Message-ID: <xeski4dr32zbxvupofis5azlq2s6fwtnuya7f3kjfz5t7c2wnq@jbvlajechlrd>
Date: Tue, 9 Dec 2025 20:40:54 -0800
From: Dmitry Torokhov <dmitry.torokhov@...il.com>
To: Minseong Kim <ii4gsp@...il.com>, Mike Rapoport <rppt@...nel.org>
Cc: linux-input@...r.kernel.org, linux-kernel@...r.kernel.org, 
	stable@...r.kernel.org
Subject: Re: [PATCH] input: synaptics_i2c - cancel delayed work before
 freeing device

Hi Minseong,

On Wed, Dec 10, 2025 at 12:20:27PM +0900, Minseong Kim wrote:
> synaptics_i2c_irq() schedules touch->dwork via mod_delayed_work().
> The delayed work performs I2C transactions and may still be running
> (or get queued) when the device is removed.
> 
> synaptics_i2c_remove() currently frees 'touch' without canceling
> touch->dwork. If removal happens while the work is pending/running,
> the work handler may dereference freed memory, leading to a potential
> use-after-free.
> 
> Cancel the delayed work synchronously before unregistering/freeing
> the device.
> 
> Fixes: eef3e4cab72e Input: add driver for Synaptics I2C touchpad
> Reported-by: Minseong Kim <ii4gsp@...il.com>
> Cc: stable@...r.kernel.org
> Signed-off-by: Minseong Kim <ii4gsp@...il.com>
> ---
>  drivers/input/mouse/synaptics_i2c.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/input/mouse/synaptics_i2c.c b/drivers/input/mouse/synaptics_i2c.c
> index a0d707e47d93..fe30bf9aea3a 100644
> --- a/drivers/input/mouse/synaptics_i2c.c
> +++ b/drivers/input/mouse/synaptics_i2c.c
> @@ -593,6 +593,8 @@ static void synaptics_i2c_remove(struct i2c_client *client)
>  	if (!polling_req)
>  		free_irq(client->irq, touch);
>  
> +	cancel_delayed_work_sync(&touch->dwork);
> +
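
Review bot: In synaptics_i2c_remove(), the new cancel_delayed_work_sync(&touch->dwork) only closes the race if nothing can queue touch->dwork again after it returns, and the hunk does not show that. Placing the call after free_irq() covers the interrupt path named in the commit message (synaptics_i2c_irq() calling mod_delayed_work()), but when polling_req is set free_irq() is skipped, so the changelog should say what stops the work from being queued again in that mode. A one-line comment above the call explaining its ordering relative to free_irq() would also help.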

The call to cancel_delayed_work_sync() happens in the close() handler
for the device. I see that in resume we restart the polling without
checking if the device is opened, so if we want to fix it we should add
the checks there.

However, support for the PXA board used in the device with this touch
controller (eXeda) was removed a while ago. Mike, you're one of the
authors, any objections to simply removing the driver?

Thanks.

-- 
Dmitry
