The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y
git checkout FETCH_HEAD
git cherry-pick -x 93907620b308609c72ba4b95b09a6aa2658bb553
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024100158-doorstop-atom-5aa4@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^..
Possible dependencies:
93907620b308 ("USB: misc: yurex: fix race between read and write")
86b20af11e84 ("usb: yurex: Replace snprintf() with the safer scnprintf() variant")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 93907620b308609c72ba4b95b09a6aa2658bb553 Mon Sep 17 00:00:00 2001
From: Oliver Neukum oneukum@suse.com
Date: Thu, 12 Sep 2024 15:21:22 +0200
Subject: [PATCH] USB: misc: yurex: fix race between read and write
The write code path touches the bbu member in a non atomic manner without taking the spinlock. Fix it.
The bug is as old as the driver.
Signed-off-by: Oliver Neukum oneukum@suse.com
CC: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240912132126.1034743-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 4745a320eae4..4a9859e03f6b 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -404,7 +404,6 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, struct usb_yurex *dev; int len = 0; char in_buffer[MAX_S64_STRLEN]; - unsigned long flags;
dev = file->private_data;
@@ -419,9 +418,9 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, return -EIO; }
- spin_lock_irqsave(&dev->lock, flags); + spin_lock_irq(&dev->lock); scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu); - spin_unlock_irqrestore(&dev->lock, flags); + spin_unlock_irq(&dev->lock); mutex_unlock(&dev->io_mutex);
return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); @@ -511,8 +510,11 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, __func__, retval); goto error; } - if (set && timeout) + if (set && timeout) { + spin_lock_irq(&dev->lock); dev->bbu = c2; + spin_unlock_irq(&dev->lock); + } return timeout ? count : -EIO;
error:
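Review bot: in the yurex_read() hunk at @@ -419,9 the return value of scnprintf() is discarded, yet the trailing context passes len to simple_read_from_buffer(), and the first hunk shows len declared as int len = 0. Unless len is assigned in lines the diff does not show, the read hands zero bytes to user space; assigning the scnprintf() result to len inside the locked region would fix that. Separately, the switch from spin_lock_irqsave() to spin_lock_irq() is not mentioned in the commit message; spin_unlock_irq() enables interrupts unconditionally, which is fine here because the function holds io_mutex and so runs in a sleepable context, and a sentence saying so would help whoever resolves the 5.4 conflict.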
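Review bot: in the yurex_write() hunk at @@ -511,8 the new lock covers only the store dev->bbu = c2, and neither the hunk nor the commit message says which other context updates bbu under dev->lock. A short comment at the assignment, or on the lock member, naming what dev->lock protects would document why the _irq variant is needed here and keep later edits from dropping it.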