From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Oliver Neukum, syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Subject: [PATCH 4.9 142/151] appledisplay: fix error handling in the scheduled work
Date: Wed, 27 Nov 2019 21:32:05 +0100
Message-Id: <20191127203047.166875788@linuxfoundation.org>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <20191127203000.773542911@linuxfoundation.org>
References: <20191127203000.773542911@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Oliver Neukum

commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream.

The work item can operate on

1. stale memory left over from the last transfer
   the actual length of the data transferred needs to be checked
2. memory already freed
   the error handling in appledisplay_probe() needs
   to cancel the work in that case

Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum
Cc: stable
Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman

---
 drivers/usb/misc/appledisplay.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/misc/appledisplay.c +++ b/drivers/usb/misc/appledisplay.c @@ -182,7 +182,12 @@ static int appledisplay_bl_get_brightnes 0, pdata->msgdata, 2, ACD_USB_TIMEOUT); - brightness = pdata->msgdata[1]; + if (retval < 2) { + if (retval >= 0) + retval = -EMSGSIZE; + } else { + brightness = pdata->msgdata[1]; + } mutex_unlock(&pdata->sysfslock); if (retval < 0) @@ -324,6 +329,7 @@ error: if (pdata) { if (pdata->urb) { usb_kill_urb(pdata->urb); + cancel_delayed_work_sync(&pdata->work); if (pdata->urbdata) usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN, pdata->urbdata, pdata->urb->transfer_dma);
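Review bot: In the first hunk (appledisplay_bl_get_brightness()), the new `if (retval < 2)` check repeats the literal 2 that is passed as the transfer length in the context line `0, pdata->msgdata, 2, ACD_USB_TIMEOUT);`, so the two can drift apart if the message size ever changes; a shared named constant for the message length would tie the request size and the short-read check together. Note also that `brightness` is now assigned only in the `else` branch, so correctness depends on the following `if (retval < 0)` returning before `brightness` is read. Mapping a short but non-negative transfer to -EMSGSIZE guarantees that today, but the declaration and the return are outside the visible context, so initialising `brightness` at its declaration or adding a short comment would make the invariant explicit and keep stale `msgdata` bytes from ever being reported if the error path is later reshuffled.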
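Review bot: In the second hunk (the `error:` path), `cancel_delayed_work_sync(&pdata->work);` is added inside `if (pdata->urb) {`, so the work is not cancelled when the URB pointer is NULL; that is only safe if the work can never have been queued before the URB exists, which the visible lines do not show. Either move the cancel up one level to the `if (pdata)` block or add a one-line comment stating that the work is only ever queued via the URB. The placement after `usb_kill_urb(pdata->urb);` and before `usb_free_coherent()` looks like the right order for avoiding the use-after-free described in the commit message (stop the source that can requeue, then flush the work, then free), and since that ordering is load-bearing it deserves a comment so a later cleanup does not swap the two calls.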