USB: misc: yurex: fix race between read and write
authorOliver Neukum <oneukum@suse.com>
Thu, 12 Sep 2024 13:21:22 +0000 (15:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 4 Oct 2024 14:29:57 +0000 (16:29 +0200)
[ Upstream commit 93907620b308609c72ba4b95b09a6aa2658bb553 ]

The write code path touches the bbu member in a non atomic manner
without taking the spinlock. Fix it.

The bug is as old as the driver.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240912132126.1034743-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/usb/misc/yurex.c

index 5a13cddace0e635aea2daf76decf885229f548d3..44136989f6c6a29a1a8f9d7b623e41b01ad923f8 100644 (file)
@@ -404,7 +404,6 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
        struct usb_yurex *dev;
        int len = 0;
        char in_buffer[MAX_S64_STRLEN];
-       unsigned long flags;
 
        dev = file->private_data;
 
@@ -417,9 +416,9 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
        if (WARN_ON_ONCE(dev->bbu > S64_MAX || dev->bbu < S64_MIN))
                return -EIO;
 
-       spin_lock_irqsave(&dev->lock, flags);
+       spin_lock_irq(&dev->lock);
        scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);
-       spin_unlock_irqrestore(&dev->lock, flags);
+       spin_unlock_irq(&dev->lock);
        mutex_unlock(&dev->io_mutex);
 
        return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
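Review bot: The range check `WARN_ON_ONCE(dev->bbu > S64_MAX || dev->bbu < S64_MIN)` still reads `dev->bbu` before `spin_lock_irq(&dev->lock)` is taken, so the read side keeps an unlocked access to the member this commit sets out to protect. Its `return -EIO` also skips the `mutex_unlock(&dev->io_mutex)` that the normal path performs; if the mutex is acquired above the hunk (the start of yurex_read is not visible here), that path leaves it held and later callers on this device would block. Separately, the return value of `scnprintf()` is discarded while `len`, initialised to 0 in the first hunk, is what gets passed to `simple_read_from_buffer()`; unless `len` is assigned in lines not shown, the read would return no data. The sketch below moves the check under the spinlock, releases both locks on the error path and keeps the formatted length.

```c
	/* … unchanged: start of yurex_read() above the hunk … */
	spin_lock_irq(&dev->lock);
	if (WARN_ON_ONCE(dev->bbu > S64_MAX || dev->bbu < S64_MIN)) {
		/* drop both locks before bailing out */
		spin_unlock_irq(&dev->lock);
		mutex_unlock(&dev->io_mutex);
		return -EIO;
	}
	len = scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);
	spin_unlock_irq(&dev->lock);
	mutex_unlock(&dev->io_mutex);

	return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
```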
@@ -509,8 +508,11 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer,
                        __func__, retval);
                goto error;
        }
-       if (set && timeout)
+       if (set && timeout) {
+               spin_lock_irq(&dev->lock);
                dev->bbu = c2;
+               spin_unlock_irq(&dev->lock);
+       }
        return timeout ? count : -EIO;
 
 error:
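Review bot: The locked store to `dev->bbu` carries no comment saying what `dev->lock` protects it against, and the reason for using the `_irq` variant rather than `_irqsave` is left implicit. A one-line comment above `spin_lock_irq(&dev->lock);` would help the next reader, for example `/* dev->lock guards bbu against yurex_read(); process context, so plain _irq is enough */`. yurex_write starts above the hunk and continues past the `error:` label, so whether any other writer of `bbu` (a completion handler, for instance) takes the same lock cannot be confirmed from here.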