From: Oliver Neukum Date: Fri, 15 Nov 2019 19:35:05 +0000 (-0800) Subject: [RAMEN9610-21500]Input: ff-memless - kill timer in destroy() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=03efb433a606f40c32ccc2eaabcd39d824990953;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git [RAMEN9610-21500]Input: ff-memless - kill timer in destroy() commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream. No timer must be left running when the device goes away. Change-Id: I7a5642e94ab73741cd4f2918a12d0299284d0715 Signed-off-by: Oliver Neukum Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 1ef39c8b753771622ff84b61d46130e36645251f) --- diff --git a/drivers/input/ff-memless.c b/drivers/input/ff-memless.c index fcc6c3368182..ea3f0f5eb534 100644 --- a/drivers/input/ff-memless.c +++ b/drivers/input/ff-memless.c @@ -501,6 +501,15 @@ static void ml_ff_destroy(struct ff_device *ff) { struct ml_device *ml = ff->private; + /* + * Even though we stop all playing effects when tearing down + * an input device (via input_device_flush() that calls into + * input_ff_flush() that stops and erases all effects), we + * do not actually stop the timer, and therefore we should + * do it here. + */ + del_timer_sync(&ml->timer); + kfree(ml->private); }
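Review bot: In ml_ff_destroy(), the comment added above del_timer_sync(&ml->timer) explains why the timer can still be pending at teardown, but not why it cannot be re-armed after del_timer_sync() returns. del_timer_sync() waits for a running handler and removes a pending timer; it does not stop another path from starting the timer again afterwards. Suggest one more sentence in the comment stating which teardown step rules out a new play request by the time destroy() runs, since the comment already names input_device_flush() and input_ff_flush(). Placing the call ahead of kfree(ml->private) is the right order, because the handler must have finished before memory it may use is released. It would also help to note that destroy() runs in process context, since del_timer_sync() must not be called from interrupt context or while holding a lock that the timer handler takes.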