From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2FF1BC5DF60 for ; Fri, 8 Nov 2019 07:18:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F05642178F for ; Fri, 8 Nov 2019 07:18:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1573197515; bh=XKTWza8Y9AOcKC66SVWC0rS/L5+fSVM2yshdZULFT8I=; h=Subject:To:From:Date:List-ID:From; b=t24vXER7hHxTiJBvI3y5WZ5LYhHUxKa8NhPBDQlR2Uxc7eICzfDbRh6Xp9ft3FC2l P1G1Kht0o10KtzQusyEE8Oc8Q8D7HJVrgskuYdO2Wc3V4kLTeuvTXvXlz8aF9R/7NN U9uGRm7EUnTizh7mepVq23HjngtPx3vhRjc+FlkU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729951AbfKHHSe (ORCPT ); Fri, 8 Nov 2019 02:18:34 -0500 Received: from mail.kernel.org ([198.145.29.99]:41770 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725886AbfKHHSe (ORCPT ); Fri, 8 Nov 2019 02:18:34 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 240F9214DB; Fri, 8 Nov 2019 07:18:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1573197513; bh=XKTWza8Y9AOcKC66SVWC0rS/L5+fSVM2yshdZULFT8I=; h=Subject:To:From:Date:From; b=mTjiPzG3zGzhhP7QPW6CZd/zNMMKVntcm+1jhsrop1tT/kLZpRdNgPhp+nM3hJRiL 74srx6O+M9yR2N/fNbSnw/qnY/Ql6y+efdTII+9NxpGv8lbqsg9BHPlIRsdTgVx3Hx tTexz4OXV8tWphZAcu+f6BIT4f1Kir/0Lf2rMgsQ= Subject: patch "appledisplay: fix error handling in the scheduled work" added to usb-next To: oneukum@suse.com, gregkh@linuxfoundation.org, stable@vger.kernel.org From: Date: Fri, 08 Nov 2019 08:17:37 +0100 Message-ID: <157319745722391@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org This is a note to let you know that I've just added the patch titled appledisplay: fix error handling in the scheduled work to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 91feb01596e5efc0cc922cc73f5583114dccf4d2 Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Wed, 6 Nov 2019 13:49:01 +0100 Subject: appledisplay: fix error handling in the scheduled work The work item can operate on 1. stale memory left over from the last transfer the actual length of the data transfered needs to be checked 2. memory already freed the error handling in appledisplay_probe() needs to cancel the work in that case Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum Cc: stable Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/appledisplay.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c index ac92725458b5..ba1eaabc7796 100644 --- a/drivers/usb/misc/appledisplay.c +++ b/drivers/usb/misc/appledisplay.c @@ -164,7 +164,12 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd) 0, pdata->msgdata, 2, ACD_USB_TIMEOUT); - brightness = pdata->msgdata[1]; + if (retval < 2) { + if (retval >= 0) + retval = -EMSGSIZE; + } else { + brightness = pdata->msgdata[1]; + } mutex_unlock(&pdata->sysfslock); if (retval < 0) @@ -299,6 +304,7 @@ static int appledisplay_probe(struct usb_interface *iface, if (pdata) { if (pdata->urb) { usb_kill_urb(pdata->urb); + cancel_delayed_work_sync(&pdata->work); if (pdata->urbdata) usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN, pdata->urbdata, pdata->urb->transfer_dma); -- 2.24.0