CVE-2025-68822

Source: https://cve.org/CVERecord?id=CVE-2025-68822
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68822.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2025-68822
Published: 2026-01-13T15:29:24.703Z
Modified: 2026-03-23T05:29:38.772883Z
Summary
Input: alps - fix use-after-free bugs caused by dev3_register_work
Details

In the Linux kernel, the following vulnerability has been resolved:

Input: alps - fix use-after-free bugs caused by dev3_register_work

The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in psmouse_disconnect() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after flush_workqueue() has finished executing, the dev3_register_work could still be scheduled. Although the psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), the scheduling of dev3_register_work remains unaffected.

The race condition can occur as follows:

    CPU 0 (cleanup path)     | CPU 1 (delayed work)
    psmouse_disconnect()     |
      psmouse_set_state()    |
      flush_workqueue()      |
                             | alps_report_bare_ps2_packet()
      alps_disconnect()      |   psmouse_queue_work()
        kfree(priv); // FREE | alps_register_bare_ps2_mouse()
                             |   priv = container_of(work...); // USE
                             |   priv->dev3 // USE

Add disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated.

This bug is identified by static analysis.
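
The interleaving described above can be replayed deterministically in a small userspace model. This is an added example, not kernel code and not part of the upstream patch: the model_* names are hypothetical, and a freed flag stands in for kfree(priv) so that nothing is actually dereferenced after release.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model (constructed): stands in for alps_data plus dev3_register_work. */
struct model_priv {
    bool pending;         /* work is queued and has not run yet */
    int  disabled;        /* disable depth; non-zero refuses new queueing */
    bool freed;           /* set instead of calling free(), so the model is safe */
    int  runs_after_free; /* handler executions that touched freed state */
};

/* Models psmouse_queue_work(): only a disabled work item is refused. */
static bool model_queue(struct model_priv *p) {
    if (p->disabled) return false;
    p->pending = true;
    return true;
}

/* Models the handler alps_register_bare_ps2_mouse() reading priv->dev3. */
static void model_run(struct model_priv *p) {
    if (!p->pending) return;
    p->pending = false;
    if (p->freed) p->runs_after_free++;
}
/* Models flush_workqueue(): completes only work that is already queued. */
static void model_flush(struct model_priv *p) { model_run(p); }
/* Models disable_delayed_work_sync(): cancel pending work, block requeueing. */
static void model_disable_sync(struct model_priv *p) {
    p->pending = false;
    p->disabled++;
}

/* Replays the race; returns how often the handler ran on freed state. */
int replay_disconnect(bool with_fix) {
    struct model_priv p = {0};
    model_queue(&p);                      /* first bare PS/2 packet, before detach */
    model_flush(&p);                      /* psmouse_disconnect(): flush_workqueue() */
    model_queue(&p);                      /* CPU 1: packet arrives after the flush */
    if (with_fix) model_disable_sync(&p); /* alps_disconnect() with the fix */
    model_queue(&p);                      /* another packet just before the free */
    p.freed = true;                       /* kfree(priv) */
    model_run(&p);                        /* delayed work fires */
    return p.runs_after_free;
}

int main(void) {
    printf("unfixed=%d fixed=%d\n", replay_disconnect(false), replay_disconnect(true));
    return 0;
}
```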

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68822.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 04aae283ba6a8cd4851d937bf9c6d6ef0361d794
  Fixed: ed8c61b89be0c45f029228b2913d5cf7b5cda1a7
  Fixed: a9c115e017b2c633d25bdfe6709dda6fc36f08c2
  Fixed: bf40644ef8c8a288742fa45580897ed0e0289474

Database specific

source: "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68822.json"

Linux / Kernel

Package name: Kernel

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 4.0.0
  Fixed: 6.12.64

Type: ECOSYSTEM
Events:
  Introduced: 6.13.0
  Fixed: 6.18.3

Database specific

source: "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68822.json"