw.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -272,7 +272,12 @@ static int hidraw_open(struct inode *ino goto out; } - down_read(&minors_rwsem); + /* + * Technically not writing to the hidraw_table but a write lock is + * required to protect the device refcount. This is symmetrical to + * hidraw_release(). + */ + down_write(&minors_rwsem); if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { err = -ENODEV; goto out_unlock; @@ -301,7 +306,7 @@ static int hidraw_open(struct inode *ino spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags); file->private_data = list; out_unlock: - up_read(&minors_rwsem); + up_write(&minors_rwsem); out: if (err < 0) kfree(list); Patches currently in stable-queue which might be from ludvig.michaelsson@xxxxxxxxxx are queue-6.4/hid-hidraw-fix-data-race-on-device-refcount.patch