From: Oliver Neukum <oneukum@xxxxxxxx> commit 93907620b308609c72ba4b95b09a6aa2658bb553 upstream. The write code path touches the bbu member in a non atomic manner without taking the spinlock. Fix it. The bug is as old as the driver. Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> CC: stable@xxxxxxxxxxxxxxx Link: https://lore.kernel.org/r/20240912132126.1034743-1-oneukum@xxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/usb/misc/yurex.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -404,7 +404,6 @@ static ssize_t yurex_read(struct file *f
 struct usb_yurex *dev;
 int len = 0;
 char in_buffer[MAX_S64_STRLEN];
- unsigned long flags;
 dev = file->private_data;
@@ -419,9 +418,9 @@ static ssize_t yurex_read(struct file *f
 return -EIO;
 }
- spin_lock_irqsave(&dev->lock, flags);
+ spin_lock_irq(&dev->lock);
 scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);
- spin_unlock_irqrestore(&dev->lock, flags);
+ spin_unlock_irq(&dev->lock);
 mutex_unlock(&dev->io_mutex);
 return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
@@ -511,8 +510,11 @@ static ssize_t yurex_write(struct file *
 __func__, retval);
 goto error;
 }
- if (set && timeout)
+ if (set && timeout) {
+ spin_lock_irq(&dev->lock);
 dev->bbu = c2;
+ spin_unlock_irq(&dev->lock);
+ }
 return timeout ? count : -EIO;
 error:
Patches currently in stable-queue which might be from oneukum@xxxxxxxx are queue-6.11/usbnet-fix-cyclical-race-on-disconnect-with-work-queue.patch queue-6.11/usb-appledisplay-close-race-between-probe-and-completion-handler.patch queue-6.11/usb-class-cdc-acm-fix-race-between-get_serial-and-set_serial.patch queue-6.11/usb-misc-cypress_cy7c63-check-for-short-transfer.patch queue-6.11/usb-misc-yurex-fix-race-between-read-and-write.patch
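Review bot: `len` still appears to be 0 when it reaches `simple_read_from_buffer()` at the end of the second yurex_read hunk: the first hunk shows `int len = 0;`, and the `scnprintf()` call kept here discards its return value. The lines between the two hunks are not shown, so confirm nothing assigns `len` there; if nothing does, every read reports 0 bytes available and the formatted value never reaches user space. Capturing the length while the lock is held would fix it: `len = scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);`. yurex_read's body starts and ends outside the hunk.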
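Review bot: The choice of `spin_lock_irq()`/`spin_unlock_irq()` in the yurex_write hunk, and the matching switch away from the irqsave variants in the yurex_read hunk, is undocumented, and the unlock re-enables interrupts unconditionally. That is only correct while both paths are entered with interrupts enabled, which is presumably true for file read/write handlers but is not stated anywhere in the visible code. A short comment above the new block would record the assumption, e.g. `/* process context with IRQs enabled; dev->lock serialises every access to bbu */`. yurex_write starts outside the hunk, so how `c2`, `set` and `timeout` are derived from the user buffer cannot be checked from here.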