Hi Minseong,
On Wed, Dec 10, 2025 at 12:20:27PM +0900, Minseong Kim wrote:
synaptics_i2c_irq() schedules touch->dwork via mod_delayed_work(). The delayed work performs I2C transactions and may still be running (or get queued) when the device is removed.
synaptics_i2c_remove() currently frees 'touch' without canceling touch->dwork. If removal happens while the work is pending/running, the work handler may dereference freed memory, leading to a potential use-after-free.
Cancel the delayed work synchronously before unregistering/freeing the device.
Fixes: eef3e4cab72e ("Input: add driver for Synaptics I2C touchpad")
Reported-by: Minseong Kim <ii4gsp@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Minseong Kim <ii4gsp@gmail.com>
 drivers/input/mouse/synaptics_i2c.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/input/mouse/synaptics_i2c.c b/drivers/input/mouse/synaptics_i2c.c index a0d707e47d93..fe30bf9aea3a 100644 --- a/drivers/input/mouse/synaptics_i2c.c +++ b/drivers/input/mouse/synaptics_i2c.c @@ -593,6 +593,8 @@ static void synaptics_i2c_remove(struct i2c_client *client) if (!polling_req) free_irq(client->irq, touch);
- cancel_delayed_work_sync(&touch->dwork);
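Review bot: The cancel_delayed_work_sync(&touch->dwork) call placed after the "if (!polling_req) free_irq(client->irq, touch);" context in synaptics_i2c_remove() is ordered sensibly against the IRQ handler, but the changelog does not say which path can leave dwork queued at the time remove() runs. It names only synaptics_i2c_irq() calling mod_delayed_work(); when polling_req is set, free_irq() is skipped, so the message should also state what arms the work in that mode and confirm that nothing can re-arm dwork between this call and the point where 'touch' is freed.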
The call to cancel_delayed_work_sync() happens in the close() handler for the device. I see that in resume we restart the polling without checking if the device is opened, so if we want to fix it we should add the checks there.
However, support for the PXA board used in the device with this touch controller (eXeda) was removed a while ago. Mike, you're one of the authors, any objections to simply removing the driver?
Thanks.