[RAMEN9610-21500]Input: ff-memless - kill timer in destroy()

commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream.

No timer must be left running when the device goes away.

Change-Id: I7a5642e94ab73741cd4f2918a12d0299284d0715
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1ef39c8b753771622ff84b61d46130e36645251f)

diff --git a/drivers/input/ff-memless.c b/drivers/input/ff-memless.c
index fcc6c3368182b9c376c01a4506d60a276dbceb1a..ea3f0f5eb534667b6ab15cc88c3acaf6a39121f0 100644 (file)
--- a/drivers/input/ff-memless.c
+++ b/drivers/input/ff-memless.c
@@ -501,6 +501,15 @@ static void ml_ff_destroy(struct ff_device *ff)
 {
        struct ml_device *ml = ff->private;
 
+       /*
+        * Even though we stop all playing effects when tearing down
+        * an input device (via input_device_flush() that calls into
+        * input_ff_flush() that stops and erases all effects), we
+        * do not actually stop the timer, and therefore we should
+        * do it here.
+        */
+       del_timer_sync(&ml->timer);
+
        kfree(ml->private);
 }