appledisplay: fix error handling in the scheduled work

commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream.

The work item can operate on

1. stale memory left over from the last transfer
the actual length of the data transfered needs to be checked
2. memory already freed
the error handling in appledisplay_probe() needs
to cancel the work in that case

Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
index 39ca31b4de4667a49bc8016d79dd95be05f970f1..718d692b07ac8ab50de231ed59901df18631fc4f 100644 (file)
--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -170,7 +170,12 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
                0,
                pdata->msgdata, 2,
                ACD_USB_TIMEOUT);
-       brightness = pdata->msgdata[1];
+       if (retval < 2) {
+               if (retval >= 0)
+                       retval = -EMSGSIZE;
+       } else {
+               brightness = pdata->msgdata[1];
+       }
        mutex_unlock(&pdata->sysfslock);
 
        if (retval < 0)
@@ -305,6 +310,7 @@ error:
        if (pdata) {
                if (pdata->urb) {
                        usb_kill_urb(pdata->urb);
+                       cancel_delayed_work_sync(&pdata->work);
                        if (pdata->urbdata)
                                usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
                                        pdata->urbdata, pdata->urb->transfer_dma);