HID: roccat: fix use-after-free in roccat_report_event
authorBenoît Sevens <bsevens@google.com>
Mon, 23 Mar 2026 16:11:07 +0000 (16:11 +0000)
committerJiri Kosina <jkosina@suse.com>
Fri, 27 Mar 2026 10:27:37 +0000 (11:27 +0100)
roccat_report_event() iterates over the device->readers list without
holding the readers_lock. This allows a concurrent roccat_release() to
remove and free a reader while it's still being accessed, leading to a
use-after-free.

Protect the readers list traversal with the readers_lock mutex.

Signed-off-by: Benoît Sevens <bsevens@google.com>
Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
drivers/hid/hid-roccat.c

index c7f7562e22e5623297167d4d661d8d90f737ae22..e413662f750824d9416c014b256bdf1a56bab0c9 100644 (file)
@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data)
        if (!new_value)
                return -ENOMEM;
 
+       mutex_lock(&device->readers_lock);
        mutex_lock(&device->cbuf_lock);
 
        report = &device->cbuf[device->cbuf_end];
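Review bot: The added `mutex_lock(&device->readers_lock)` nests `readers_lock` outside `cbuf_lock`, but nothing in the hunk records that order. A short comment above the added line would make it explicit, for example `/* Lock order: readers_lock, then cbuf_lock. readers_lock keeps roccat_release() from freeing a reader while the list is walked. */`. Any other path that takes both mutexes has to use the same order to avoid an ABBA deadlock; those paths are not visible here, so that is worth confirming before merge. The body of roccat_report_event starts before this hunk and continues after it.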
@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data)
        }
 
        mutex_unlock(&device->cbuf_lock);
+       mutex_unlock(&device->readers_lock);
 
        wake_up_interruptible(&device->wait);
        return 0;
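Review bot: `wake_up_interruptible(&device->wait)` still dereferences `device` after both mutexes have been released, and the hunk does not show what keeps `device` itself valid at that point. Per the commit message the new lock protects the readers list only. If the device structure can be freed by a concurrent teardown path, this access and the earlier lookup of `device` would need their own lifetime guarantee. The lookup is outside the hunk, so this may already be handled there; a one-line comment stating the rule that pins `device` for the duration of the call would settle it.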