From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Oliver Neukum, syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Subject: [PATCH 4.19 297/306] appledisplay: fix error handling in the scheduled work
Date: Wed, 27 Nov 2019 21:32:27 +0100
Message-Id: <20191127203136.435985288@linuxfoundation.org>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <20191127203114.766709977@linuxfoundation.org>
References: <20191127203114.766709977@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Oliver Neukum

commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream.

The work item can operate on

1. stale memory left over from the last transfer
   the actual length of the data transferred needs to be checked
2. memory already freed
   the error handling in appledisplay_probe() needs
   to cancel the work in that case

Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum
Cc: stable
Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman

--- drivers/usb/misc/appledisplay.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/drivers/usb/misc/appledisplay.c +++ b/drivers/usb/misc/appledisplay.c @@ -170,7 +170,12 @@ static int appledisplay_bl_get_brightnes 0, pdata->msgdata, 2, ACD_USB_TIMEOUT); - brightness = pdata->msgdata[1]; + if (retval < 2) { + if (retval >= 0) + retval = -EMSGSIZE; + } else { + brightness = pdata->msgdata[1]; + } mutex_unlock(&pdata->sysfslock); if (retval < 0) @@ -305,6 +310,7 @@ error: if (pdata) { if (pdata->urb) { usb_kill_urb(pdata->urb); + cancel_delayed_work_sync(&pdata->work); if (pdata->urbdata) usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN, pdata->urbdata, pdata->urb->transfer_dma);
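
Review bot: In the first hunk (appledisplay_bl_get_brightness, @@ -170), the new check "if (retval < 2)" repeats the literal 2 that is passed as the transfer length in the context line "pdata->msgdata, 2, ACD_USB_TIMEOUT);". If one of the two is changed later, the short-read check silently stops matching the request size, so a named constant or a sizeof-based length shared by both would be safer. Also, brightness is now assigned only in the else branch, so the function relies on the "if (retval < 0)" test that follows mutex_unlock() returning before brightness is read. The visible context ends at that test, so it is worth confirming that nothing reads brightness on the error path, and a one-line comment saying that a short transfer leaves stale bytes in msgdata would document why -EMSGSIZE is returned.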
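
Review bot: In the second hunk (error: label, @@ -305), cancel_delayed_work_sync(&pdata->work) is added inside the "if (pdata->urb)" block, so an error path that reaches the label with pdata set but pdata->urb still NULL skips the cancel. If the delayed work is initialised or can be queued before the URB is allocated, the call should move out to the "if (pdata)" level. If the work can only be queued once the URB exists, a short comment stating that, and stating why the cancel must come after usb_kill_urb(pdata->urb), would make the ordering requirement explicit for anyone who later reorders this cleanup.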