Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

HID: roccat: fix use-after-free in roccat_report_event

roccat_report_event() iterates over the device->readers list without
holding the readers_lock. This allows a concurrent roccat_release() to
remove and free a reader while it's still being accessed, leading to a
use-after-free.

Protect the readers list traversal with the readers_lock mutex.

Signed-off-by: Benoît Sevens <bsevens@google.com>
Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>

Authored by Benoît Sevens and committed by Jiri Kosina
d802d848 48e91af0

+2
+2
drivers/hid/hid-roccat.c
··· 257 257 if (!new_value) 258 258 return -ENOMEM; 259 259 260 + mutex_lock(&device->readers_lock); 260 261 mutex_lock(&device->cbuf_lock); 261 262 262 263 report = &device->cbuf[device->cbuf_end]; ··· 280 279 } 281 280 282 281 mutex_unlock(&device->cbuf_lock); 282 + mutex_unlock(&device->readers_lock); 283 283 284 284 wake_up_interruptible(&device->wait); 285 285 return 0;
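Review bot: the first hunk (new line 260) makes readers_lock the outer lock and cbuf_lock the inner one, but neither the hunk nor the commit message records that ordering. Any other path that holds both mutexes has to nest them the same way, otherwise the fix trades the use-after-free for a possible ABBA deadlock. Please confirm that in the commit message and add a short comment above `mutex_lock(&device->readers_lock);` stating that readers_lock is taken before cbuf_lock.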
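Review bot: in the second hunk (new line 282) readers_lock is dropped only after `mutex_unlock(&device->cbuf_lock);`, so it is held across the whole cbuf update, while the commit message says only the readers list traversal needs protecting. The reverse-order release is right and `wake_up_interruptible(&device->wait);` correctly stays outside both locks, but a sentence in the message saying the wider scope is deliberate would help. The message also carries no Fixes: tag, which a use-after-free fix should have so it can be matched to the affected stable trees.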