From: Phong Tran
To: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Cc: 2pi@mok.nu, alex.theissen@me.com, andreyknvl@google.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com, linux-kernel-mentees@lists.linuxfoundation.org, Phong Tran
Subject: [PATCH] usb: appledisplay: fix use-after-free in bl_get_brightness
Date: Wed, 6 Nov 2019 06:36:52 +0700
Message-Id: <20191105233652.21033-1-tranmanphong@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <00000000000042d60805933945b5@google.com>
References: <00000000000042d60805933945b5@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In the context of a USB disconnect, the delayed work triggers and calls
appledisplay_bl_get_brightness() after msgdata was freed.

Add a check of the return value of usb_control_msg() and only update the
data when retval is valid.

Reported-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
https://groups.google.com/d/msg/syzkaller-bugs/dRmkh2UYusY/l2a6Mg3FAQAJ
Signed-off-by: Phong Tran
---
 drivers/usb/misc/appledisplay.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
index ac92725458b5..3e3dfa5a3954 100644
--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -164,7 +164,8 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
 		0,
 		pdata->msgdata, 2,
 		ACD_USB_TIMEOUT);
-	brightness = pdata->msgdata[1];
+	if (retval >= 0)
+		brightness = pdata->msgdata[1];
 	mutex_unlock(&pdata->sysfslock);
 
 	if (retval < 0)
-- 
2.20.1
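Review bot: The `if (retval >= 0)` guard in this hunk does not remove the use-after-free the commit message describes. The control message just issued above the hunk uses pdata->msgdata as its transfer buffer, so if the delayed work can still run after msgdata has been freed, a successful usb_control_msg() still writes into and then reads from freed memory at `brightness = pdata->msgdata[1]`; the new check only skips the read when the transfer fails. The fix that matches the description is to make msgdata outlive any pending work, for example by cancelling the delayed work and unregistering the backlight device in disconnect before the buffer is freed, rather than guarding the read. Two smaller points: with the assignment now conditional, `brightness` is only meaningful when `retval >= 0`, so confirm the function never returns it on the error path (the trailing `if (retval < 0)` context suggests retval is returned there, but the hunk does not show the rest of the function); and the commit message carries both a Reported-by and a Reported-and-tested-by trailer for the same syzbot address, where only one is needed.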