Input: ims-pcu - fix race condition in reset_device sysfs callback

The ims_pcu_reset_device() sysfs callback calls ims_pcu_execute_command()
without acquiring pcu->cmd_mutex. This can lead to data races and
corruption of the shared command buffer if triggered concurrently with
other commands.

Acquire pcu->cmd_mutex before calling ims_pcu_execute_command().

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@vger.kernel.org
Reported-by: Sashiko bot <sashiko-bot@kernel.org>
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index 4f8265c0772f573b52f14f1b560efe9f558a2a9d..39bc02ef3e5380a1826707fd19d62e0e80bb50f2 100644 (file)
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1153,6 +1153,8 @@ static ssize_t ims_pcu_reset_device(struct device *dev,
 
        dev_info(pcu->dev, "Attempting to reset device\n");
 
+       guard(mutex)(&pcu->cmd_mutex);
+
        error = ims_pcu_execute_command(pcu, PCU_RESET, &reset_byte, 1);
        if (error) {
                dev_info(pcu->dev,