From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Oliver Neukum, syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Subject: [PATCH 5.3 86/95] appledisplay: fix error handling in the scheduled work
Date: Wed, 27 Nov 2019 21:32:43 +0100
Message-Id: <20191127202955.638390156@linuxfoundation.org>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <20191127202845.651587549@linuxfoundation.org>
References: <20191127202845.651587549@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Oliver Neukum

commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream.

The work item can operate on

1. stale memory left over from the last transfer
the actual length of the data transferred needs to be checked
2. memory already freed
the error handling in appledisplay_probe() needs to cancel the work
in that case

Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum
Cc: stable
Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman
--- drivers/usb/misc/appledisplay.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/drivers/usb/misc/appledisplay.c +++ b/drivers/usb/misc/appledisplay.c @@ -164,7 +164,12 @@ static int appledisplay_bl_get_brightnes 0, pdata->msgdata, 2, ACD_USB_TIMEOUT); - brightness = pdata->msgdata[1]; + if (retval < 2) { + if (retval >= 0) + retval = -EMSGSIZE; + } else { + brightness = pdata->msgdata[1]; + } mutex_unlock(&pdata->sysfslock); if (retval < 0) @@ -299,6 +304,7 @@ error: if (pdata) { if (pdata->urb) { usb_kill_urb(pdata->urb); + cancel_delayed_work_sync(&pdata->work); if (pdata->urbdata) usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN, pdata->urbdata, pdata->urb->transfer_dma);
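
Review bot: in the first hunk (appledisplay_bl_get_brightness), the literal 2 in "if (retval < 2)" repeats the length passed to the transfer just above it ("pdata->msgdata, 2,"), so the length check and the request size can drift apart if one is changed without the other. A single named constant used in both places would keep them tied together. A one-line comment would also help, saying that a short but non-negative transfer is turned into -EMSGSIZE because msgdata[1] would otherwise still hold bytes from an earlier transfer. Since brightness is now assigned only in the else branch, it is worth confirming that the "if (retval < 0)" path after the unlock returns before brightness is read.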
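
Review bot: in the second hunk (the error: label), cancel_delayed_work_sync(&pdata->work) is placed inside "if (pdata->urb)", so an error path that reaches this label with pdata set but pdata->urb still NULL skips the cancel. The hunk does not show where the work is initialised or first scheduled relative to the URB allocation. If the work can only be queued once the URB exists, a short comment saying so would make the placement self-explanatory; if it is initialised earlier, the cancel belongs one level out, directly under "if (pdata)". The ordering after usb_kill_urb() and before the usb_free_coherent() call looks deliberate and also deserves a comment, so a later cleanup does not move the cancel below the frees.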