Use-After-Free (UAF) in kernel debugfs teardown (memory safety)
Description
The commit message and triage notes indicate a real memory-safety fix: a use-after-free (UAF) in the debugfs teardown path of the EDT touchscreen driver (edt-ft5x06). The patch entry explicitly mentions "fix use-after-free in debugfs teardown" and is accompanied by driver cleanups (guard()/__free() usage) aimed at ensuring proper teardown and preventing dereferences of freed memory. Most of the merge consists of broader input subsystem updates; the security-relevant change is the UAF fix in the edt-ft5x06 debugfs teardown path. This is not merely a version bump or cleanup: it is a targeted memory-safety fix, likely to prevent use-after-free exploitation when a debugfs-backed view interacts with a device that is being torn down or has been freed. The fix stabilizes the teardown sequence so that freed objects are no longer dereferenced.
Proof of Concept
Proof-of-concept (high level, requires root access):
Prereqs:
- A kernel with the edt-ft5x06 driver loaded and debugfs enabled.
- A debugfs entry for the edt-ft5x06 touchscreen (path varies by kernel; common locations include under /sys/kernel/debug).
- A connected EDT touchscreen device using the edt-ft5x06 driver.

Steps:
1) Open the debugfs entry (as a non-privileged or privileged user depending on system permissions):
   open("/sys/kernel/debug/edt/edt_debug", O_RDONLY);
2) Trigger a teardown by unbinding/removing the device/driver while the debugfs entry is still in use:
   system("bash -c 'echo 1-<addr> > /sys/bus/i2c/drivers/edt-ft5x06/unbind'");
3) While the teardown race is in progress, attempt to read from the debugfs entry:
   read(fd, buf, sizeof(buf));
4) If the underlying object has been freed but the debugfs read path still dereferences it, this can cause a kernel OOPS or crash, demonstrating the Use-After-Free condition.

Notes:
- The exact debugfs path and unbind command depend on kernel version and device tree; adapt the paths accordingly.
- This PoC is intended for lab/research environments only and should be used responsibly to verify memory-safety improvements.
Commit Details
Author: Linus Torvalds
Date: 2026-04-23 01:36 UTC
Message:
Merge tag 'input-for-v7.1-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input updates from Dmitry Torokhov:
- a new charlieplex GPIO keypad driver
- an update to aw86927 driver to support 86938 chip
- an update for Chrome OS EC keyboard driver to support Fn-<key> keymap extension
- an UAF fix in debugfs teardown in EDT touchscreen driver
- a number of conversions for input drivers to use guard() and __free() cleanup primitives
- several drivers for bus mice (inport, logibm) and other very old devices have been removed
- OLPC HGPK PS/2 protocol has been removed as it's been broken and inactive for 10 something years
- dedicated kpsmoused has been removed from psmouse driver
- other assorted cleanups and fixups
* tag 'input-for-v7.1-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: (101 commits)
Input: charlieplex_keypad - add GPIO charlieplex keypad
dt-bindings: input: add GPIO charlieplex keypad
dt-bindings: input: add settling-time-us common property
dt-bindings: input: add debounce-delay-ms common property
Input: imx_keypad - fix spelling mistake "Colums" -> "Columns"
Input: edt-ft5x06 - fix use-after-free in debugfs teardown
Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data()
Input: ct82c710 - remove driver
Input: mk712 - remove driver
Input: logibm - remove driver
Input: inport - remove driver
Input: qt1070 - inline i2c_check_functionality check
Input: qt1050 - inline i2c_check_functionality check
Input: aiptek - validate raw macro indices before updating state
Input: gf2k - skip invalid hat lookup values
Input: xpad - add RedOctane Games vendor id
Input: xpad - remove stale TODO and changelog header
Input: usbtouchscreen - refactor endpoint lookup
Input: aw86927 - add support for Awinic AW86938
dt-bindings: input: awinic,aw86927: Add Awinic AW86938
...
Triage Assessment
Vulnerability Type: Memory Safety (Use-After-Free)
Confidence: HIGH
Reasoning:
Commit mentions an explicit memory safety fix: 'an UAF fix in debugfs teardown in EDT touchscreen driver', indicating a use-after-free bug fix with security implications. Other changes are driver updates and cleanups, but the UAF fix is a direct security-relevant fix.
Verification Assessment
Vulnerability Type: Use-After-Free (UAF) in kernel debugfs teardown (memory safety)
Confidence: HIGH
Affected Versions: v7.0-rc6 and older; pre-7.1-rc0 (before the fix in the input-for-v7.1-rc0 merge)
Code Diff
diff --git a/Documentation/devicetree/bindings/auxdisplay/holtek,ht16k33.yaml b/Documentation/devicetree/bindings/auxdisplay/holtek,ht16k33.yaml
index fe1272e86467eb..1d2e2429bd21f7 100644
--- a/Documentation/devicetree/bindings/auxdisplay/holtek,ht16k33.yaml
+++ b/Documentation/devicetree/bindings/auxdisplay/holtek,ht16k33.yaml
@@ -10,6 +10,7 @@ maintainers:
- Robin van der Gracht <robin@protonic.nl>
allOf:
+ - $ref: /schemas/input/input.yaml#
- $ref: /schemas/input/matrix-keymap.yaml#
properties:
@@ -33,9 +34,7 @@ properties:
interrupts:
maxItems: 1
- debounce-delay-ms:
- maxItems: 1
- description: Debouncing interval time in milliseconds
+ debounce-delay-ms: true
linux,keymap: true
diff --git a/Documentation/devicetree/bindings/input/awinic,aw86927.yaml b/Documentation/devicetree/bindings/input/awinic,aw86927.yaml
index b7252916bd7274..bd74b81488f61d 100644
--- a/Documentation/devicetree/bindings/input/awinic,aw86927.yaml
+++ b/Documentation/devicetree/bindings/input/awinic,aw86927.yaml
@@ -11,7 +11,12 @@ maintainers:
properties:
compatible:
- const: awinic,aw86927
+ oneOf:
+ - const: awinic,aw86927
+ - items:
+ - enum:
+ - awinic,aw86938
+ - const: awinic,aw86927
reg:
maxItems: 1
diff --git a/Documentation/devicetree/bindings/input/cirrus,ep9307-keypad.yaml b/Documentation/devicetree/bindings/input/cirrus,ep9307-keypad.yaml
index a0d2460c55ab6f..25b8b29c87d707 100644
--- a/Documentation/devicetree/bindings/input/cirrus,ep9307-keypad.yaml
+++ b/Documentation/devicetree/bindings/input/cirrus,ep9307-keypad.yaml
@@ -10,6 +10,7 @@ maintainers:
- Alexander Sverdlin <alexander.sverdlin@gmail.com>
allOf:
+ - $ref: input.yaml#
- $ref: /schemas/input/matrix-keymap.yaml#
description:
@@ -37,10 +38,8 @@ properties:
clocks:
maxItems: 1
- debounce-delay-ms:
- description: |
- Time in microseconds that key must be pressed or
- released for state change interrupt to trigger.
+ # Time for state change interrupt to trigger
+ debounce-delay-ms: true
cirrus,prescale:
description: row/column counter pre-scaler load value
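Review bot: the removed description under debounce-delay-ms said "Time in microseconds" for a property whose name carries the -ms suffix, and the replacement comment "# Time for state change interrupt to trigger" drops the unit without saying which reading was right. The property now defers to the common definition pulled in by "$ref: input.yaml#", which states milliseconds, so please confirm that the driver behind this binding consumes the value as milliseconds and record that in the commit message. If the driver actually treats it as microseconds, existing device trees would validate against a schema that documents a different meaning.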
diff --git a/Documentation/devicetree/bindings/input/gpio-charlieplex-keypad.yaml b/Documentation/devicetree/bindings/input/gpio-charlieplex-keypad.yaml
new file mode 100644
index 00000000000000..c085de6dab8548
--- /dev/null
+++ b/Documentation/devicetree/bindings/input/gpio-charlieplex-keypad.yaml
@@ -0,0 +1,108 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+
+$id: http://devicetree.org/schemas/input/gpio-charlieplex-keypad.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: GPIO charlieplex keypad
+
+maintainers:
+ - Hugo Villeneuve <hvilleneuve@dimonoff.com>
+
+description: |
+ The charlieplex keypad supports N^2)-N different key combinations (where N is
+ the number of I/O lines). Key presses and releases are detected by configuring
+ only one line as output at a time, and reading other line states. This process
+ is repeated for each line. Diodes are required to ensure current flows in only
+ one direction between any pair of pins, as well as pull-up or pull-down
+ resistors on all I/O lines.
+ This mechanism doesn't allow to detect simultaneous key presses.
+
+ Wiring example for 3 lines keyboard with 6 switches and 3 diodes (pull-up/down
+ resistors not shown but needed on L0, L1 and L2):
+
+ L0 --+---------------------+----------------------+
+ | | |
+ L1 -------+-----------+---------------------+ |
+ | | | | | |
+ L2 -------------+----------------+-----+ | |
+ | | | | | | | | |
+ | | | | | | | | |
+ | S1 \ S2 \ | S3 \ S4 \ | S5 \ S6 \
+ | | | | | | | | |
+ | +--+--+ | +--+--+ | +--+--+
+ | | | | | |
+ | D1 v | D2 v | D3 v
+ | - (k) | - (k) | - (k)
+ | | | | | |
+ +-------+ +-------+ +-------+
+
+ L: GPIO line
+ S: switch
+ D: diode (k indicates cathode)
+
+allOf:
+ - $ref: input.yaml#
+ - $ref: /schemas/input/matrix-keymap.yaml#
+
+properties:
+ compatible:
+ const: gpio-charlieplex-keypad
+
+ autorepeat: true
+
+ debounce-delay-ms:
+ default: 5
+
+ line-gpios:
+ description:
+ List of GPIOs used as lines. The gpio specifier for this property
+ depends on the gpio controller to which these lines are connected.
+
+ linux,keymap: true
+
+ poll-interval: true
+
+ settling-time-us: true
+
+ wakeup-source: true
+
+required:
+ - compatible
+ - line-gpios
+ - linux,keymap
+ - poll-interval
+
+additionalProperties: false
+
+examples:
+ - |
+ #include <dt-bindings/gpio/gpio.h>
+ #include <dt-bindings/input/input.h>
+
+ keyboard {
+ compatible = "gpio-charlieplex-keypad";
+ debounce-delay-ms = <20>;
+ poll-interval = <5>;
+ settling-time-us = <2>;
+
+ line-gpios = <&gpio2 25 (GPIO_ACTIVE_HIGH | GPIO_PULL_DOWN)
+ &gpio2 26 (GPIO_ACTIVE_HIGH | GPIO_PULL_DOWN)
+ &gpio2 27 (GPIO_ACTIVE_HIGH | GPIO_PULL_DOWN)>;
+
+ /* MATRIX_KEY(output, input, key-code) */
+ linux,keymap = <
+ /*
+ * According to wiring diagram above, if L1 is configured as
+ * output and HIGH, and we detect a HIGH level on input L0,
+ * then it means S1 is pressed: MATRIX_KEY(L1, L0, KEY...)
+ */
+ MATRIX_KEY(1, 0, KEY_F1) /* S1 */
+ MATRIX_KEY(2, 0, KEY_F2) /* S2 */
+ MATRIX_KEY(0, 1, KEY_F3) /* S3 */
+ MATRIX_KEY(2, 1, KEY_F4) /* S4 */
+ MATRIX_KEY(1, 2, KEY_F5) /* S5 */
+ MATRIX_KEY(0, 2, KEY_F6) /* S6 */
+ >;
+ };
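Review bot: the first line of the description has an unbalanced parenthesis in "supports N^2)-N different key combinations"; it should read "(N^2)-N". In the same new file, line-gpios has a description but no minItems, although by the formula in the description a single line yields zero keys, so "minItems: 2" would let the schema reject a configuration that cannot work. A small wording point in the description: "doesn't allow to detect simultaneous key presses" reads better as "cannot detect simultaneous key presses".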
diff --git a/Documentation/devicetree/bindings/input/gpio-matrix-keypad.yaml b/Documentation/devicetree/bindings/input/gpio-matrix-keypad.yaml
index ebfff9e42a3653..69df24a5ae7018 100644
--- a/Documentation/devicetree/bindings/input/gpio-matrix-keypad.yaml
+++ b/Documentation/devicetree/bindings/input/gpio-matrix-keypad.yaml
@@ -18,6 +18,7 @@ description:
report the event using GPIO interrupts to the cpu.
allOf:
+ - $ref: input.yaml#
- $ref: /schemas/input/matrix-keymap.yaml#
properties:
@@ -46,9 +47,7 @@ properties:
Force GPIO polarity to active low.
In the absence of this property GPIOs are treated as active high.
- debounce-delay-ms:
- description: Debounce interval in milliseconds.
- default: 0
+ debounce-delay-ms: true
col-scan-delay-us:
description:
diff --git a/Documentation/devicetree/bindings/input/input.yaml b/Documentation/devicetree/bindings/input/input.yaml
index 94f7942189e8c4..64d1c46cb2f2ad 100644
--- a/Documentation/devicetree/bindings/input/input.yaml
+++ b/Documentation/devicetree/bindings/input/input.yaml
@@ -14,6 +14,14 @@ properties:
description: Enable autorepeat when key is pressed and held down.
type: boolean
+ debounce-delay-ms:
+ description:
+ Debounce delay in milliseconds. This is the time during which the key
+ press or release signal must remain stable before it is considered valid.
+ minimum: 0
+ maximum: 999
+ default: 0
+
linux,keycodes:
description:
Specifies an array of numeric keycode values to be used for reporting
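Review bot: the new common debounce-delay-ms definition sets "maximum: 999", and that bound now applies to every binding that references input.yaml and declares "debounce-delay-ms: true", including the ht16k33, ep9307 and gpio-matrix-keypad bindings converted in this same patch, none of which had an upper limit before. Please state in the description or the commit message why 999 is the limit, and check that no existing device tree using these bindings sets a larger value, since it would start failing schema validation.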
@@ -58,6 +66,14 @@ properties:
reset automatically. Device with key pressed reset feature can specify
this property.
+ settling-time-us:
+ description:
+ Delay, in microseconds, when activating an output line/col/row before
+ we can reliably read other input lines that maybe affected by this
+ output. This can be the case for an output with a RC circuit that affects
+ ramp-up/down times.
+ default: 0
+
dependencies:
linux,input-type: [ "linux,code" ]
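Review bot: settling-time-us is added with "default: 0" but no minimum or maximum, while debounce-delay-ms introduced earlier in this file gets both bounds; a consistent definition would at least add "minimum: 0" and, if a sensible ceiling exists, a maximum. In the description text, "input lines that maybe affected by this output" should be "may be affected".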
diff --git a/Documentation/devicetree/bindings/input/matrix-keymap.yaml b/Documentation/devicetree/bindings/input/matrix-keymap.yaml
index a715c2a773fe08..ce910e4ac823ef 100644
--- a/Documentation/devicetree/bindings/input/matrix-keymap.yaml
+++ b/Documentation/devicetree/bindings/input/matrix-keymap.yaml
@@ -4,13 +4,13 @@
$id: http://devicetree.org/schemas/input/matrix-keymap.yaml#
$schema: http://devicetree.org/meta-schemas/core.yaml#
-title: Common Key Matrices on Matrix-connected Key Boards
+title: Common Key Matrices on Matrix-connected Keyboards
maintainers:
- Olof Johansson <olof@lixom.net>
description: |
- A simple common binding for matrix-connected key boards. Currently targeted at
+ A simple common binding for matrix-connected keyboards. Currently targeted at
defining the keys in the scope of linux key codes since that is a stable and
standardized interface at this time.
diff --git a/Documentation/devicetree/bindings/input/mediatek,mt6779-keypad.yaml b/Documentation/devicetree/bindings/input/mediatek,mt6779-keypad.yaml
index e365413732e7b9..914dd3283df330 100644
--- a/Documentation/devicetree/bindings/input/mediatek,mt6779-keypad.yaml
+++ b/Documentation/devicetree/bindings/input/mediatek,mt6779-keypad.yaml
@@ -10,6 +10,7 @@ maintainers:
- Mattijs Korpershoek <mkorpershoek@kernel.org>
allOf:
+ - $ref: input.yaml#
- $ref: /schemas/input/matrix-keymap.yaml#
description: |
diff --git a/Documentation/devicetree/bindings/input/parade,tc3408.yaml b/Documentation/devicetree/bindings/input/parade,tc3408.yaml
new file mode 100644
index 00000000000000..30ffefb96c68aa
--- /dev/null
+++ b/Documentation/devicetree/bindings/input/parade,tc3408.yaml
@@ -0,0 +1,68 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/input/parade,tc3408.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Parade TC3408 touchscreen controller
+
+maintainers:
+ - Langyan Ye <yelangyan@huaqin.corp-partner.google.com>
+
+description: |
+ Parade TC3408 is a touchscreen controller supporting the I2C-HID protocol.
+ It requires a reset GPIO and two power supplies (3.3V and 1.8V).
+
+allOf:
+ - $ref: /schemas/input/touchscreen/touchscreen.yaml#
+
+properties:
+ compatible:
+ const: parade,tc3408
+
+ reg:
+ maxItems: 1
+
+ interrupts:
+ maxItems: 1
+
+ reset-gpios:
+ maxItems: 1
+
+ vcc33-supply:
+ description: The 3.3V supply to the touchscreen.
+
+ vccio-supply:
+ description: The 1.8V supply to the touchscreen.
+
+required:
+ - compatible
+ - reg
+ - interrupts
+ - reset-gpios
+ - vcc33-supply
+ - vccio-supply
+
+unevaluatedProperties: false
+
+examples:
+ - |
+ #include <dt-bindings/gpio/gpio.h>
+ #include <dt-bindings/interrupt-controller/irq.h>
+
+ i2c {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ touchscreen: touchscreen@24 {
+ compatible = "parade,tc3408";
+ reg = <0x24>;
+
+ interrupt-parent = <&pio>;
+ interrupts = <15 IRQ_TYPE_LEVEL_LOW>;
+
+ reset-gpios = <&pio 126 GPIO_ACTIVE_LOW>;
+ vcc33-supply = <&pp3300_tchscr_x>;
+ vccio-supply = <&pp1800_tchscr_report_disable>;
+ };
+ };
diff --git a/Documentation/devicetree/bindings/input/touchscreen/edt-ft5x06.yaml b/Documentation/devicetree/bindings/input/touchscreen/edt-ft5x06.yaml
index 6f90522de8c0af..68b2f160165439 100644
--- a/Documentation/devicetree/bindings/input/touchscreen/edt-ft5x06.yaml
+++ b/Documentation/devicetree/bindings/input/touchscreen/edt-ft5x06.yaml
@@ -33,19 +33,23 @@ allOf:
properties:
compatible:
- enum:
- - edt,edt-ft5206
- - edt,edt-ft5306
- - edt,edt-ft5406
- - edt,edt-ft5506
- - evervision,ev-ft5726
- - focaltech,ft3518
- - focaltech,ft5426
- - focaltech,ft5452
- - focaltech,ft6236
- - focaltech,ft8201
- - focaltech,ft8716
- - focaltech,ft8719
+ oneOf:
+ - enum:
+ - edt,edt-ft5206
+ - edt,edt-ft5306
+ - edt,edt-ft5406
+ - edt,edt-ft5506
+ - evervision,ev-ft5726
+ - focaltech,ft3518
+ - focaltech,ft5426
+ - focaltech,ft5452
+ - focaltech,ft6236
+ - focaltech,ft8201
+ - focaltech,ft8716
+ - focaltech,ft8719
+ - items:
+ - const: focaltech,ft3519
+ - const: focaltech,ft3518
reg:
maxItems: 1
diff --git a/Documentation/devicetree/bindings/input/touchscreen/sitronix,st1232.yaml b/Documentation/devicetree/bindings/input/touchscreen/sitronix,st1232.yaml
index 978afaa4fcef32..fe1fa217d8426e 100644
--- a/Documentation/devicetree/bindings/input/touchscreen/sitronix,st1232.yaml
+++ b/Documentation/devicetree/bindings/input/touchscreen/sitronix,st1232.yaml
@@ -32,6 +32,9 @@ properties:
description: A phandle to the reset GPIO
maxItems: 1
+ wakeup-source:
+ type: boolean
+
required:
- compatible
- reg
@@ -51,6 +54,7 @@ examples:
reg = <0x55>;
interrupts = <2 0>;
gpios = <&gpio1 166 0>;
+ wakeup-source;
touch-overlay {
segment-0 {
diff --git a/Documentation/devicetree/bindings/input/touchscreen/technologic,ts4800-ts.yaml b/Documentation/devicetree/bindings/input/touchscreen/technologic,ts4800-ts.yaml
new file mode 100644
index 00000000000000..c033774b4f44ef
--- /dev/null
+++ b/Documentation/devicetree/bindings/input/touchscreen/technologic,ts4800-ts.yaml
@@ -0,0 +1,42 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/input/touchscreen/technologic,ts4800-ts.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: TS-4800 Touchscreen
+
+maintainers:
+ - Eduard Bostina <egbostina@gmail.com>
+
+properties:
+ compatible:
+ const: technologic,ts4800-ts
+
+ reg:
+ maxItems: 1
+
+ syscon:
+ $ref: /schemas/types.yaml#/definitions/phandle-array
+ items:
+ - items:
+ - description: Phandle to the FPGA's syscon
+ - description: Offset to the touchscreen register
+ - description: Offset to the touchscreen enable bit
+ description: Phandle / integers array that points to the syscon node which
+ describes the FPGA's syscon registers.
+
+required:
+ - compatible
+ - reg
+ - syscon
+
+additionalProperties: false
+
+examples:
+ - |
+ touchscreen@1000 {
+ compatible = "technologic,ts4800-ts";
+ reg = <0x1000 0x100>;
+ syscon = <&fpga_syscon 0x20 3>;
+ };
diff --git a/Documentation/devicetree/bindings/input/touchscreen/trivial-touch.yaml b/Documentation/devicetree/bindings/input/touchscreen/trivial-touch.yaml
ind
... [truncated]