Commit 93907620 authored by Oliver Neukum's avatar Oliver Neukum Committed by Greg Kroah-Hartman

USB: misc: yurex: fix race between read and write



The write code path touches the bbu member in a non atomic manner
without taking the spinlock. Fix it.

The bug is as old as the driver.

Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240912132126.1034743-1-oneukum@suse.com


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 49cd2f4d
+6 −4
@@ -404,7 +404,6 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
	struct usb_yurex *dev;
	int len = 0;
	char in_buffer[MAX_S64_STRLEN];
	unsigned long flags;

	dev = file->private_data;

@@ -419,9 +418,9 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
		return -EIO;
	}

	spin_lock_irqsave(&dev->lock, flags);
	spin_lock_irq(&dev->lock);
	scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);
	spin_unlock_irqrestore(&dev->lock, flags);
	spin_unlock_irq(&dev->lock);
	mutex_unlock(&dev->io_mutex);

	return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
@@ -511,8 +510,11 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer,
			__func__, retval);
		goto error;
	}
	if (set && timeout)
	if (set && timeout) {
		spin_lock_irq(&dev->lock);
		dev->bbu = c2;
		spin_unlock_irq(&dev->lock);
	}
	return timeout ? count : -EIO;

error:
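Review bot: In the yurex_read hunk the return value of `scnprintf()` is discarded, while `len` is initialised to 0 at the top of the function and then passed to `simple_read_from_buffer()` as the number of bytes available. Unless `len` is assigned in the lines between the first two hunks, which are not shown here, every read would see zero bytes available and return end-of-file instead of the formatted bbu value. The call under the lock should keep the length: `len = scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);`. Dropping the `= 0` initialiser on `len` may also let the compiler warn if that assignment goes missing again.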