appledisplay: fix error handling in the scheduled work

The work item can operate on

1. stale memory left over from the last transfer
the actual length of the data transfered needs to be checked
2. memory already freed
the error handling in appledisplay_probe() needs
to cancel the work in that case

Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
index ac92725458b59622b894704ae749bf4fcb12888c..ba1eaabc779698f50b94f47409095aa75e47a763 100644 (file)
--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -164,7 +164,12 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
                0,
                pdata->msgdata, 2,
                ACD_USB_TIMEOUT);
-       brightness = pdata->msgdata[1];
+       if (retval < 2) {
+               if (retval >= 0)
+                       retval = -EMSGSIZE;
+       } else {
+               brightness = pdata->msgdata[1];
+       }
        mutex_unlock(&pdata->sysfslock);
 
        if (retval < 0)
@@ -299,6 +304,7 @@ static int appledisplay_probe(struct usb_interface *iface,
        if (pdata) {
                if (pdata->urb) {
                        usb_kill_urb(pdata->urb);
+                       cancel_delayed_work_sync(&pdata->work);
                        if (pdata->urbdata)
                                usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
                                        pdata->urbdata, pdata->urb->transfer_dma);