From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76C90C432C0 for ; Wed, 27 Nov 2019 20:39:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4BBB721770 for ; Wed, 27 Nov 2019 20:39:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1574887172; bh=kZg4vs002sTcmRB9DV51OzIupzLPccJ6bw1vGnr/U+w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=qLlB8j+fzmHNa1kLF30T9msVAkuAUmeHKxbeFn5cJK6FWXs/1gyOFevi2+LgIs2Hd QjWqu28qGm9Mq2v6rmHytrYKseCwhSz22d1DypGkaozcD+7e2m1I7bqHI2A7X+b6AI NKYrfKjo//zYhn8sPmWnSUy2rShTj8077bx1HkJg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728937AbfK0Ujb (ORCPT ); Wed, 27 Nov 2019 15:39:31 -0500 Received: from mail.kernel.org ([198.145.29.99]:43624 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727823AbfK0Uj2 (ORCPT ); Wed, 27 Nov 2019 15:39:28 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 21EA621569; Wed, 27 Nov 2019 20:39:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1574887167; bh=kZg4vs002sTcmRB9DV51OzIupzLPccJ6bw1vGnr/U+w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Y20OQt66Xp5+6V8gdd5b45JGtCm9R7WKeIrs8IuhbS4AFkbv/3jSrfmM/f0t7S2Gp qtDqTB4QrctoUFXLZCVNanlD1qXsnwA2irvKPFEJ7MKCvXBFspRyZZfpgRGwNQJ82L +5Cf/1DJ3hUcSfmELB5I++mR7Mxvi1svaqrTWlPU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Oliver Neukum , syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com Subject: [PATCH 4.4 123/132] appledisplay: fix error handling in the scheduled work Date: Wed, 27 Nov 2019 21:31:54 +0100 Message-Id: <20191127203033.002013248@linuxfoundation.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191127202857.270233486@linuxfoundation.org> References: <20191127202857.270233486@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Oliver Neukum commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream. The work item can operate on 1. stale memory left over from the last transfer the actual length of the data transfered needs to be checked 2. memory already freed the error handling in appledisplay_probe() needs to cancel the work in that case Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum Cc: stable Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/appledisplay.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/drivers/usb/misc/appledisplay.c +++ b/drivers/usb/misc/appledisplay.c @@ -183,7 +183,12 @@ static int appledisplay_bl_get_brightnes 0, pdata->msgdata, 2, ACD_USB_TIMEOUT); - brightness = pdata->msgdata[1]; + if (retval < 2) { + if (retval >= 0) + retval = -EMSGSIZE; + } else { + brightness = pdata->msgdata[1]; + } mutex_unlock(&pdata->sysfslock); if (retval < 0) @@ -329,6 +334,7 @@ error: if (pdata) { if (pdata->urb) { usb_kill_urb(pdata->urb); + cancel_delayed_work_sync(&pdata->work); if (pdata->urbdata) usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN, pdata->urbdata, pdata->urb->transfer_dma);