[PATCH 0/2] Input: alps/psmouse: Fix UAF bugs and improve workqueue synchronization

[PATCH 0/2] Input: alps/psmouse: Fix UAF bugs and improve workqueue synchronization

[Duoming Zhou]

This patch series addresses use-after-free bugs in the ALPS
touchpad driver and enhances workqueue handling efficiency
in the psmouse subsystem.

The first patch fixes a critical use-after-free race condition
in the ALPS driver where dev3_register_work could be scheduled
after the alps_data structure was already freed. This was caused
by insufficient synchronization during device disconnection,
where flush_workqueue() couldn't prevent subsequent work item
submissions.

The second patch optimizes the psmouse disconnect path by replacing
flush_workqueue() with disable_delayed_work_sync() for better
efficiency and robustness.

Duoming Zhou (2):
  Input: alps - fix use-after-free bugs caused by dev3_register_work
  Input: psmouse - Replace flush_workqueue() with
    disable_delayed_work_sync()

 drivers/input/mouse/alps.c         | 1 +
 drivers/input/mouse/psmouse-base.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

-- 
2.34.1

[PATCH 1/2] Input: alps - fix use-after-free bugs caused by dev3_register_work

[Duoming Zhou]

The dev3_register_work delayed work item is initialized within
alps_reconnect() and scheduled upon receipt of the first bare
PS/2 packet from an external PS/2 device connected to the ALPS
touchpad. During device detachment, the original implementation
calls flush_workqueue() in psmouse_disconnect() to ensure
completion of dev3_register_work. However, the flush_workqueue()
in psmouse_disconnect() only blocks and waits for work items that
were already queued to the workqueue prior to its invocation. Any
work items submitted after flush_workqueue() is called are not
included in the set of tasks that the flush operation awaits.
This means that after flush_workqueue() has finished executing,
the dev3_register_work could still be scheduled. Although the
psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),
the scheduling of dev3_register_work remains unaffected.

The race condition can occur as follows:

CPU 0 (cleanup path)     | CPU 1 (delayed work)
psmouse_disconnect()     |
  psmouse_set_state()    |
  flush_workqueue()      | alps_report_bare_ps2_packet()
  alps_disconnect()      |   psmouse_queue_work()
    kfree(priv); // FREE | alps_register_bare_ps2_mouse()
                         |   priv = container_of(work...); // USE
                         |   priv->dev3 // USE

Add disable_delayed_work_sync() in alps_disconnect() to ensure
that dev3_register_work is properly canceled and prevented from
executing after the alps_data structure has been deallocated.

This bug is identified by static analysis.

Fixes: 04aae283ba6a ("Input: ALPS - do not mix trackstick and external PS/2 mouse data")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
 drivers/input/mouse/alps.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
index d0cb9fb9482..df8953a5196 100644
--- a/drivers/input/mouse/alps.c
+++ b/drivers/input/mouse/alps.c
@@ -2975,6 +2975,7 @@ static void alps_disconnect(struct psmouse *psmouse)
 
 	psmouse_reset(psmouse);
 	timer_shutdown_sync(&priv->timer);
+	disable_delayed_work_sync(&priv->dev3_register_work);
 	if (priv->dev2)
 		input_unregister_device(priv->dev2);
 	if (!IS_ERR_OR_NULL(priv->dev3))
-- 
2.34.1

[PATCH 2/2] Input: psmouse - Replace flush_workqueue() with disable_delayed_work_sync()

[Duoming Zhou]

The original code uses flush_workqueue() in psmouse_disconnect() to
ensure the completion of both resync_work and dev3_register_work.
Given that alps_disconnect() already uses disable_delayed_work_sync()
to cancel dev3_register_work, replacing flush_workqueue() with
disable_delayed_work_sync(&psmouse->resync_work) is more robust
and efficient.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
 drivers/input/mouse/psmouse-base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
index 77ea7da3b1c..eb41c553e80 100644
--- a/drivers/input/mouse/psmouse-base.c
+++ b/drivers/input/mouse/psmouse-base.c
@@ -1484,7 +1484,7 @@ static void psmouse_disconnect(struct serio *serio)
 
 	/* make sure we don't have a resync in progress */
 	mutex_unlock(&psmouse_mutex);
-	flush_workqueue(kpsmoused_wq);
+	disable_delayed_work_sync(&psmouse->resync_work);
 	mutex_lock(&psmouse_mutex);
 
 	if (serio->parent && serio->id.type == SERIO_PS_PSTHRU) {
-- 
2.34.1

Re: [PATCH 0/2] Input: alps/psmouse: Fix UAF bugs and improve workqueue synchronization

[Andy Shevchenko]

On Sat, Nov 08, 2025 at 08:40:03PM +0800, Duoming Zhou wrote:
> This patch series addresses use-after-free bugs in the ALPS
> touchpad driver and enhances workqueue handling efficiency
> in the psmouse subsystem.
> 
> The first patch fixes a critical use-after-free race condition
> in the ALPS driver where dev3_register_work could be scheduled
> after the alps_data structure was already freed. This was caused
> by insufficient synchronization during device disconnection,
> where flush_workqueue() couldn't prevent subsequent work item
> submissions.
> 
> The second patch optimizes the psmouse disconnect path by replacing
> flush_workqueue() with disable_delayed_work_sync() for better
> efficiency and robustness.

You forgot two things:
1) make it v2 (run `git format-patch -v<X> ...` where <X> is the version);
2) changelog.

No need to resend (unless requested by the maintainer), just reply with the
missed changelog for now.

-- 
With Best Regards,
Andy Shevchenko

Re: [PATCH 0/2] Input: alps/psmouse: Fix UAF bugs and improve workqueue synchronization

[duoming]

On Sun, 09 Nov 2025 18:13:38 +0200, Andy Shevchenko wrote:
> > This patch series addresses use-after-free bugs in the ALPS
> > touchpad driver and enhances workqueue handling efficiency
> > in the psmouse subsystem.
> > 
> > The first patch fixes a critical use-after-free race condition
> > in the ALPS driver where dev3_register_work could be scheduled
> > after the alps_data structure was already freed. This was caused
> > by insufficient synchronization during device disconnection,
> > where flush_workqueue() couldn't prevent subsequent work item
> > submissions.
> > 
> > The second patch optimizes the psmouse disconnect path by replacing
> > flush_workqueue() with disable_delayed_work_sync() for better
> > efficiency and robustness.
> 
> You forgot two things:
> 1) make it v2 (run `git format-patch -v<X> ...` where <X> is the version);
> 2) changelog.
> 
> No need to resend (unless requested by the maintainer), just reply with the
> missed changelog for now.

The changes in this version include the following:
1) Split the original patch into two separate patches (psmouse-base and alps).
2) For the psmouse patch, focus on the robustness and efficiency improvements
   of disable_delayed_work_sync(), not on the UAF aspect.

Best Regards,
Duoming Zhou