VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2025-68822

Description

In the Linux kernel, the following vulnerability has been resolved:

Input: alps - fix use-after-free bugs caused by dev3_register_work

The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in psmouse_disconnect() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after flush_workqueue() has finished executing, the dev3_register_work could still be scheduled. Although the psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), the scheduling of dev3_register_work remains unaffected.

The race condition can occur as follows:

    CPU 0 (cleanup path)     | CPU 1 (delayed work)
    psmouse_disconnect()     |
      psmouse_set_state()    |
      flush_workqueue()      |
                             | alps_report_bare_ps2_packet()
      alps_disconnect()      |   psmouse_queue_work()
        kfree(priv); // FREE | alps_register_bare_ps2_mouse()
                             |   priv = container_of(work...); // USE
                             |   priv->dev3 // USE

Add disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated.

This bug is identified by static analysis.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's ALPS touchpad driver due to a race between delayed work scheduling and device cleanup.

Vulnerability

In the Linux kernel's ALPS touchpad driver, a use-after-free bug exists in the handling of dev3_register_work, a delayed work item initialized during alps_reconnect() and scheduled upon receiving the first bare PS/2 packet from an external PS/2 device connected to the touchpad. The root cause is a race condition between the cleanup path and the delayed work execution. During device detachment, psmouse_disconnect() calls flush_workqueue() to wait for queued work items, but this only blocks for work already queued before the flush call. Work items submitted after flush_workqueue() returns are not awaited, so dev3_register_work can still be scheduled after the flush completes. Although the psmouse state is set to PSMOUSE_CMD_MODE, this does not prevent scheduling of the delayed work.

Exploitation

An attacker would need physical access to the system to connect an external PS/2 device to the ALPS touchpad port, triggering the bare PS/2 packet that schedules dev3_register_work. The race occurs when the work is triggered during device disconnection (e.g., when the touchpad is removed or the driver is unbound). No authentication is required, but the attacker must be able to cause the device to be disconnected while the delayed work is pending or being scheduled.

Impact

If the race is successfully exploited, the delayed work executes after alps_disconnect() has freed the alps_data structure (priv). The work function then dereferences the freed memory, leading to a use-after-free. This can result in memory corruption, system crash, or potentially arbitrary code execution in kernel context, depending on the state of the freed memory.

Mitigation

The fix adds disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure is deallocated. The patch has been applied to the Linux kernel stable tree [1]. Users should update to a kernel version containing this commit to mitigate the vulnerability.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
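
The ordering described above, replayed in a small single-threaded userspace C model to show why a flush is not enough and what disabling the work item changes. This is an added example, not kernel code or part of the patch; the model_* names are hypothetical, and kfree(priv) is represented by a flag so nothing is actually freed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model (hypothetical names), not kernel code: one delayed work
 * item embedded in a private struct, as dev3_register_work is in alps_data. */
struct model_work { bool pending; bool disabled; };
struct model_priv { struct model_work dev3_register_work; bool freed; };

/* Queueing succeeds unless the item is disabled or already pending. */
static bool model_queue(struct model_work *w)
{
    if (w->disabled || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Flush: completes only work queued before the call. It leaves no state
 * behind, so work queued afterwards is accepted as usual. */
static void model_flush(struct model_work *w) { w->pending = false; }

/* Disable-sync: cancels pending work and rejects all later queueing,
 * the property the fix relies on. */
static void model_disable_sync(struct model_work *w)
{
    w->pending = false;
    w->disabled = true;
}

/* Replays the advisory's interleaving. Returns true if the work handler
 * would run against an already-freed priv (the use-after-free condition). */
bool model_disconnect_races(bool use_disable_sync)
{
    struct model_priv priv = { { false, false }, false };

    model_flush(&priv.dev3_register_work);   /* CPU 0: psmouse_disconnect() */
    model_queue(&priv.dev3_register_work);   /* CPU 1: bare PS/2 packet after the flush */
    if (use_disable_sync)                    /* CPU 0: alps_disconnect() with the fix */
        model_disable_sync(&priv.dev3_register_work);
    priv.freed = true;                       /* CPU 0: kfree(priv), modelled as a flag */

    /* CPU 1: the delayed work fires only if it is still pending. */
    return priv.dev3_register_work.pending && priv.freed;
}
```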
