summaryrefslogtreecommitdiff
path: root/drivers/usb
diff options
context:
space:
mode:
authorOliver Neukum <oneukum@suse.com>2019-11-06 13:49:01 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-11-28 18:26:24 +0100
commit6f10c432716f868ef5995c2a24bea0eab59777be (patch)
tree3b4c6de95a9ab319e76109c54b960f9ba6864295 /drivers/usb
parentefb975b43222441da75a98e7ee112ded4daf0c1a (diff)
appledisplay: fix error handling in the scheduled work
commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream. The work item can operate on 1. stale memory left over from the last transfer the actual length of the data transfered needs to be checked 2. memory already freed the error handling in appledisplay_probe() needs to cancel the work in that case Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum <oneukum@suse.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb')
-rw-r--r--drivers/usb/misc/appledisplay.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
index dabd1077d03c..8b7d43c282f8 100644
--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -183,7 +183,12 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
0,
pdata->msgdata, 2,
ACD_USB_TIMEOUT);
- brightness = pdata->msgdata[1];
+ if (retval < 2) {
+ if (retval >= 0)
+ retval = -EMSGSIZE;
+ } else {
+ brightness = pdata->msgdata[1];
+ }
mutex_unlock(&pdata->sysfslock);
if (retval < 0)
@@ -329,6 +334,7 @@ error:
if (pdata) {
if (pdata->urb) {
usb_kill_urb(pdata->urb);
+ cancel_delayed_work_sync(&pdata->work);
if (pdata->urbdata)
usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
pdata->urbdata, pdata->urb->transfer_dma);
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-21 04:55:21 +0000