[PATCH 05/11] Input: ims-pcu - fix race condition in reset_device sysfs callback

Next message: Nathan Chancellor: "Re: [PATCH 2/4] firmware: arm_ffa: Register core as a platform driver"
Previous message: Dmitry Torokhov: "[PATCH 01/11] Input: ims-pcu - release data interface on disconnect"
In reply to: Dmitry Torokhov: "[PATCH 01/11] Input: ims-pcu - release data interface on disconnect"
Next in thread: Dmitry Torokhov: "[PATCH 04/11] Input: ims-pcu - fix firmware leak in async update"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dmitry Torokhov

Date: Sat May 23 2026 - 01:07:35 EST

The ims_pcu_reset_device() sysfs callback calls ims_pcu_execute_command()
without acquiring pcu->cmd_mutex. This can lead to data races and
corruption of the shared command buffer if triggered concurrently with
other commands.

Acquire pcu->cmd_mutex before calling ims_pcu_execute_command().

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Sashiko bot <sashiko-bot@xxxxxxxxxx>
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
---
drivers/input/misc/ims-pcu.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index f86f9a5a7564..7fdff9dd1b5f 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1152,6 +1152,8 @@ static ssize_t ims_pcu_reset_device(struct device *dev,

dev_info(pcu->dev, "Attempting to reset device\n");

+ guard(mutex)(&pcu->cmd_mutex);
+
error = ims_pcu_execute_command(pcu, PCU_RESET, &reset_byte, 1);
if (error) {
dev_info(pcu->dev,
--
2.54.0.746.g67dd491aae-goog