summaryrefslogtreecommitdiff
path: root/rust/kernel/interop/git@git.tavy.me:linux-stable.git
diff options
context:
space:
mode:
authorBenoît Sevens <bsevens@google.com>2026-04-01 14:48:11 +0000
committerJiri Kosina <jkosina@suse.com>2026-04-09 19:25:07 +0200
commite2aaf2d3ad92ac4a8afa6b69ad4c38e7747d3d6e (patch)
tree8973c1a2758bdcf703f2644673426e07a9c2cd96 /rust/kernel/interop/git@git.tavy.me:linux-stable.git
parente93faaca84b73431ccef029b2c8e902e5be83006 (diff)
HID: logitech-hidpp: fix race condition when accessing stale stack pointer
The driver uses hidpp->send_receive_buf to point to a stack-allocated buffer in the synchronous command path (__do_hidpp_send_message_sync). However, this pointer is not cleared when the function returns. If an event is processed (e.g. by a different thread) while the send_mutex is held by a new command, but before that command has updated send_receive_buf, the handler (hidpp_raw_hidpp_event) will observe that the mutex is locked and dereference the stale pointer. This results in an out-of-bounds access on a different thread's kernel stack (or a NULL pointer dereference on the very first command). Fix this by: 1. Clearing hidpp->send_receive_buf to NULL before releasing the mutex in the synchronous command path. 2. Moving the assignment of the local 'question' and 'answer' pointers inside the mutex_is_locked() block in the handler, and adding a NULL check before dereferencing. Signed-off-by: Benoît Sevens <bsevens@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>
Diffstat (limited to 'rust/kernel/interop/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions
generated by cgit v1.2.3 (git 2.25.1) at 2026-04-23 09:38:28 +0000