From 676e9dad8847bf19ea8f227d9b18d20dddd4d765 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 23 Dec 2025 17:59:12 +0100
Subject: [PATCH] drop some input patches that broke the build
---
 ...e-pending-work-before-freeing-device.patch | 52 ----------------
 queue-5.10/series | 1 -
 ...e-pending-work-before-freeing-device.patch | 52 ----------------
 queue-5.15/series | 1 -
 ...e-pending-work-before-freeing-device.patch | 52 ----------------
 queue-6.1/series | 1 -
 ...ee-bugs-caused-by-dev3_register_work.patch | 61 -------------------
 ...e-pending-work-before-freeing-device.patch | 52 ----------------
 queue-6.6/series | 2 -
 9 files changed, 274 deletions(-)
 delete mode 100644 queue-5.10/input-lkkbd-disable-pending-work-before-freeing-device.patch
 delete mode 100644 queue-5.15/input-lkkbd-disable-pending-work-before-freeing-device.patch
 delete mode 100644 queue-6.1/input-lkkbd-disable-pending-work-before-freeing-device.patch
 delete mode 100644 queue-6.6/input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch
 delete mode 100644 queue-6.6/input-lkkbd-disable-pending-work-before-freeing-device.patch
diff --git a/queue-5.10/input-lkkbd-disable-pending-work-before-freeing-device.patch b/queue-5.10/input-lkkbd-disable-pending-work-before-freeing-device.patch
deleted file mode 100644
index cac32540b0..0000000000
--- a/queue-5.10/input-lkkbd-disable-pending-work-before-freeing-device.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
-From: Minseong Kim
-Date: Fri, 12 Dec 2025 00:29:23 -0800
-Subject: Input: lkkbd - disable pending work before freeing device
-
-From: Minseong Kim
-
-commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
-
-lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
-handler lkkbd_reinit() dereferences the lkkbd structure and its
-serio/input_dev fields.
-
-lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
-structure without preventing the reinit work from being queued again
-until serio_close() returns. This can allow the work handler to run
-after the structure has been freed, leading to a potential use-after-free.
-
-Use disable_work_sync() instead of cancel_work_sync() to ensure the
-reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
-and in lkkbd_connect() error paths after serio_open().
-
-Signed-off-by: Minseong Kim
-Cc: stable@vger.kernel.org
-Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/keyboard/lkkbd.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/input/keyboard/lkkbd.c
-+++ b/drivers/input/keyboard/lkkbd.c
-@@ -673,7 +673,8 @@ static int lkkbd_connect(struct serio *s
-
- return 0;
-
-- fail3: serio_close(serio);
-+ fail3: disable_work_sync(&lk->tq);
-+ serio_close(serio);
- fail2: serio_set_drvdata(serio, NULL);
- fail1: input_free_device(input_dev);
- kfree(lk);
-@@ -687,6 +688,8 @@ static void lkkbd_disconnect(struct seri
- {
- struct lkkbd *lk = serio_get_drvdata(serio);
-
-+ disable_work_sync(&lk->tq);
-+
- input_get_device(lk->dev);
- input_unregister_device(lk->dev);
- serio_close(serio);
diff --git a/queue-5.10/series b/queue-5.10/series
index cfe900d896..90187caea9 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -193,7 +193,6 @@ block-rnbd-clt-fix-wrong-max-id-in-ida_alloc_max.patch
 block-rnbd-clt-fix-leaked-id-in-init_dev.patch
 hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
 input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
-input-lkkbd-disable-pending-work-before-freeing-device.patch
 input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
 acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
 spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
diff --git a/queue-5.15/input-lkkbd-disable-pending-work-before-freeing-device.patch b/queue-5.15/input-lkkbd-disable-pending-work-before-freeing-device.patch
deleted file mode 100644
index cac32540b0..0000000000
--- a/queue-5.15/input-lkkbd-disable-pending-work-before-freeing-device.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
-From: Minseong Kim
-Date: Fri, 12 Dec 2025 00:29:23 -0800
-Subject: Input: lkkbd - disable pending work before freeing device
-
-From: Minseong Kim
-
-commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
-
-lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
-handler lkkbd_reinit() dereferences the lkkbd structure and its
-serio/input_dev fields.
-
-lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
-structure without preventing the reinit work from being queued again
-until serio_close() returns. This can allow the work handler to run
-after the structure has been freed, leading to a potential use-after-free.
-
-Use disable_work_sync() instead of cancel_work_sync() to ensure the
-reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
-and in lkkbd_connect() error paths after serio_open().
-
-Signed-off-by: Minseong Kim
-Cc: stable@vger.kernel.org
-Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/keyboard/lkkbd.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/input/keyboard/lkkbd.c
-+++ b/drivers/input/keyboard/lkkbd.c
-@@ -673,7 +673,8 @@ static int lkkbd_connect(struct serio *s
-
- return 0;
-
-- fail3: serio_close(serio);
-+ fail3: disable_work_sync(&lk->tq);
-+ serio_close(serio);
- fail2: serio_set_drvdata(serio, NULL);
- fail1: input_free_device(input_dev);
- kfree(lk);
-@@ -687,6 +688,8 @@ static void lkkbd_disconnect(struct seri
- {
- struct lkkbd *lk = serio_get_drvdata(serio);
-
-+ disable_work_sync(&lk->tq);
-+
- input_get_device(lk->dev);
- input_unregister_device(lk->dev);
- serio_close(serio);
diff --git a/queue-5.15/series b/queue-5.15/series
index 82618cb3f8..4f820a10d5 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -245,7 +245,6 @@ net-hns3-using-the-num_tqps-to-check-whether-tqp_ind.patch
 net-hns3-add-vlan-id-validation-before-using.patch
 hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
 input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
-input-lkkbd-disable-pending-work-before-freeing-device.patch
 input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
 acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
 spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
diff --git a/queue-6.1/input-lkkbd-disable-pending-work-before-freeing-device.patch b/queue-6.1/input-lkkbd-disable-pending-work-before-freeing-device.patch
deleted file mode 100644
index 4237777936..0000000000
--- a/queue-6.1/input-lkkbd-disable-pending-work-before-freeing-device.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
-From: Minseong Kim
-Date: Fri, 12 Dec 2025 00:29:23 -0800
-Subject: Input: lkkbd - disable pending work before freeing device
-
-From: Minseong Kim
-
-commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
-
-lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
-handler lkkbd_reinit() dereferences the lkkbd structure and its
-serio/input_dev fields.
-
-lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
-structure without preventing the reinit work from being queued again
-until serio_close() returns. This can allow the work handler to run
-after the structure has been freed, leading to a potential use-after-free.
-
-Use disable_work_sync() instead of cancel_work_sync() to ensure the
-reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
-and in lkkbd_connect() error paths after serio_open().
-
-Signed-off-by: Minseong Kim
-Cc: stable@vger.kernel.org
-Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/keyboard/lkkbd.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/input/keyboard/lkkbd.c
-+++ b/drivers/input/keyboard/lkkbd.c
-@@ -670,7 +670,8 @@ static int lkkbd_connect(struct serio *s
-
- return 0;
-
-- fail3: serio_close(serio);
-+ fail3: disable_work_sync(&lk->tq);
-+ serio_close(serio);
- fail2: serio_set_drvdata(serio, NULL);
- fail1: input_free_device(input_dev);
- kfree(lk);
-@@ -684,6 +685,8 @@ static void lkkbd_disconnect(struct seri
- {
- struct lkkbd *lk = serio_get_drvdata(serio);
-
-+ disable_work_sync(&lk->tq);
-+
- input_get_device(lk->dev);
- input_unregister_device(lk->dev);
- serio_close(serio);
diff --git a/queue-6.1/series b/queue-6.1/series
index 2b25a8e3a3..b18c911e3c 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -285,7 +285,6 @@ ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
 ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
 hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
 input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
-input-lkkbd-disable-pending-work-before-freeing-device.patch
 input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
 acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
 spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
diff --git a/queue-6.6/input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch b/queue-6.6/input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch
deleted file mode 100644
index a4706cb84b..0000000000
--- a/queue-6.6/input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From bf40644ef8c8a288742fa45580897ed0e0289474 Mon Sep 17 00:00:00 2001
-From: Duoming Zhou
-Date: Wed, 17 Dec 2025 11:00:17 +0800
-Subject: Input: alps - fix use-after-free bugs caused by dev3_register_work
-
-From: Duoming Zhou
-
-commit bf40644ef8c8a288742fa45580897ed0e0289474 upstream.
-
-The dev3_register_work delayed work item is initialized within
-alps_reconnect() and scheduled upon receipt of the first bare
-PS/2 packet from an external PS/2 device connected to the ALPS
-touchpad. During device detachment, the original implementation
-calls flush_workqueue() in psmouse_disconnect() to ensure
-completion of dev3_register_work. However, the flush_workqueue()
-in psmouse_disconnect() only blocks and waits for work items that
-were already queued to the workqueue prior to its invocation. Any
-work items submitted after flush_workqueue() is called are not
-included in the set of tasks that the flush operation awaits.
-This means that after flush_workqueue() has finished executing,
-the dev3_register_work could still be scheduled. Although the
-psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),
-the scheduling of dev3_register_work remains unaffected.
-
-The race condition can occur as follows:
-
-CPU 0 (cleanup path) | CPU 1 (delayed work)
-psmouse_disconnect() |
- psmouse_set_state() |
- flush_workqueue() | alps_report_bare_ps2_packet()
- alps_disconnect() | psmouse_queue_work()
- kfree(priv); // FREE | alps_register_bare_ps2_mouse()
- | priv = container_of(work...); // USE
- | priv->dev3 // USE
-
-Add disable_delayed_work_sync() in alps_disconnect() to ensure
-that dev3_register_work is properly canceled and prevented from
-executing after the alps_data structure has been deallocated.
-
-This bug is identified by static analysis.
-
-Fixes: 04aae283ba6a ("Input: ALPS - do not mix trackstick and external PS/2 mouse data")
-Cc: stable@kernel.org
-Signed-off-by: Duoming Zhou
-Link: https://patch.msgid.link/b57b0a9ccca51a3f06be141bfc02b9ffe69d1845.1765939397.git.duoming@zju.edu.cn
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/mouse/alps.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/input/mouse/alps.c
-+++ b/drivers/input/mouse/alps.c
-@@ -2971,6 +2971,7 @@ static void alps_disconnect(struct psmou
-
- psmouse_reset(psmouse);
- timer_shutdown_sync(&priv->timer);
-+ disable_delayed_work_sync(&priv->dev3_register_work);
- if (priv->dev2)
- input_unregister_device(priv->dev2);
- if (!IS_ERR_OR_NULL(priv->dev3))
diff --git a/queue-6.6/input-lkkbd-disable-pending-work-before-freeing-device.patch b/queue-6.6/input-lkkbd-disable-pending-work-before-freeing-device.patch
deleted file mode 100644
index 4237777936..0000000000
--- a/queue-6.6/input-lkkbd-disable-pending-work-before-freeing-device.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
-From: Minseong Kim
-Date: Fri, 12 Dec 2025 00:29:23 -0800
-Subject: Input: lkkbd - disable pending work before freeing device
-
-From: Minseong Kim
-
-commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
-
-lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
-handler lkkbd_reinit() dereferences the lkkbd structure and its
-serio/input_dev fields.
-
-lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
-structure without preventing the reinit work from being queued again
-until serio_close() returns. This can allow the work handler to run
-after the structure has been freed, leading to a potential use-after-free.
-
-Use disable_work_sync() instead of cancel_work_sync() to ensure the
-reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
-and in lkkbd_connect() error paths after serio_open().
-
-Signed-off-by: Minseong Kim
-Cc: stable@vger.kernel.org
-Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/keyboard/lkkbd.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/input/keyboard/lkkbd.c
-+++ b/drivers/input/keyboard/lkkbd.c
-@@ -670,7 +670,8 @@ static int lkkbd_connect(struct serio *s
-
- return 0;
-
-- fail3: serio_close(serio);
-+ fail3: disable_work_sync(&lk->tq);
-+ serio_close(serio);
- fail2: serio_set_drvdata(serio, NULL);
- fail1: input_free_device(input_dev);
- kfree(lk);
-@@ -684,6 +685,8 @@ static void lkkbd_disconnect(struct seri
- {
- struct lkkbd *lk = serio_get_drvdata(serio);
-
-+ disable_work_sync(&lk->tq);
-+
- input_get_device(lk->dev);
- input_unregister_device(lk->dev);
- serio_close(serio);
diff --git a/queue-6.6/series b/queue-6.6/series
index 665ccbf8e8..f1c7c5a110 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -371,8 +371,6 @@ ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
 ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
 hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
 input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
-input-lkkbd-disable-pending-work-before-freeing-device.patch
-input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch
 input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
 can-gs_usb-gs_can_open-fix-error-handling.patch
 acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch
--
2.47.3