From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Oliver Neukum, syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Subject: [PATCH 4.14 201/211] appledisplay: fix error handling in the scheduled work
Date: Wed, 27 Nov 2019 21:32:14 +0100
Message-Id: <20191127203112.575337093@linuxfoundation.org>
In-Reply-To: <20191127203049.431810767@linuxfoundation.org>
References: <20191127203049.431810767@linuxfoundation.org>

From: Oliver Neukum

commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream.

The work item can operate on

1. stale memory left over from the last transfer
   the actual length of the data transferred needs to be checked
2. memory already freed
   the error handling in appledisplay_probe() needs to cancel the work in that case

Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum
Cc: stable
Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/misc/appledisplay.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/misc/appledisplay.c +++ b/drivers/usb/misc/appledisplay.c @@ -182,7 +182,12 @@ static int appledisplay_bl_get_brightnes 0, pdata->msgdata, 2, ACD_USB_TIMEOUT); - brightness = pdata->msgdata[1]; + if (retval < 2) { + if (retval >= 0) + retval = -EMSGSIZE; + } else { + brightness = pdata->msgdata[1]; + } mutex_unlock(&pdata->sysfslock); if (retval < 0) @@ -317,6 +322,7 @@ error: if (pdata) { if (pdata->urb) { usb_kill_urb(pdata->urb); + cancel_delayed_work_sync(&pdata->work); if (pdata->urbdata) usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN, pdata->urbdata, pdata->urb->transfer_dma);
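
Review bot: In the first hunk (appledisplay_bl_get_brightness), the new `if (retval < 2)` branch leaves `brightness` unassigned, so the function is safe only if the `if (retval < 0)` check after `mutex_unlock()` returns before `brightness` is read; the visible context ends at that check, so this is worth confirming against the full function. The literal 2 also now appears twice, once as the length passed alongside `pdata->msgdata` and once in the comparison; tying both to a single named constant would keep the length check from drifting if the message buffer size ever changes.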
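
Review bot: In the second hunk (the `error:` path), `cancel_delayed_work_sync(&pdata->work)` sits inside `if (pdata->urb)`, so it closes the freed-memory case from the commit message only if the work can never be queued while `pdata->urb` is still NULL; the hunk does not show where the work is initialized or scheduled, so that assumption should be stated or checked. A one-line comment explaining why the cancel follows `usb_kill_urb()` and lives under this condition would make the ordering requirement clear to the next person touching the error path.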