[PATCH 04/10] Input: synaptics-rmi4 - cancel delayed work on F54 remove

Next message: Dmitry Torokhov: "[PATCH 06/10] Input: synaptics-rmi4 - propagate F54 worker errors to V4L2 queue"
Previous message: Dmitry Torokhov: "[PATCH 05/10] Input: synaptics-rmi4 - block s_input when F54 queue is busy"
In reply to: Hans Verkuil: "Re: [PATCH 05/10] Input: synaptics-rmi4 - block s_input when F54 queue is busy"
Next in thread: Dmitry Torokhov: "[PATCH 06/10] Input: synaptics-rmi4 - propagate F54 worker errors to V4L2 queue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dmitry Torokhov

Date: Fri Jun 26 2026 - 01:19:05 EST

Ensure that any pending delayed work is cancelled before destroying
the workqueue in rmi_f54_remove() to prevent a potential Use-After-Free.

While destroy_workqueue() drains the queue, it does not cancel pending
timers for delayed work. If the timer has not yet expired when
destroy_workqueue() is called, the work is not in the queue yet. Once
the timer expires later, the timer handler will attempt to queue the
work onto the already destroyed workqueue, or access the freed f54
structure (since it is devm-allocated), leading to a crash.

Fixes: 3a762dbd5347 ("[media] Input: synaptics-rmi4 - add support for F54 diagnostics")
Reported-by: sashiko-bot@xxxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
---
drivers/input/rmi4/rmi_f54.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/input/rmi4/rmi_f54.c b/drivers/input/rmi4/rmi_f54.c
index 75839a54656b..aebe74d2032c 100644
--- a/drivers/input/rmi4/rmi_f54.c
+++ b/drivers/input/rmi4/rmi_f54.c
@@ -749,6 +749,7 @@ static void rmi_f54_remove(struct rmi_function *fn)

video_unregister_device(&f54->vdev);
v4l2_device_unregister(&f54->v4l2);
+ cancel_delayed_work_sync(&f54->work);
destroy_workqueue(f54->workqueue);
}

--
2.55.0.rc0.799.gd6f94ed593-goog