+++ /dev/null
-From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
-From: Minseong Kim <ii4gsp@gmail.com>
-Date: Fri, 12 Dec 2025 00:29:23 -0800
-Subject: Input: lkkbd - disable pending work before freeing device
-
-From: Minseong Kim <ii4gsp@gmail.com>
-
-commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
-
-lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
-handler lkkbd_reinit() dereferences the lkkbd structure and its
-serio/input_dev fields.
-
-lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
-structure without preventing the reinit work from being queued again
-until serio_close() returns. This can allow the work handler to run
-after the structure has been freed, leading to a potential use-after-free.
-
-Use disable_work_sync() instead of cancel_work_sync() to ensure the
-reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
-and in lkkbd_connect() error paths after serio_open().
-
-Signed-off-by: Minseong Kim <ii4gsp@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/keyboard/lkkbd.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/input/keyboard/lkkbd.c
-+++ b/drivers/input/keyboard/lkkbd.c
-@@ -673,7 +673,8 @@ static int lkkbd_connect(struct serio *s
-
- return 0;
-
-- fail3: serio_close(serio);
-+ fail3: disable_work_sync(&lk->tq);
-+ serio_close(serio);
- fail2: serio_set_drvdata(serio, NULL);
- fail1: input_free_device(input_dev);
- kfree(lk);
-@@ -687,6 +688,8 @@ static void lkkbd_disconnect(struct seri
- {
- struct lkkbd *lk = serio_get_drvdata(serio);
-
-+ disable_work_sync(&lk->tq);
-+
- input_get_device(lk->dev);
- input_unregister_device(lk->dev);
- serio_close(serio);
block-rnbd-clt-fix-leaked-id-in-init_dev.patch
hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
-input-lkkbd-disable-pending-work-before-freeing-device.patch
input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
+++ /dev/null
-From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
-From: Minseong Kim <ii4gsp@gmail.com>
-Date: Fri, 12 Dec 2025 00:29:23 -0800
-Subject: Input: lkkbd - disable pending work before freeing device
-
-From: Minseong Kim <ii4gsp@gmail.com>
-
-commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
-
-lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
-handler lkkbd_reinit() dereferences the lkkbd structure and its
-serio/input_dev fields.
-
-lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
-structure without preventing the reinit work from being queued again
-until serio_close() returns. This can allow the work handler to run
-after the structure has been freed, leading to a potential use-after-free.
-
-Use disable_work_sync() instead of cancel_work_sync() to ensure the
-reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
-and in lkkbd_connect() error paths after serio_open().
-
-Signed-off-by: Minseong Kim <ii4gsp@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/keyboard/lkkbd.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/input/keyboard/lkkbd.c
-+++ b/drivers/input/keyboard/lkkbd.c
-@@ -673,7 +673,8 @@ static int lkkbd_connect(struct serio *s
-
- return 0;
-
-- fail3: serio_close(serio);
-+ fail3: disable_work_sync(&lk->tq);
-+ serio_close(serio);
- fail2: serio_set_drvdata(serio, NULL);
- fail1: input_free_device(input_dev);
- kfree(lk);
-@@ -687,6 +688,8 @@ static void lkkbd_disconnect(struct seri
- {
- struct lkkbd *lk = serio_get_drvdata(serio);
-
-+ disable_work_sync(&lk->tq);
-+
- input_get_device(lk->dev);
- input_unregister_device(lk->dev);
- serio_close(serio);
net-hns3-add-vlan-id-validation-before-using.patch
hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
-input-lkkbd-disable-pending-work-before-freeing-device.patch
input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
+++ /dev/null
-From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
-From: Minseong Kim <ii4gsp@gmail.com>
-Date: Fri, 12 Dec 2025 00:29:23 -0800
-Subject: Input: lkkbd - disable pending work before freeing device
-
-From: Minseong Kim <ii4gsp@gmail.com>
-
-commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
-
-lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
-handler lkkbd_reinit() dereferences the lkkbd structure and its
-serio/input_dev fields.
-
-lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
-structure without preventing the reinit work from being queued again
-until serio_close() returns. This can allow the work handler to run
-after the structure has been freed, leading to a potential use-after-free.
-
-Use disable_work_sync() instead of cancel_work_sync() to ensure the
-reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
-and in lkkbd_connect() error paths after serio_open().
-
-Signed-off-by: Minseong Kim <ii4gsp@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/keyboard/lkkbd.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/input/keyboard/lkkbd.c
-+++ b/drivers/input/keyboard/lkkbd.c
-@@ -670,7 +670,8 @@ static int lkkbd_connect(struct serio *s
-
- return 0;
-
-- fail3: serio_close(serio);
-+ fail3: disable_work_sync(&lk->tq);
-+ serio_close(serio);
- fail2: serio_set_drvdata(serio, NULL);
- fail1: input_free_device(input_dev);
- kfree(lk);
-@@ -684,6 +685,8 @@ static void lkkbd_disconnect(struct seri
- {
- struct lkkbd *lk = serio_get_drvdata(serio);
-
-+ disable_work_sync(&lk->tq);
-+
- input_get_device(lk->dev);
- input_unregister_device(lk->dev);
- serio_close(serio);
ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
-input-lkkbd-disable-pending-work-before-freeing-device.patch
input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
+++ /dev/null
-From bf40644ef8c8a288742fa45580897ed0e0289474 Mon Sep 17 00:00:00 2001
-From: Duoming Zhou <duoming@zju.edu.cn>
-Date: Wed, 17 Dec 2025 11:00:17 +0800
-Subject: Input: alps - fix use-after-free bugs caused by dev3_register_work
-
-From: Duoming Zhou <duoming@zju.edu.cn>
-
-commit bf40644ef8c8a288742fa45580897ed0e0289474 upstream.
-
-The dev3_register_work delayed work item is initialized within
-alps_reconnect() and scheduled upon receipt of the first bare
-PS/2 packet from an external PS/2 device connected to the ALPS
-touchpad. During device detachment, the original implementation
-calls flush_workqueue() in psmouse_disconnect() to ensure
-completion of dev3_register_work. However, the flush_workqueue()
-in psmouse_disconnect() only blocks and waits for work items that
-were already queued to the workqueue prior to its invocation. Any
-work items submitted after flush_workqueue() is called are not
-included in the set of tasks that the flush operation awaits.
-This means that after flush_workqueue() has finished executing,
-the dev3_register_work could still be scheduled. Although the
-psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),
-the scheduling of dev3_register_work remains unaffected.
-
-The race condition can occur as follows:
-
-CPU 0 (cleanup path) | CPU 1 (delayed work)
-psmouse_disconnect() |
- psmouse_set_state() |
- flush_workqueue() | alps_report_bare_ps2_packet()
- alps_disconnect() | psmouse_queue_work()
- kfree(priv); // FREE | alps_register_bare_ps2_mouse()
- | priv = container_of(work...); // USE
- | priv->dev3 // USE
-
-Add disable_delayed_work_sync() in alps_disconnect() to ensure
-that dev3_register_work is properly canceled and prevented from
-executing after the alps_data structure has been deallocated.
-
-This bug is identified by static analysis.
-
-Fixes: 04aae283ba6a ("Input: ALPS - do not mix trackstick and external PS/2 mouse data")
-Cc: stable@kernel.org
-Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
-Link: https://patch.msgid.link/b57b0a9ccca51a3f06be141bfc02b9ffe69d1845.1765939397.git.duoming@zju.edu.cn
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/mouse/alps.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/input/mouse/alps.c
-+++ b/drivers/input/mouse/alps.c
-@@ -2971,6 +2971,7 @@ static void alps_disconnect(struct psmou
-
- psmouse_reset(psmouse);
- timer_shutdown_sync(&priv->timer);
-+ disable_delayed_work_sync(&priv->dev3_register_work);
- if (priv->dev2)
- input_unregister_device(priv->dev2);
- if (!IS_ERR_OR_NULL(priv->dev3))
+++ /dev/null
-From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
-From: Minseong Kim <ii4gsp@gmail.com>
-Date: Fri, 12 Dec 2025 00:29:23 -0800
-Subject: Input: lkkbd - disable pending work before freeing device
-
-From: Minseong Kim <ii4gsp@gmail.com>
-
-commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
-
-lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
-handler lkkbd_reinit() dereferences the lkkbd structure and its
-serio/input_dev fields.
-
-lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
-structure without preventing the reinit work from being queued again
-until serio_close() returns. This can allow the work handler to run
-after the structure has been freed, leading to a potential use-after-free.
-
-Use disable_work_sync() instead of cancel_work_sync() to ensure the
-reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
-and in lkkbd_connect() error paths after serio_open().
-
-Signed-off-by: Minseong Kim <ii4gsp@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/keyboard/lkkbd.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/input/keyboard/lkkbd.c
-+++ b/drivers/input/keyboard/lkkbd.c
-@@ -670,7 +670,8 @@ static int lkkbd_connect(struct serio *s
-
- return 0;
-
-- fail3: serio_close(serio);
-+ fail3: disable_work_sync(&lk->tq);
-+ serio_close(serio);
- fail2: serio_set_drvdata(serio, NULL);
- fail1: input_free_device(input_dev);
- kfree(lk);
-@@ -684,6 +685,8 @@ static void lkkbd_disconnect(struct seri
- {
- struct lkkbd *lk = serio_get_drvdata(serio);
-
-+ disable_work_sync(&lk->tq);
-+
- input_get_device(lk->dev);
- input_unregister_device(lk->dev);
- serio_close(serio);
ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
-input-lkkbd-disable-pending-work-before-freeing-device.patch
-input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch
input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
can-gs_usb-gs_can_open-fix-error-handling.patch
acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
