* [PATCH] input: synaptics_i2c - cancel delayed work before freeing device @ 2025-12-10 3:20 Minseong Kim 2025-12-10 4:40 ` Dmitry Torokhov 0 siblings, 1 reply; 5+ messages in thread From: Minseong Kim @ 2025-12-10 3:20 UTC (permalink / raw) To: Dmitry Torokhov; +Cc: linux-input, linux-kernel, stable, Minseong Kim synaptics_i2c_irq() schedules touch->dwork via mod_delayed_work(). The delayed work performs I2C transactions and may still be running (or get queued) when the device is removed. synaptics_i2c_remove() currently frees 'touch' without canceling touch->dwork. If removal happens while the work is pending/running, the work handler may dereference freed memory, leading to a potential use-after-free. Cancel the delayed work synchronously before unregistering/freeing the device. Fixes: eef3e4cab72e Input: add driver for Synaptics I2C touchpad Reported-by: Minseong Kim <ii4gsp@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Minseong Kim <ii4gsp@gmail.com> --- drivers/input/mouse/synaptics_i2c.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/input/mouse/synaptics_i2c.c b/drivers/input/mouse/synaptics_i2c.c index a0d707e47d93..fe30bf9aea3a 100644 --- a/drivers/input/mouse/synaptics_i2c.c +++ b/drivers/input/mouse/synaptics_i2c.c @@ -593,6 +593,8 @@ static void synaptics_i2c_remove(struct i2c_client *client) if (!polling_req) free_irq(client->irq, touch); + cancel_delayed_work_sync(&touch->dwork); + input_unregister_device(touch->input); kfree(touch); } -- 2.39.5 ^ permalink raw reply related [flat|nested] 5+ messages in thread
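Review bot: In synaptics_i2c_remove(), cancel_delayed_work_sync(&touch->dwork) sits before input_unregister_device(touch->input), so the input device is still registered, and can still be opened, between the cancel and kfree(touch); the commit message does not say why touch->dwork cannot be queued again in that window. Consider moving the cancel to directly after input_unregister_device() and before kfree(touch), or add a sentence to the commit message naming every path that queues the work (it mentions only synaptics_i2c_irq(), which the preceding free_irq() covers when !polling_req) and why each is quiesced by this point. The Fixes: tag should also follow the usual form with the subject in parentheses and quotes: Fixes: eef3e4cab72e ("Input: add driver for Synaptics I2C touchpad").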
* Re: [PATCH] input: synaptics_i2c - cancel delayed work before freeing device 2025-12-10 3:20 [PATCH] input: synaptics_i2c - cancel delayed work before freeing device Minseong Kim @ 2025-12-10 4:40 ` Dmitry Torokhov 2025-12-10 5:17 ` Minseong Kim 2025-12-10 12:25 ` Mike Rapoport 0 siblings, 2 replies; 5+ messages in thread From: Dmitry Torokhov @ 2025-12-10 4:40 UTC (permalink / raw) To: Minseong Kim, Mike Rapoport; +Cc: linux-input, linux-kernel, stable Hi Minseong, On Wed, Dec 10, 2025 at 12:20:27PM +0900, Minseong Kim wrote: > synaptics_i2c_irq() schedules touch->dwork via mod_delayed_work(). > The delayed work performs I2C transactions and may still be running > (or get queued) when the device is removed. > > synaptics_i2c_remove() currently frees 'touch' without canceling > touch->dwork. If removal happens while the work is pending/running, > the work handler may dereference freed memory, leading to a potential > use-after-free. > > Cancel the delayed work synchronously before unregistering/freeing > the device. > > Fixes: eef3e4cab72e Input: add driver for Synaptics I2C touchpad > Reported-by: Minseong Kim <ii4gsp@gmail.com> > Cc: stable@vger.kernel.org > Signed-off-by: Minseong Kim <ii4gsp@gmail.com> > --- > drivers/input/mouse/synaptics_i2c.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/input/mouse/synaptics_i2c.c b/drivers/input/mouse/synaptics_i2c.c > index a0d707e47d93..fe30bf9aea3a 100644 > --- a/drivers/input/mouse/synaptics_i2c.c > +++ b/drivers/input/mouse/synaptics_i2c.c 
> @@ -593,6 +593,8 @@ static void synaptics_i2c_remove(struct i2c_client *client) > if (!polling_req) > free_irq(client->irq, touch); > > + cancel_delayed_work_sync(&touch->dwork); > + The call to cancel_delayed_work_sync() happens in the close() handler for the device. I see that in resume we restart the polling without checking if the device is opened, so if we want to fix it we should add the checks there. However support for the PXA board using in the device with this touch controller (eXeda) was removed a while ago. Mike, you're one of the authors, any objections to simply removing the driver? Thanks. -- Dmitry ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] input: synaptics_i2c - cancel delayed work before freeing device
From: Minseong Kim @ 2025-12-10 5:17 UTC
To: Dmitry Torokhov
Cc: linux-input, linux-kernel, Mike Rapoport, stable, Minseong Kim

Hi Dmitry,

Thanks for the review.

Understood that cancel_delayed_work_sync() is already called from the close() handler, and that resume() can restart polling regardless of open state.

If we keep this driver, I can send a v2 that adds an open-state guard in resume(). However, if this driver is no longer used and Mike confirms there are no remaining users, I have no objections to removing it instead.

Thanks,
Minseong
* Re: [PATCH] input: synaptics_i2c - cancel delayed work before freeing device 2025-12-10 4:40 ` Dmitry Torokhov 2025-12-10 5:17 ` Minseong Kim @ 2025-12-10 12:25 ` Mike Rapoport 2025-12-13 4:38 ` Dmitry Torokhov 1 sibling, 1 reply; 5+ messages in thread From: Mike Rapoport @ 2025-12-10 12:25 UTC (permalink / raw) To: Dmitry Torokhov; +Cc: Minseong Kim, linux-input, linux-kernel, stable Hi, On Tue, Dec 09, 2025 at 08:40:54PM -0800, Dmitry Torokhov wrote: > Hi Minseong, > > On Wed, Dec 10, 2025 at 12:20:27PM +0900, Minseong Kim wrote: > > synaptics_i2c_irq() schedules touch->dwork via mod_delayed_work(). > > The delayed work performs I2C transactions and may still be running > > (or get queued) when the device is removed. > > > > synaptics_i2c_remove() currently frees 'touch' without canceling > > touch->dwork. If removal happens while the work is pending/running, > > the work handler may dereference freed memory, leading to a potential > > use-after-free. > > > > Cancel the delayed work synchronously before unregistering/freeing > > the device. > > > > Fixes: eef3e4cab72e Input: add driver for Synaptics I2C touchpad > > Reported-by: Minseong Kim <ii4gsp@gmail.com> > > Cc: stable@vger.kernel.org > > Signed-off-by: Minseong Kim <ii4gsp@gmail.com> > > --- > > drivers/input/mouse/synaptics_i2c.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/drivers/input/mouse/synaptics_i2c.c b/drivers/input/mouse/synaptics_i2c.c > > index a0d707e47d93..fe30bf9aea3a 100644 > > --- a/drivers/input/mouse/synaptics_i2c.c > > +++ b/drivers/input/mouse/synaptics_i2c.c 
> > @@ -593,6 +593,8 @@ static void synaptics_i2c_remove(struct i2c_client *client) > > if (!polling_req) > > free_irq(client->irq, touch); > > > > + cancel_delayed_work_sync(&touch->dwork); > > + > > The call to cancel_delayed_work_sync() happens in the close() handler > for the device. I see that in resume we restart the polling without > checking if the device is opened, so if we want to fix it we should add > the checks there. > > However support for the PXA board using in the device with this touch > controller (eXeda) was removed a while ago. Mike, you're one of the > authors, any objections to simply removing the driver? No objections from my side. > Thanks. > > -- > Dmitry -- Sincerely yours, Mike. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] input: synaptics_i2c - cancel delayed work before freeing device 2025-12-10 12:25 ` Mike Rapoport @ 2025-12-13 4:38 ` Dmitry Torokhov 0 siblings, 0 replies; 5+ messages in thread From: Dmitry Torokhov @ 2025-12-13 4:38 UTC (permalink / raw) To: Mike Rapoport, Marek Vasut Cc: Minseong Kim, linux-input, linux-kernel, stable On Wed, Dec 10, 2025 at 09:25:38PM +0900, Mike Rapoport wrote: > Hi, > > On Tue, Dec 09, 2025 at 08:40:54PM -0800, Dmitry Torokhov wrote: > > Hi Minseong, > > > > On Wed, Dec 10, 2025 at 12:20:27PM +0900, Minseong Kim wrote: > > > synaptics_i2c_irq() schedules touch->dwork via mod_delayed_work(). > > > The delayed work performs I2C transactions and may still be running > > > (or get queued) when the device is removed. > > > > > > synaptics_i2c_remove() currently frees 'touch' without canceling > > > touch->dwork. If removal happens while the work is pending/running, > > > the work handler may dereference freed memory, leading to a potential > > > use-after-free. > > > > > > Cancel the delayed work synchronously before unregistering/freeing > > > the device. > > > > > > Fixes: eef3e4cab72e Input: add driver for Synaptics I2C touchpad > > > Reported-by: Minseong Kim <ii4gsp@gmail.com> > > > Cc: stable@vger.kernel.org > > > Signed-off-by: Minseong Kim <ii4gsp@gmail.com> > > > --- > > > drivers/input/mouse/synaptics_i2c.c | 2 ++ > > > 1 file changed, 2 insertions(+) > > > > > > diff --git a/drivers/input/mouse/synaptics_i2c.c b/drivers/input/mouse/synaptics_i2c.c > > > index a0d707e47d93..fe30bf9aea3a 100644 > > > --- a/drivers/input/mouse/synaptics_i2c.c > > > +++ b/drivers/input/mouse/synaptics_i2c.c 
> > > @@ -593,6 +593,8 @@ static void synaptics_i2c_remove(struct i2c_client *client) > > > if (!polling_req) > > > free_irq(client->irq, touch); > > > > > > + cancel_delayed_work_sync(&touch->dwork); > > > + > > > > The call to cancel_delayed_work_sync() happens in the close() handler > > for the device. I see that in resume we restart the polling without > > checking if the device is opened, so if we want to fix it we should add > > the checks there. > > > > However support for the PXA board using in the device with this touch > > controller (eXeda) was removed a while ago. Mike, you're one of the > > authors, any objections to simply removing the driver? > > No objections from my side. Hmm, it looks like it is still referenced from arch/arm/boot/dts/nxp/mxs/imx23-sansa.dts Marek, is this device still relevant? Thanks. -- Dmitry ^ permalink raw reply [flat|nested] 5+ messages in thread