From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-dl1-f44.google.com (mail-dl1-f44.google.com [74.125.82.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 151A53E8341 for ; Fri, 15 May 2026 17:45:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.44 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778867123; cv=none; b=qjumd6c9HLdaUFUl1nzo3uIY77jvuKZZAiJD3TG8q2de4XkxwiVNU3hcTbXrVYm3GQOUmG4df1/zkbKbbV/ooDekfHfgxV5tGgWCGXi/5g+6kCarayeOgmH2P+cmL4MtGVhEVk9684jIm3s9lwR1x8WlnMdPGJCY8NnXyarjnQk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778867123; c=relaxed/simple; bh=lY3mPCtu+bzXQAlyB+1PlAaCjNdyoD9LDvEgTeIHHrU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=DvNGp7WdRdQyx9eGaqgMtWwN8tdSnRKsIwWthNLeI7bdZXXIjd7S/QYNHRW/UDW7y8tfNzw4+5qyUnCBkK4tcYoe/XJMSMxqcjyHWzlSo09r99emiJZGZvk80ZvZM5OWoA2tjyObp85pjxqz/UYFdGGXsE1uNJ/wg+eb+8W/t6c= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Iz3d/FVn; arc=none smtp.client-ip=74.125.82.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Iz3d/FVn" Received: by mail-dl1-f44.google.com with SMTP id a92af1059eb24-1309f4ee97fso9278c88.1 for ; Fri, 15 May 2026 10:45:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778867121; x=1779471921; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=whvroEO+X7eMUK2dr+RVLAdwgnO7cj8qqzWq2UgbsyA=; b=Iz3d/FVnwTcUwLDSyofYWZ7gvneJjjbNLT7u0sa64WsHijUDLYcnjrz0fAylWQFJFn hLuf1J8k9XXjvSX58QXSybWao0s1Akcqsf0grFWug7e1MYE+Udk9Gj1pJH0jIagGIHCR yneUB8WMeQbaRjYeqI2H7t86F7VGLHschZATArOcLyJN1+nObeA2EcMHvrPveUBChbXa FaIaQx/x90/guFUxtxFuviVTnzPCcF/VD/3eYFpF0TpfhtYq3oRXkSVme8wGVPef0R2F tNL2Cf/z9J8UHUPMvpeBEUzK3ONEHcvBg2WbfjgXFFL+ef1VrOusoxZGYX/wdWQTkeLc TbSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778867121; x=1779471921; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=whvroEO+X7eMUK2dr+RVLAdwgnO7cj8qqzWq2UgbsyA=; b=F0UkZjIG/r+SMeOs+mHPWx6OnMB13DTBVXQOXfE0MUHIIPHFH0rV9aEeYMI9yPbPWW 7YdSRkEmZgX28fzR1BBgqaoOHGgwo74kkrhK2VDT8z4DN/LaoBzApHo31VZ0joBJBAVf yPtTFESsgJ25F1n8EMzfbshvGKMU68O14OU1UZ/60ntuJYwYsWwJeIp5by1sx9IL7K/T NOC+6kpc8VrDuw+UTP2vVUE80wiPv4V6AxHnYVtEK/WO5FY+lz1Nho/XFPVI+nUx2yoz pLrlAh5R9zYPoKb4bHo24li/y0E3EBZiHE3Vtsl/Bt0Jf78DYbDOtcJqxNksewffOq7G nZNg== X-Forwarded-Encrypted: i=1; AFNElJ/CcxWCABkg5VihQWqH9x+2J0TMqyYWfpYIW9Tsf+hEkoZjBTn8sSdJaEkeNZ72xuMNTBkIA5PzQ93tvNc=@vger.kernel.org X-Gm-Message-State: AOJu0YxLsu9j7DzExcQ44AvzBfq0KozMKW3bvZYpwXVK9z+KUstWbwvs oKuq3AjsTB9Zt10L7wYCm08rFbLM0OHy39w9kc4NpSMwc7vIMibCE7yD X-Gm-Gg: Acq92OEEWMyp929OMN+wCpFg/c1xvZM7NpJTXKoTgiYAQ/h1n1bxttLXpdARaewUvlL vbvI9hqzQHvcBCTfXmhDhvjJ9V+I7GaEy1f1bEZZZh0eq/dgAr04Q8bi5uEpvu9aiPdqWdLR/Di DfuV0wbKWKSPbMj+552csbR/CnaIq+1yuLcQ1NXtuM99bOAniPw4Kp+TDZcybfOomIQViPNsoDh FT8mznMzbtfBgZHF+fLfI2L3kz5PJP95TUirS07f3hpvX1SEsO1d69MLiL8+xD2tc+pU+X16Oqd II9QiHaKgXEE6O9+IVZi7RSnLkayTYXJYQFPig6RRsb96G9VBOyt26FBJp7HkDMG6865j5hF1V+ 7GoC8Jrc6xgEc0R5UYBTnC/jjMomw/yzJBR33wnXdvj0sb4ZwtzLRMwxen3PJP9bNSwScNOu/36 eDAY4YU+AGQpk49ww4imhgGyEX2D2XF5EviVW97RyZ0lES4GSC3we/cMBqwe7kWNp9rcXIAyP4v zoBi3nw6gmEn6FCubcTmxXKP7f0bLU6we1urOhRTG1e4B0yi0f/2vz3g4HLbgarDkcKrZUehjzG eRKfVmc+ZofWcq7bA3v77daCQ70u48Y= X-Received: by 2002:a05:7301:688:b0:2e2:5bc5:f8eb with SMTP id 5a478bee46e88-303982c04demr2637806eec.9.1778867121023; Fri, 15 May 2026 10:45:21 -0700 (PDT) Received: from lima-kernel-dev.google.com (ec2-13-52-214-175.us-west-1.compute.amazonaws.com. [13.52.214.175]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-30293e2e686sm8900318eec.5.2026.05.15.10.45.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 May 2026 10:45:20 -0700 (PDT) From: Manish Khadka To: linux-input@vger.kernel.org Cc: "Derek J . Clark" , Mark Pearson , Jiri Kosina , Benjamin Tissoires , linux-kernel@vger.kernel.org Subject: [PATCH v2] HID: hid-lenovo-go: cancel cfg_setup work in hid_go_cfg_remove() Date: Fri, 15 May 2026 23:30:11 +0545 Message-ID: <20260515174511.78486-1-maskmemanish@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260515161830.E6E2BC2BCB3@smtp.kernel.org> References: <20260515161830.E6E2BC2BCB3@smtp.kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit hid_go_cfg_probe() initialises drvdata.go_cfg_setup and schedules it to run 2 ms later: INIT_DELAYED_WORK(&drvdata.go_cfg_setup, &cfg_setup); schedule_delayed_work(&drvdata.go_cfg_setup, msecs_to_jiffies(2)); cfg_setup() dereferences drvdata.hdev to issue MCU command requests. hid_go_cfg_remove() tears down sysfs and stops the HID device, but never drains the delayed work. If the device is unbound within the 2 ms scheduling delay (a probe failure rolling back via remove, or a fast rmmod after probe), the work fires after hid_destroy_device() has dropped its reference and released the underlying hdev struct, leaving cfg_setup() with a stale drvdata.hdev pointer. Mirror the sibling driver hid-lenovo-go-s.c, whose hid_gos_cfg_remove() already calls cancel_delayed_work_sync() on its analogous work, and drain go_cfg_setup at the top of hid_go_cfg_remove(). The cancel must come before guard(mutex)(&drvdata.cfg_mutex) because cfg_setup() acquires that mutex; reversing the order would deadlock. Fixes: d69ccfcbc955 ("HID: hid-lenovo-go: Add Lenovo Legion Go Series HID Driver") Cc: stable@vger.kernel.org Signed-off-by: Manish Khadka --- v1 -> v2: - Address Sashiko AI review feedback: * [Low] Correct the inaccurate description of how drvdata.hdev becomes stale. hid_set_drvdata(hdev, NULL) only clears the per-hdev driver_data, not the global drvdata.hdev; the actual stale-pointer mechanism is hid_destroy_device()'s put_device() releasing the underlying hdev struct. Commit message and the inline comment in hid_go_cfg_remove() are corrected accordingly. - The other six review points (ABBA deadlock with sysfs_remove_groups, global static drvdata corruption on multi-device/rebind, devm vs. explicit teardown race, probe error-path leaks, mcu_property_out unconditional return 0, schedule_delayed_work boolean misuse) are all valid pre-existing bugs in the driver but predate and are independent of this patch. Each deserves its own fix; will be addressed in separate patches. Thanks to Sashiko AI review for all seven points. drivers/hid/hid-lenovo-go.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/hid/hid-lenovo-go.c b/drivers/hid/hid-lenovo-go.c index d4d26c783356..b9d8cde53136 100644 --- a/drivers/hid/hid-lenovo-go.c +++ b/drivers/hid/hid-lenovo-go.c @@ -2408,6 +2408,15 @@ static int hid_go_cfg_probe(struct hid_device *hdev, static void hid_go_cfg_remove(struct hid_device *hdev) { + /* + * cfg_setup is scheduled from hid_go_cfg_probe() with a 2 ms delay + * and dereferences drvdata.hdev. Drain it here before tearing + * down so the workqueue cannot run after hid_destroy_device()'s + * put_device() has released the underlying hdev and dereference + * a stale drvdata.hdev pointer. + */ + cancel_delayed_work_sync(&drvdata.go_cfg_setup); + guard(mutex)(&drvdata.cfg_mutex); sysfs_remove_groups(&hdev->dev.kobj, top_level_attr_groups); hid_hw_close(hdev); -- 2.43.0