| From 6f72c98049cdce984f3c464ca54f6ea1dec3a8a6 Mon Sep 17 00:00:00 2001 |
| From: Oliver Neukum <oneukum@suse.com> |
| Date: Fri, 15 Nov 2019 11:35:05 -0800 |
| Subject: [PATCH] Input: ff-memless - kill timer in destroy() |
| |
| commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream. |
| |
| No timer must be left running when the device goes away. |
| |
| Signed-off-by: Oliver Neukum <oneukum@suse.com> |
| Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com |
| Cc: stable@vger.kernel.org |
| Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com |
| Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/input/ff-memless.c b/drivers/input/ff-memless.c |
| index 1cb40c7475af..8229a9006917 100644 |
| --- a/drivers/input/ff-memless.c |
| +++ b/drivers/input/ff-memless.c |
| @@ -489,6 +489,15 @@ static void ml_ff_destroy(struct ff_device *ff) |
| { |
| struct ml_device *ml = ff->private; |
| |
| + /* |
| + * Even though we stop all playing effects when tearing down |
| + * an input device (via input_device_flush() that calls into |
| + * input_ff_flush() that stops and erases all effects), we |
| + * do not actually stop the timer, and therefore we should |
| + * do it here. |
| + */ |
| + del_timer_sync(&ml->timer); |
| + |
| kfree(ml->private); |
| } |
| |
| -- |
| 2.7.4 |
| |