Fix race condition in libusb hotplug: protect devs with mutex in process_hotplug_event

Copilot · Youw · Copilot · commit 07fa7e8b0f0b · 2026-03-30T11:24:15.000Z
In process_hotplug_event(), the devs list was modified without holding hid_hotplug_context.mutex. Meanwhile, hid_hotplug_register_callback() iterates devs under that mutex during HID_API_HOTPLUG_ENUMERATE. A device disconnect processed by callback_thread could free a devs entry while the ENUMERATE loop was still traversing it, causing a use-after-free. Fix by wrapping process_hotplug_event() with hid_hotplug_context.mutex. The mutex is recursive, so hid_internal_invoke_callbacks() (which also acquires it) works correctly. This aligns with how the linux backend handles the same scenario. Agent-Logs-Url: https://github.com/libusb/hidapi/sessions/cb1dc652-1f96-457d-8319-55e4a6f6e6f3 Co-authored-by: Youw <5939659+Youw@users.noreply.github.com>
diff --git a/libusb/hid.c b/libusb/hid.c
@@ -173,8 +173,8 @@ static struct hid_hotplug_context {
 	struct hid_hotplug_callback *hotplug_cbs;
 
 	/* Linked list of the device infos (mandatory when the device is disconnected).
-	 * Initialized before callback_thread is created; exclusively owned by
-	 * callback_thread after that (both reads/writes and final cleanup). */
+	 * Protected by `mutex` for both reads and writes.
+	 * Final cleanup is done by callback_thread during shutdown. */
 	struct hid_device_info *devs;
 } hid_hotplug_context = {
 	.next_handle = FIRST_HOTPLUG_CALLBACK_HANDLE,
@@ -1165,6 +1165,11 @@ static int hid_libusb_hotplug_callback(libusb_context *ctx, libusb_device *devic
 
 static void process_hotplug_event(struct hid_hotplug_queue* msg)
 {
+	/* Lock the mutex to avoid race conditions with hid_hotplug_register_callback(),
+	 * which may iterate devs during HID_API_HOTPLUG_ENUMERATE while holding this mutex.
+	 * The mutex is recursive, so hid_internal_invoke_callbacks() can safely re-acquire it. */
+	pthread_mutex_lock(&hid_hotplug_context.mutex);
+
 	if (msg->event == LIBUSB_HOTPLUG_EVENT_DEVICE_ARRIVED) {
 		struct hid_device_info* info = hid_enumerate_from_libusb(msg->device, 0, 0);
 		struct hid_device_info* info_cur = info;
@@ -1205,6 +1210,8 @@ static void process_hotplug_event(struct hid_hotplug_queue* msg)
 		}
 	}
 
+	pthread_mutex_unlock(&hid_hotplug_context.mutex);
+
 	/* Release the libusb device - we are done with it */
 	libusb_unref_device(msg->device);
 
