appledisplay: fix error handling in the scheduled work

commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream.

The work item can operate on

1. stale memory left over from the last transfer
the actual length of the data transfered needs to be checked
2. memory already freed
the error handling in appledisplay_probe() needs
to cancel the work in that case

Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
index a1648fe0937eb7316a7ba9b71123b93f60812915..eb9b60ea02a3901a89a0c601b03ad6b024d3d439 100644 (file)
--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -180,7 +180,12 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
                0,
                pdata->msgdata, 2,
                ACD_USB_TIMEOUT);
-       brightness = pdata->msgdata[1];
+       if (retval < 2) {
+               if (retval >= 0)
+                       retval = -EMSGSIZE;
+       } else {
+               brightness = pdata->msgdata[1];
+       }
        mutex_unlock(&pdata->sysfslock);
 
        if (retval < 0)
@@ -326,6 +331,7 @@ error:
        if (pdata) {
                if (pdata->urb) {
                        usb_kill_urb(pdata->urb);
+                       cancel_delayed_work_sync(&pdata->work);
                        if (pdata->urbdata)
                                usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
                                        pdata->urbdata, pdata->urb->transfer_dma);