mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-21 18:11:39 +00:00
appledisplay: fix error handling in the scheduled work
commit 91feb01596
upstream.
The work item can operate on
1. stale memory left over from the last transfer
the actual length of the data transfered needs to be checked
2. memory already freed
the error handling in appledisplay_probe() needs
to cancel the work in that case
Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
878389a536
commit
04484bed9f
1 changed files with 7 additions and 1 deletions
|
@ -164,7 +164,12 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
|
|||
0,
|
||||
pdata->msgdata, 2,
|
||||
ACD_USB_TIMEOUT);
|
||||
brightness = pdata->msgdata[1];
|
||||
if (retval < 2) {
|
||||
if (retval >= 0)
|
||||
retval = -EMSGSIZE;
|
||||
} else {
|
||||
brightness = pdata->msgdata[1];
|
||||
}
|
||||
mutex_unlock(&pdata->sysfslock);
|
||||
|
||||
if (retval < 0)
|
||||
|
@ -299,6 +304,7 @@ static int appledisplay_probe(struct usb_interface *iface,
|
|||
if (pdata) {
|
||||
if (pdata->urb) {
|
||||
usb_kill_urb(pdata->urb);
|
||||
cancel_delayed_work_sync(&pdata->work);
|
||||
if (pdata->urbdata)
|
||||
usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
|
||||
pdata->urbdata, pdata->urb->transfer_dma);
|
||||
|
|
Loading…
Reference in a new issue