In ish_probe, it calls ish_dev_init to init the device. In this function,
ishtp_device_init is called and &dev->bh_hbm_work is bound with
bh_hbm_work_fn. recv_hbm may be called to start the timer work.

If we remove the module, which will call ish_remove to do cleanup,
there may be unfinished work. The possible sequence is as follows:

Fix it by canceling the work before cleanup in ishtp_bus_remove_all_clients

CPU0                                CPU1

                                    |bh_hbm_work_fn
ish_remove                          |
ishtp_bus_remove_all_clients        |
kfree(ishtp_dev->fw_clients);       |
                                    |
                                    |&dev->fw_clients[...]
                                    |   //use

Fixes: 3703f53b99e4 ("HID: intel_ish-hid: ISH Transport layer")
Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
--- drivers/hid/intel-ish-hid/ishtp/bus.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c index 81385ab37fa9..ada7cd08dbeb 100644 --- a/drivers/hid/intel-ish-hid/ishtp/bus.c +++ b/drivers/hid/intel-ish-hid/ishtp/bus.c @@ -744,6 +744,7 @@ void ishtp_bus_remove_all_clients(struct ishtp_device *ishtp_dev, */ } spin_unlock_irqrestore(&ishtp_dev->cl_list_lock, flags); + cancel_work_sync(&ishtp_dev->bh_hbm_work); /* Release DMA buffers for client messages */ ishtp_cl_free_dma_buf(ishtp_dev); -- 2.25.1
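
Review bot: The added cancel_work_sync(&ishtp_dev->bh_hbm_work) after spin_unlock_irqrestore() only drains work that is queued or running at that moment, and nothing visible in this hunk stops recv_hbm, which the changelog says can start the work, from queuing it again before fw_clients is freed. Please state in the changelog (or a comment above the call) why message reception is already quiesced when ishtp_bus_remove_all_clients runs, or move the cancel to a point after the source of new work has been disabled. Placing the call outside the cl_list_lock section is right, since cancel_work_sync() can sleep, but that also means every caller of ishtp_bus_remove_all_clients must be in process context and none may be reached from bh_hbm_work_fn itself, where it would wait on its own completion. The changelog only discusses the ish_remove path, so it is worth confirming the other callers as well.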