* [PATCH] HID: asus: Add check for cancelling fn_lock_sync_work
@ 2026-01-30 15:52 Sahil Chandna
2026-02-02 20:51 ` Jiri Kosina
2026-02-03 3:27 ` Alan Stern
0 siblings, 2 replies; 5+ messages in thread
From: Sahil Chandna @ 2026-01-30 15:52 UTC (permalink / raw)
To: jikos, bentiss, connorbelli2003, linux-input, linux-kernel
Cc: Sahil Chandna, syzbot+13f8286fa2de04a7cd48
syzbot reported a workqueue warning where fn_lock_sync_work is cancelled
during device removal before the work has been initialized. This can
happen when the device is disconnected while initialization is still
in progress.
Fix this by initializing fn_lock_sync_work before marking fn_lock as
enabled, and by using fn_lock as a flag in the remove path. This
ensures cancel_work_sync() is only called for initialized work.
Fixes: f631011e36b8 ("HID: hid-asus: Implement fn lock for Asus ProArt P16")
Reported-by: syzbot+13f8286fa2de04a7cd48@syzkaller.appspotmail.com
Signed-off-by: Sahil Chandna <chandna.sahil@gmail.com>
---
drivers/hid/hid-asus.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 1b9793f7c07e..bb85a36de14f 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -960,8 +960,8 @@ static int asus_input_configured(struct hid_device *hdev, struct hid_input *hi)
}
if (drvdata->quirks & QUIRK_HID_FN_LOCK) {
- drvdata->fn_lock = true;
INIT_WORK(&drvdata->fn_lock_sync_work, asus_sync_fn_lock);
+ drvdata->fn_lock = true;
asus_kbd_set_fn_lock(hdev, true);
}
@@ -1343,7 +1343,7 @@ static void asus_remove(struct hid_device *hdev)
cancel_work_sync(&drvdata->kbd_backlight->work);
}
- if (drvdata->quirks & QUIRK_HID_FN_LOCK)
+ if ((drvdata->quirks & QUIRK_HID_FN_LOCK) && drvdata->fn_lock)
cancel_work_sync(&drvdata->fn_lock_sync_work);
hid_hw_stop(hdev);
--
2.50.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] HID: asus: Add check for cancelling fn_lock_sync_work
2026-01-30 15:52 [PATCH] HID: asus: Add check for cancelling fn_lock_sync_work Sahil Chandna
@ 2026-02-02 20:51 ` Jiri Kosina
2026-02-03 3:27 ` Alan Stern
1 sibling, 0 replies; 5+ messages in thread
From: Jiri Kosina @ 2026-02-02 20:51 UTC (permalink / raw)
To: Sahil Chandna
Cc: bentiss, connorbelli2003, linux-input, linux-kernel,
syzbot+13f8286fa2de04a7cd48
On Fri, 30 Jan 2026, Sahil Chandna wrote:
> syzbot reported a workqueue warning where fn_lock_sync_work is cancelled
> during device removal before the work has been initialized. This can
> happen when the device is disconnected while initialization is still
> in progress.
> Fix this by initializing fn_lock_sync_work before marking fn_lock as
> enabled, and by using fn_lock as a flag in the remove path. This
> ensures cancel_work_sync() is only called for initialized work.
>
> Fixes: f631011e36b8 ("HID: hid-asus: Implement fn lock for Asus ProArt P16")
> Reported-by: syzbot+13f8286fa2de04a7cd48@syzkaller.appspotmail.com
> Signed-off-by: Sahil Chandna <chandna.sahil@gmail.com>
Applied to hid.git#for-6.20/asus, thanks.
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] HID: asus: Add check for cancelling fn_lock_sync_work
2026-01-30 15:52 [PATCH] HID: asus: Add check for cancelling fn_lock_sync_work Sahil Chandna
2026-02-02 20:51 ` Jiri Kosina
@ 2026-02-03 3:27 ` Alan Stern
2026-02-03 12:07 ` Sahil Chandna
2026-02-04 10:39 ` Jiri Kosina
1 sibling, 2 replies; 5+ messages in thread
From: Alan Stern @ 2026-02-03 3:27 UTC (permalink / raw)
To: Sahil Chandna, Jiri Kosina
Cc: bentiss, connorbelli2003, linux-input, linux-kernel
I just noticed this because of a related message in a different thread.
On Fri, Jan 26, 2026 at 09:22:04PM +0530, Sahil Chandna wrote:
> syzbot reported a workqueue warning where fn_lock_sync_work is cancelled
> during device removal before the work has been initialized. This can
> happen when the device is disconnected while initialization is still
> in progress.
> Fix this by initializing fn_lock_sync_work before marking fn_lock as
> enabled, and by using fn_lock as a flag in the remove path. This
> ensures cancel_work_sync() is only called for initialized work.
>
> Fixes: f631011e36b8 ("HID: hid-asus: Implement fn lock for Asus ProArt P16")
> Reported-by: syzbot+13f8286fa2de04a7cd48@syzkaller.appspotmail.com
> Signed-off-by: Sahil Chandna <chandna.sahil@gmail.com>
> ---
> drivers/hid/hid-asus.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
> index 1b9793f7c07e..bb85a36de14f 100644
> --- a/drivers/hid/hid-asus.c
> +++ b/drivers/hid/hid-asus.c
> @@ -960,8 +960,8 @@ static int asus_input_configured(struct hid_device *hdev, struct hid_input *hi)
> }
>
> if (drvdata->quirks & QUIRK_HID_FN_LOCK) {
> - drvdata->fn_lock = true;
> INIT_WORK(&drvdata->fn_lock_sync_work, asus_sync_fn_lock);
> + drvdata->fn_lock = true;
> asus_kbd_set_fn_lock(hdev, true);
> }
>
> @@ -1343,7 +1343,7 @@ static void asus_remove(struct hid_device *hdev)
> cancel_work_sync(&drvdata->kbd_backlight->work);
> }
>
> - if (drvdata->quirks & QUIRK_HID_FN_LOCK)
> + if ((drvdata->quirks & QUIRK_HID_FN_LOCK) && drvdata->fn_lock)
> cancel_work_sync(&drvdata->fn_lock_sync_work);
>
> hid_hw_stop(hdev);
With no synchronization between the two routines, this patch cannot
possibly be correct. There's nothing to prevent the CPU running
asus_input_configured() from executing the assignment to
drvdata->fn_lock before doing the INIT_WORK() (unless the INIT_WORK()
call itself contains some synchronization -- but obviously the code
shouldn't depend on that).
At the very least there should be a pair of memory barriers. A more
palatable substitute would be to protect both regions of code with a
mutex.
Alan Stern
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] HID: asus: Add check for cancelling fn_lock_sync_work
2026-02-03 3:27 ` Alan Stern
@ 2026-02-03 12:07 ` Sahil Chandna
2026-02-04 10:39 ` Jiri Kosina
1 sibling, 0 replies; 5+ messages in thread
From: Sahil Chandna @ 2026-02-03 12:07 UTC (permalink / raw)
To: Alan Stern
Cc: Jiri Kosina, bentiss, connorbelli2003, linux-input, linux-kernel
On Mon, Feb 02, 2026 at 10:27:33PM -0500, Alan Stern wrote:
>I just noticed this because of a related message in a different thread.
>
>On Fri, Jan 26, 2026 at 09:22:04PM +0530, Sahil Chandna wrote:
>
>> syzbot reported a workqueue warning where fn_lock_sync_work is cancelled
>> during device removal before the work has been initialized. This can
>> happen when the device is disconnected while initialization is still
>> in progress.
>> Fix this by initializing fn_lock_sync_work before marking fn_lock as
>> enabled, and by using fn_lock as a flag in the remove path. This
>> ensures cancel_work_sync() is only called for initialized work.
>>
>> Fixes: f631011e36b8 ("HID: hid-asus: Implement fn lock for Asus ProArt P16")
>> Reported-by: syzbot+13f8286fa2de04a7cd48@syzkaller.appspotmail.com
>> Signed-off-by: Sahil Chandna <chandna.sahil@gmail.com>
>> ---
>> drivers/hid/hid-asus.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
>> index 1b9793f7c07e..bb85a36de14f 100644
>> --- a/drivers/hid/hid-asus.c
>> +++ b/drivers/hid/hid-asus.c
>> @@ -960,8 +960,8 @@ static int asus_input_configured(struct hid_device *hdev, struct hid_input *hi)
>> }
>>
>> if (drvdata->quirks & QUIRK_HID_FN_LOCK) {
>> - drvdata->fn_lock = true;
>> INIT_WORK(&drvdata->fn_lock_sync_work, asus_sync_fn_lock);
>> + drvdata->fn_lock = true;
>> asus_kbd_set_fn_lock(hdev, true);
>> }
>>
>> @@ -1343,7 +1343,7 @@ static void asus_remove(struct hid_device *hdev)
>> cancel_work_sync(&drvdata->kbd_backlight->work);
>> }
>>
>> - if (drvdata->quirks & QUIRK_HID_FN_LOCK)
>> + if ((drvdata->quirks & QUIRK_HID_FN_LOCK) && drvdata->fn_lock)
>> cancel_work_sync(&drvdata->fn_lock_sync_work);
>>
>> hid_hw_stop(hdev);
>
>With no synchronization between the two routines, this patch cannot
>possibly be correct. There's nothing to prevent the CPU running
>asus_input_configured() from executing the assignment to
>drvdata->fn_lock before doing the INIT_WORK() (unless the INIT_WORK()
>call itself contains some synchronization -- but obviously the code
>shouldn't depend on that).
>
>At the very least there should be a pair of memory barriers. A more
>palatable substitute would be to protect both regions of code with a
>mutex.
>
>Alan Stern
Thanks, I will test with mutex between INIT_WORK and cancel_work
and share v2.
Regards,
Sahil
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] HID: asus: Add check for cancelling fn_lock_sync_work
2026-02-03 3:27 ` Alan Stern
2026-02-03 12:07 ` Sahil Chandna
@ 2026-02-04 10:39 ` Jiri Kosina
1 sibling, 0 replies; 5+ messages in thread
From: Jiri Kosina @ 2026-02-04 10:39 UTC (permalink / raw)
To: Alan Stern
Cc: Sahil Chandna, bentiss, connorbelli2003, linux-input,
linux-kernel
On Mon, 2 Feb 2026, Alan Stern wrote:
> With no synchronization between the two routines, this patch cannot
> possibly be correct. There's nothing to prevent the CPU running
> asus_input_configured() from executing the assignment to
> drvdata->fn_lock before doing the INIT_WORK() (unless the INIT_WORK()
> call itself contains some synchronization -- but obviously the code
> shouldn't depend on that).
Ouch, you are of course right, that escaped my attention. Thanks a lot for
catching this, Alan!
Now dropped from the queue.
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-02-04 10:39 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-30 15:52 [PATCH] HID: asus: Add check for cancelling fn_lock_sync_work Sahil Chandna
2026-02-02 20:51 ` Jiri Kosina
2026-02-03 3:27 ` Alan Stern
2026-02-03 12:07 ` Sahil Chandna
2026-02-04 10:39 ` Jiri Kosina
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox