Commit d802d848 authored by Benoît Sevens, committed by Jiri Kosina

HID: roccat: fix use-after-free in roccat_report_event



roccat_report_event() iterates over the device->readers list without
holding the readers_lock. This allows a concurrent roccat_release() to
remove and free a reader while it's still being accessed, leading to a
use-after-free.

Protect the readers list traversal with the readers_lock mutex.

Signed-off-by: Benoît Sevens <bsevens@google.com>
Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
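A userspace model of the locking discipline this commit restores, added here as an illustration and not code from hid-roccat or the kernel: a device keeps a list of readers, `reader_release()` unlinks and frees one, and `report_event()` walks the list. Both take the same mutex, so a release can never free a node that a concurrent traversal is about to dereference. Names (`struct device`, `reader_open`, `reader_release`, `report_event`, `cbuf_start`) are assumptions modelled on the driver, and `pthread_mutex_t` stands in for the kernel mutex.

```c
#include <pthread.h>
#include <stdlib.h>

/* Added example: userspace stand-in for the hid-roccat readers list. */
struct reader {
    struct reader *next;
    int cbuf_start;          /* per-reader read position, modelled loosely */
};

struct device {
    pthread_mutex_t readers_lock; /* protects the list and every reader in it */
    struct reader *readers;
};

void device_init(struct device *d)
{
    pthread_mutex_init(&d->readers_lock, NULL);
    d->readers = NULL;
}

/* open analogue: link a new reader in under readers_lock */
struct reader *reader_open(struct device *d)
{
    struct reader *r = calloc(1, sizeof *r);
    pthread_mutex_lock(&d->readers_lock);
    r->next = d->readers;
    d->readers = r;
    pthread_mutex_unlock(&d->readers_lock);
    return r;
}

/* release analogue: unlink under the lock, free only after unlocking.
 * Safe because report_event() holds the same lock while it walks the list,
 * so no traversal can be mid-way through this node when it is freed. */
void reader_release(struct device *d, struct reader *r)
{
    pthread_mutex_lock(&d->readers_lock);
    for (struct reader **pp = &d->readers; *pp; pp = &(*pp)->next)
        if (*pp == r) { *pp = r->next; break; }
    pthread_mutex_unlock(&d->readers_lock);
    free(r);
}

/* report_event analogue: the traversal the fix wraps in readers_lock.
 * Returns how many readers were updated. */
int report_event(struct device *d)
{
    int n = 0;
    pthread_mutex_lock(&d->readers_lock);
    for (struct reader *r = d->readers; r; r = r->next) { r->cbuf_start++; n++; }
    pthread_mutex_unlock(&d->readers_lock);
    return n;
}
```

Removing the lock/unlock pair from `report_event()` reproduces the pre-fix structure: the walk then races with `reader_release()` freeing the node it is reading.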
parent 48e91af0
+2 −0
@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data)
	if (!new_value)
		return -ENOMEM;

	mutex_lock(&device->readers_lock);
	mutex_lock(&device->cbuf_lock);

	report = &device->cbuf[device->cbuf_end];
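Review bot: the added `mutex_lock(&device->readers_lock);` directly above the existing `mutex_lock(&device->cbuf_lock);` fixes the nesting order as readers_lock outer, cbuf_lock inner, and nothing in this diff shows the other side; the roccat_release() path named in the commit message, and any other function that takes both mutexes, must acquire them in that same order or the two can deadlock, so that check needs to be made against the full file before merging. The `-ENOMEM` return stays above the new lock, which is correct; the only remaining requirement is that no failure path between this line and the unlock returns early.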
@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data)
	}

	mutex_unlock(&device->cbuf_lock);
	mutex_unlock(&device->readers_lock);

	wake_up_interruptible(&device->wait);
	return 0;
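Review bot: the added `mutex_unlock(&device->readers_lock);` comes after `mutex_unlock(&device->cbuf_lock);`, releasing in reverse acquisition order, and `wake_up_interruptible(&device->wait);` stays outside the critical section, both correct. The list traversal itself (new lines 261 to 279) is not in the diff, so confirm there is no `return` or `goto` in that region that would leave readers_lock held now that it is taken for the whole walk.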