From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-dy1-f174.google.com (mail-dy1-f174.google.com [74.125.82.174])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B1C4C280CFB
	for <linux-kernel@vger.kernel.org>; Sat, 11 Apr 2026 04:13:47 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.174
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775880828; cv=none; b=okQqL99E5ukICHj9HFP/qdAQSwJTrz4EyGl53heyGbfc99fO/BLP3pOVqW0UFE6XlKQb3Pl4Hu6Hc0JWMmERHpV0mByMrV0VWzYKIihb290IIpu4UvEHYfaCwjMknE34tMnPFvIOTUFUdYw5Eht34fAafj7OxHPSVDprI+lYElc=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775880828; c=relaxed/simple;
	bh=xZoJgL0pWd54xK6T7ncCbEYLmx9ZCILwjmKVz6EUJZk=;
	h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:
	 Content-Disposition; b=j75WirTlIi5BgQn7wA0ftrexGTJotT6eiceXH9wAXouL/0r3BKQoxmlkeiCC5SzqpZjH1smqT+TOIbG/c7z5hllrUCjLdFnJZEmEvs8GhroEn+rm1vcCWbKMmuj9hcWWuB8G+Jv81RfEp8cySgiJrzQcMdcpXGjzsJf+e3ac9bY=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=JGtbHY0e; arc=none smtp.client-ip=74.125.82.174
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="JGtbHY0e"
Received: by mail-dy1-f174.google.com with SMTP id 5a478bee46e88-2c156c4a9efso3928123eec.1
        for <linux-kernel@vger.kernel.org>; Fri, 10 Apr 2026 21:13:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775880827; x=1776485627; darn=vger.kernel.org;
        h=content-disposition:mime-version:message-id:subject:cc:to:from:date
         :from:to:cc:subject:date:message-id:reply-to;
        bh=R0p0IRU1KSDrxTilJ3GLn5OhWBi4jSO5LLSmcLZSXUM=;
        b=JGtbHY0ejRWBAJaUwULldIiAF4RmxjIJkGzoRC3t0u8kHBOfHsfrtPWHO4wHm+VOSV
         a/SuQQQm/tQKWkeRq4C/g4qmd3aa5dDk4EU3ERr8SdtaSDoMOO7sl3Ow8jewFL2E9zJy
         taU/dtibDyOxiFuz4vXGOOugC+jzSf2Vu23mnBra7M1kZctdVV9vjV86gcqNFUj6yCDt
         xGiV7dvhrmHs0VBUkBXS9dS/BioTTWC3UFNl8mvC02b1p6Cq0Ev/P1123WKueakC1/a6
         ePc5Fwj5v2qguNUPboF9N4gWB2SyaLeyACfVBK+Oo+UU+cywPrKoJUruLRoAPXxsOEJh
         gbOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775880827; x=1776485627;
        h=content-disposition:mime-version:message-id:subject:cc:to:from:date
         :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=R0p0IRU1KSDrxTilJ3GLn5OhWBi4jSO5LLSmcLZSXUM=;
        b=rPGa+/0jXzeO3zB3Uav8QTGsN0x+0OqBFeW18OXdsKQC0xQVeLnngGDwAnPUbnuExN
         ns3Bu2zFd7j6VHwcH6A0cYNehVne/VWLw9vOni4Rj0C7hwXNP70XwHJS+ufAAvV399pe
         qbfdFWsT5d+/yotdXA3wckceny8aP3hc3N+NwM4nTHcUAHUWbLaSqMXgS7MjaydC8Qpt
         ISV5hh/vvpVRSrIXZA7wviAaKNqHxebdCLnr1xWoAYiv8tylLSSlnB6x0+sCjzeuaX4m
         5r0ViRqVdK+E+amnsuV1iInFK1Kqkh2iIKT1QN1vTrjR4R4kPo3k/IrdimlGAYBJcWUE
         g6nA==
X-Forwarded-Encrypted: i=1; AJvYcCUmLIP780xUCdSqOtYI6hu/yV7mMV+ZdjzAJUy6HRimhpcdU6RMI+8OsuAGqykyAc+D+WcPYFVmShsDE6k=@vger.kernel.org
X-Gm-Message-State: AOJu0YzRFwFfQ+WLbzFAQ1VVh6Typc6wu5/sp1cd7HsmDIOOOJf8dXLb
	gVcZw0x+Y5ziN66lnfVQaz7V/3FzsEEiLJK4E6X8TByYRPYw/cROTJlr
X-Gm-Gg: AeBDiesJ0DObZT5UekXy0pN4Bon/fAML2ldXnU8o9iH7zQcBI9IV67qnfKbO57zWU3b
	IPZ1gFSfFhLXZXkOqkSTssnIwHZHa1s3HgAP7NATAElA88g6vcoyMTeZN059yOU4Qccx0BpUFnE
	t9eKHDZv/UDQQ+hxoUjU4UugU5uVf6G72MnGPdd6Er7voLjO595QI11xf5tA1nq4UxNnpwCNotD
	O5EFjiT05Dpg5j7Nvuw+FNfez2fG4L10mMcckxFwwhXoq7w1Mz7KBBn1g9ngp50tyuEQUYAYqXc
	j283dFHKvx6L9vq6wP2EfDXa2sZG0Fsx2BiSy7hW+aei2O+QWNFrjG50DNxbgT5ZPsu4xtBp0md
	ZjBBuJLwwd6U9JNXsWP/8bhQq/AC0jodm5AQviVt7cloH9tEAmcYVb0AQUEf01J7owZTj6yiBhe
	hqOKzdro/hxbJLxnUzq5GE4oeeukqrTlr1osxOOsootFt1kP2Fq37uG2ACE1By5PBmH8I9gG0H8
	w==
X-Received: by 2002:a05:693c:2c85:b0:2d2:cf9b:ee6e with SMTP id 5a478bee46e88-2d5895690b4mr3325634eec.22.1775880826747;
        Fri, 10 Apr 2026 21:13:46 -0700 (PDT)
Received: from google.com ([2a00:79e0:2ebe:8:39ea:e04e:4043:56c])
        by smtp.gmail.com with ESMTPSA id 5a478bee46e88-2d55f5c698esm7926503eec.6.2026.04.10.21.13.45
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 10 Apr 2026 21:13:46 -0700 (PDT)
Date: Fri, 10 Apr 2026 21:13:43 -0700
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: linux-input@vger.kernel.org
Cc: Wolfram Sang <wsa+renesas@sang-engineering.com>, 
	linux-kernel@vger.kernel.org
Subject: [PATCH] Input: edt-ft5x06 - fix use-after-free in debugfs teardown
Message-ID: <adnJicDh-bTUaWXP@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs
directory") removed the manual debugfs teardown, relying on the I2C core
to handle it. However, this creates a window where debugfs files are
still accessible after edt_ft5x06_ts_teardown_debugfs() frees
tsdata->raw_buffer.

To prevent a use-after-free, protect the freeing of raw_buffer with the
device mutex and set raw_buffer to NULL. The debugfs read function
already checks if raw_buffer is NULL under the same mutex, so this
safely avoids the use-after-free.

Fixes: 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
 drivers/input/touchscreen/edt-ft5x06.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/input/touchscreen/edt-ft5x06.c b/drivers/input/touchscreen/edt-ft5x06.c
index ba8ff65f7ea6..d3b1177185a3 100644
--- a/drivers/input/touchscreen/edt-ft5x06.c
+++ b/drivers/input/touchscreen/edt-ft5x06.c
@@ -804,7 +804,10 @@ static void edt_ft5x06_ts_prepare_debugfs(struct edt_ft5x06_ts_data *tsdata)
 
 static void edt_ft5x06_ts_teardown_debugfs(struct edt_ft5x06_ts_data *tsdata)
 {
+	guard(mutex)(&tsdata->mutex);
+
 	kfree(tsdata->raw_buffer);
+	tsdata->raw_buffer = NULL;
 }
 
 #else
-- 
2.54.0.rc0.605.g598a273b03-goog


-- 
Dmitry