| author | Benoît Sevens <bsevens@google.com> | 2026-03-23 16:11:07 +0000 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.com> | 2026-03-27 11:27:37 +0100 |
| commit | d802d848308b35220f21a8025352f0c0aba15c12 (patch) | |
| tree | fdefe42215a684b5d5740b1209cbb3a8623d9013 | |
| parent | 48e91af0cbe942d50ef6257d850accdca1d01378 (diff) | |

HID: roccat: fix use-after-free in roccat_report_event

roccat_report_event() iterates over the device->readers list without
holding the readers_lock. This allows a concurrent roccat_release() to
remove and free a reader while it's still being accessed, leading to a
use-after-free.

Protect the readers list traversal with the readers_lock mutex.

Signed-off-by: Benoît Sevens <bsevens@google.com>
Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>

| -rw-r--r-- | drivers/hid/hid-roccat.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c index c7f7562e22e5..e413662f7508 100644 --- a/drivers/hid/hid-roccat.c +++ b/drivers/hid/hid-roccat.c @@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data) if (!new_value) return -ENOMEM; + mutex_lock(&device->readers_lock); mutex_lock(&device->cbuf_lock); report = &device->cbuf[device->cbuf_end]; @@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data) } mutex_unlock(&device->cbuf_lock); + mutex_unlock(&device->readers_lock); wake_up_interruptible(&device->wait); return 0; |
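
Review bot: The nesting order introduced at the top of the first hunk (@@ -257,6 +257,7), readers_lock taken before cbuf_lock, is not documented in the code or the commit message. Any other path that holds both mutexes has to acquire them in the same order, otherwise it can deadlock against roccat_report_event(). A one-line comment above `mutex_lock(&device->readers_lock);` stating that readers_lock is the outer lock and cbuf_lock the inner one would make the rule visible to the next person who touches the open, release or read paths.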
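
Review bot: The `mutex_unlock(&device->readers_lock);` added in the second hunk (@@ -279,6 +280,7) is the only release shown, and the lines between the two hunks are not part of the diff, so confirm that nothing in that span returns or jumps out with readers_lock still held. The release order mirrors the acquire order and `wake_up_interruptible(&device->wait);` stays outside both locks, which is what I would expect. Separately, the commit message describes a use-after-free but carries no Fixes: tag; adding one that names the commit which introduced the unlocked traversal would help anyone backporting this.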
