aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOliver Neukum <oneukum@suse.com>2019-11-06 13:49:01 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-12-01 09:17:42 +0100
commit356440a79b6b2faf796a65b9915b0882e9f1f73b (patch)
tree23afff9df93f76ca52667f3bfe3c27ebb7b6fe72
parent0439d6b901872933da7003413e1bae327c225717 (diff)
downloadlinux-yocto-356440a79b6b2faf796a65b9915b0882e9f1f73b.tar.gz
linux-yocto-356440a79b6b2faf796a65b9915b0882e9f1f73b.tar.bz2
linux-yocto-356440a79b6b2faf796a65b9915b0882e9f1f73b.zip
appledisplay: fix error handling in the scheduled work
commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream. The work item can operate on 1. stale memory left over from the last transfer the actual length of the data transfered needs to be checked 2. memory already freed the error handling in appledisplay_probe() needs to cancel the work in that case Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum <oneukum@suse.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/usb/misc/appledisplay.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
index 39ca31b4de46..718d692b07ac 100644
--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -170,7 +170,12 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
0,
pdata->msgdata, 2,
ACD_USB_TIMEOUT);
- brightness = pdata->msgdata[1];
+ if (retval < 2) {
+ if (retval >= 0)
+ retval = -EMSGSIZE;
+ } else {
+ brightness = pdata->msgdata[1];
+ }
mutex_unlock(&pdata->sysfslock);
if (retval < 0)
@@ -305,6 +310,7 @@ error:
if (pdata) {
if (pdata->urb) {
usb_kill_urb(pdata->urb);
+ cancel_delayed_work_sync(&pdata->work);
if (pdata->urbdata)
usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
pdata->urbdata, pdata->urb->transfer_dma);