The watchdog_timer can schedule tx_timeout_task and watchdog_work
can also arm watchdog_timer. The process is shown below:

----------- timer schedules work ------------
cyttsp4_watchdog_timer() //timer handler
  schedule_work(&cd->watchdog_work)

----------- work arms timer ------------
cyttsp4_watchdog_work() //workqueue callback function
  cyttsp4_start_wd_timer()
    mod_timer(&cd->watchdog_timer, ...)

Although del_timer_sync() and cancel_work_sync() are called in
cyttsp4_remove(), the timer and workqueue could still be rearmed.
As a result, the possible use after free bugs could happen. The
process is shown below:

  (cleanup routine)           |  (timer and workqueue routine)
cyttsp4_remove()              | cyttsp4_watchdog_timer() //timer
  cyttsp4_stop_wd_timer()     |   schedule_work()
    del_timer_sync()          |
                              | cyttsp4_watchdog_work() //worker
                              |   cyttsp4_start_wd_timer()
                              |     mod_timer()
    cancel_work_sync()        |
                              | cyttsp4_watchdog_timer() //timer
                              |   schedule_work()
    del_timer_sync()          |
  kfree(cd) //FREE            |
                              | cyttsp4_watchdog_work() // reschedule!
                              |   cd-> //USE

This patch changes del_timer_sync() to timer_shutdown_sync(),
which could prevent rearming of the timer from the workqueue.

Fixes: 17fb1563 ("Input: cyttsp4 - add core driver for Cypress TMA4XX touchscreen devices")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20230421082919.8471-1-duoming@zju.edu.cnSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>