[bug report] Potential atomicity bug in drivers/input/joydev.c, between joydev_0x_read() and joydev_ioctl_common()
From: Ginger <hidden>
Date: 2026-06-01 07:07:17
Dear Linux kernel maintainers,
My research-based static analyzer found a potential atomicity bug
within the 'drivers/input' subsystem, more specifically, in
'drivers/input/joydev.c'.
This potential issue is present as of git commit
eb3f4b7426cfd2b79d65b7d37155480b32259a11 of the mainline kernel.
Potential concurrent triggering executions:
T0:
joydev_0x_read
--> spin_lock_irq(&input->event_lock);
--> read from joydev->abs
--> spin_unlock_irq(&input->event_lock);
T1:
joydev_ioctl_common
--> case JSIOCSCORR:
--> write to joydev->abs[i] (not locked)
The above trace is meant to demonstrate an illustrative example of the issue:
IMHO, in 'joydev_0x_read', the 'input->event_lock' is adopted to serialize the read
accesses to joydev's fields like 'abs' and 'keypam' or input's fields like 'input->key'.
However, in either case, the write-side accesses to these fields are not similarly
serialized.
Please kindly check at your convenience. Thank you for your time and
consideration.
Best regards,
Ginger
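The pattern the report describes (the read side takes a lock, the write side updates the same array without it) can be reproduced outside the kernel. The following is an added user-space model written for this page, not code from drivers/input/joydev.c or from the reporter: a pthread mutex stands in for input->event_lock, `abs[]` for joydev->abs[], and the names `run_model`, `writer_thread` and `reader_torn_snapshots` are invented for the illustration. The writer rewrites every element of the array as one logical update (all entries equal to the round number); the reader snapshots the array under the lock, as joydev_0x_read() does, and counts snapshots that mix old and new values. With `writer_locks` false the reader's lock excludes nothing, and torn snapshots are possible; with the writer also taking the lock the count is always zero.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NABS   8        /* number of modelled axes (constructed value) */
#define ROUNDS 20000    /* recomputations performed by the writer */

/* Constructed user-space model: lock stands in for input->event_lock,
 * abs[] for joydev->abs[]. writer_locks selects whether the
 * JSIOCSCORR-style writer takes the lock (true) or not (false, as reported). */
struct model {
    pthread_mutex_t lock;
    int abs[NABS];
    bool writer_locks;
};

/* Writer: recomputes every axis as one logical update (all entries equal
 * to the round number). Per-element relaxed atomic stores keep the access
 * well-defined in C11 while still allowing the array update as a whole to
 * be observed half-done. */
static void *writer_thread(void *arg)
{
    struct model *m = arg;

    for (int round = 1; round <= ROUNDS; round++) {
        if (m->writer_locks)
            pthread_mutex_lock(&m->lock);
        for (int i = 0; i < NABS; i++)
            __atomic_store_n(&m->abs[i], round, __ATOMIC_RELAXED);
        if (m->writer_locks)
            pthread_mutex_unlock(&m->lock);
    }
    return NULL;
}

/* Reader: snapshots abs[] under the lock, mirroring joydev_0x_read().
 * Returns how many snapshots mixed values from two different updates. */
static long reader_torn_snapshots(struct model *m, int rounds)
{
    long torn = 0;
    int snap[NABS];

    for (int r = 0; r < rounds; r++) {
        pthread_mutex_lock(&m->lock);
        for (int i = 0; i < NABS; i++)
            snap[i] = __atomic_load_n(&m->abs[i], __ATOMIC_RELAXED);
        pthread_mutex_unlock(&m->lock);

        /* A consistent snapshot has every entry equal to snap[0]. */
        for (int i = 1; i < NABS; i++) {
            if (snap[i] != snap[0]) {
                torn++;
                break;
            }
        }
    }
    return torn;
}

/* Runs one writer against one reader; returns the torn-snapshot count. */
long run_model(bool writer_locks)
{
    struct model m;
    pthread_t t;
    long torn;

    pthread_mutex_init(&m.lock, NULL);
    memset(m.abs, 0, sizeof(m.abs));
    m.writer_locks = writer_locks;

    pthread_create(&t, NULL, writer_thread, &m);
    torn = reader_torn_snapshots(&m, ROUNDS);
    pthread_join(t, NULL);
    pthread_mutex_destroy(&m.lock);
    return torn;
}

int main(void)
{
    printf("writer unlocked: %ld torn snapshots\n", run_model(false));
    printf("writer locked:   %ld torn snapshots\n", run_model(true));
    return 0;
}
```

The unlocked count depends on scheduling and may be zero on a lightly loaded or single-core machine; the point is that nothing prevents it from being non-zero, whereas the locked variant cannot produce a torn snapshot at all. In the kernel the equivalent fix is to take input->event_lock (with IRQs disabled, as the read side does) around the abs[] update in the JSIOCSCORR path, which is for the maintainers to confirm against the actual code.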