diff options
| author | Benoît Sevens <bsevens@google.com> | 2026-04-01 14:48:11 +0000 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.com> | 2026-04-09 19:25:07 +0200 |
| commit | e2aaf2d3ad92ac4a8afa6b69ad4c38e7747d3d6e (patch) | |
| tree | 8973c1a2758bdcf703f2644673426e07a9c2cd96 /scripts/stackusage | |
| parent | e93faaca84b73431ccef029b2c8e902e5be83006 (diff) | |
HID: logitech-hidpp: fix race condition when accessing stale stack pointer
The driver uses hidpp->send_receive_buf to point to a stack-allocated
buffer in the synchronous command path (__do_hidpp_send_message_sync).
However, this pointer is not cleared when the function returns.
If an event is processed (e.g. by a different thread) while the
send_mutex is held by a new command, but before that command has
updated send_receive_buf, the handler (hidpp_raw_hidpp_event) will
observe that the mutex is locked and dereference the stale pointer.
This results in an out-of-bounds access on a different thread's kernel
stack (or a NULL pointer dereference on the very first command).
Fix this by:
1. Clearing hidpp->send_receive_buf to NULL before releasing the mutex
in the synchronous command path.
2. Moving the assignment of the local 'question' and 'answer' pointers
inside the mutex_is_locked() block in the handler, and adding
a NULL check before dereferencing.
Signed-off-by: Benoît Sevens <bsevens@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Diffstat (limited to 'scripts/stackusage')
0 files changed, 0 insertions, 0 deletions