[PATCH v2 RESEND 2/2] Input: psmouse - Replace flush_workqueue() with disable_delayed_work_sync()

Duoming Zhou posted 2 patches 1 day, 12 hours ago
[PATCH v2 RESEND 2/2] Input: psmouse - Replace flush_workqueue() with disable_delayed_work_sync()
Posted by Duoming Zhou 1 day, 12 hours ago
The original code uses flush_workqueue() in psmouse_disconnect() to
ensure the completion of both resync_work and dev3_register_work.
Given that alps_disconnect() already uses disable_delayed_work_sync()
to cancel dev3_register_work, replacing flush_workqueue() with
disable_delayed_work_sync(&psmouse->resync_work) is more robust
and efficient.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
Changes in v2:
  - focus on the robustness and efficiency improvements of disable_delayed_work_sync(), not on the UAF aspect.

 drivers/input/mouse/psmouse-base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
index 77ea7da3b1c..eb41c553e80 100644
--- a/drivers/input/mouse/psmouse-base.c
+++ b/drivers/input/mouse/psmouse-base.c
@@ -1484,7 +1484,7 @@ static void psmouse_disconnect(struct serio *serio)
 
 	/* make sure we don't have a resync in progress */
 	mutex_unlock(&psmouse_mutex);
-	flush_workqueue(kpsmoused_wq);
+	disable_delayed_work_sync(&psmouse->resync_work);
 	mutex_lock(&psmouse_mutex);
 
 	if (serio->parent && serio->id.type == SERIO_PS_PSTHRU) {
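Review bot: the removed `flush_workqueue(kpsmoused_wq)` waited for every item queued on the shared kpsmoused_wq, while the added `disable_delayed_work_sync(&psmouse->resync_work)` covers only this one item, so any other work a protocol driver queues on that workqueue is no longer waited for here. The changelog accounts for dev3_register_work through alps_disconnect() only. Please audit the remaining users of kpsmoused_wq, then either name them in the commit message with the reason they are safe, or add the matching disable_delayed_work_sync() to their disconnect paths earlier in the series than this change.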
-- 
2.34.1
Re: [PATCH v2 RESEND 2/2] Input: psmouse - Replace flush_workqueue() with disable_delayed_work_sync()
Posted by Dmitry Torokhov 20 hours ago
On Wed, Dec 17, 2025 at 11:00:18AM +0800, Duoming Zhou wrote:
> The original code uses flush_workqueue() in psmouse_disconnect() to
> ensure the completion of both resync_work and dev3_register_work.
> Given that alps_disconnect() already uses disable_delayed_work_sync()
> to cancel dev3_register_work, replacing flush_workqueue() with
> disable_delayed_work_sync(&psmouse->resync_work) is more robust
> and efficient.
> 
> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> ---
> Changes in v2:
>   - focus on the robustness and efficiency improvements of disable_delayed_work_sync(), not on the UAF aspect.
> 
>  drivers/input/mouse/psmouse-base.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
> index 77ea7da3b1c..eb41c553e80 100644
> --- a/drivers/input/mouse/psmouse-base.c
> +++ b/drivers/input/mouse/psmouse-base.c
> @@ -1484,7 +1484,7 @@ static void psmouse_disconnect(struct serio *serio)
>  
>  	/* make sure we don't have a resync in progress */
>  	mutex_unlock(&psmouse_mutex);
> -	flush_workqueue(kpsmoused_wq);
> +	disable_delayed_work_sync(&psmouse->resync_work);
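Review bot: the comment above the changed line, `/* make sure we don't have a resync in progress */`, describes a wait, but disable_delayed_work_sync() also cancels a pending resync_work and prevents it from being queued again. Suggest updating the comment to say so, and noting why psmouse_mutex is released around the call, so a later cleanup does not move the call under the lock.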

Before we replace flush_workqueue() with disable_delayed_work_sync() we
need to also add disable_delayed_work_sync() to
drivers/input/mouse/hgpk.c that also queues work to psmouse workqueue
and relies on flushing it when disconnecting.

Thanks.

-- 
Dmitry
Re: [PATCH v2 RESEND 2/2] Input: psmouse - Replace flush_workqueue() with disable_delayed_work_sync()
Posted by duoming@zju.edu.cn 9 hours ago
On Wed, 17 Dec 2025 10:13:16 -0800 Dmitry Torokhov wrote:
> > The original code uses flush_workqueue() in psmouse_disconnect() to
> > ensure the completion of both resync_work and dev3_register_work.
> > Given that alps_disconnect() already uses disable_delayed_work_sync()
> > to cancel dev3_register_work, replacing flush_workqueue() with
> > disable_delayed_work_sync(&psmouse->resync_work) is more robust
> > and efficient.
> > 
> > Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> > ---
> > Changes in v2:
> >   - focus on the robustness and efficiency improvements of disable_delayed_work_sync(), not on the UAF aspect.
> > 
> >  drivers/input/mouse/psmouse-base.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
> > index 77ea7da3b1c..eb41c553e80 100644
> > --- a/drivers/input/mouse/psmouse-base.c
> > +++ b/drivers/input/mouse/psmouse-base.c
> > @@ -1484,7 +1484,7 @@ static void psmouse_disconnect(struct serio *serio)
> >  
> >  	/* make sure we don't have a resync in progress */
> >  	mutex_unlock(&psmouse_mutex);
> > -	flush_workqueue(kpsmoused_wq);
> > +	disable_delayed_work_sync(&psmouse->resync_work);
> 
> Before we replace flush_workqueue() with disable_delayed_work_sync() we
> need to also add disable_delayed_work_sync() to
> drivers/input/mouse/hgpk.c that also queues work to psmouse workqueue
> and relies on flushing it when disconnecting.

The delayed work item recalib_wq could never be scheduled because the
touchpad driver only supports mouse mode and the hgpk_init() function
remains disabled.

Best regards,
Duoming Zhou

Re: [PATCH v2 RESEND 2/2] Input: psmouse - Replace flush_workqueue() with disable_delayed_work_sync()
Posted by Dmitry Torokhov 8 hours ago
On Thu, Dec 18, 2025 at 01:49:03PM +0800, duoming@zju.edu.cn wrote:
> On Wed, 17 Dec 2025 10:13:16 -0800 Dmitry Torokhov wrote:
> > > The original code uses flush_workqueue() in psmouse_disconnect() to
> > > ensure the completion of both resync_work and dev3_register_work.
> > > Given that alps_disconnect() already uses disable_delayed_work_sync()
> > > to cancel dev3_register_work, replacing flush_workqueue() with
> > > disable_delayed_work_sync(&psmouse->resync_work) is more robust
> > > and efficient.
> > > 
> > > Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> > > ---
> > > Changes in v2:
> > >   - focus on the robustness and efficiency improvements of disable_delayed_work_sync(), not on the UAF aspect.
> > > 
> > >  drivers/input/mouse/psmouse-base.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
> > > index 77ea7da3b1c..eb41c553e80 100644
> > > --- a/drivers/input/mouse/psmouse-base.c
> > > +++ b/drivers/input/mouse/psmouse-base.c
> > > @@ -1484,7 +1484,7 @@ static void psmouse_disconnect(struct serio *serio)
> > >  
> > >  	/* make sure we don't have a resync in progress */
> > >  	mutex_unlock(&psmouse_mutex);
> > > -	flush_workqueue(kpsmoused_wq);
> > > +	disable_delayed_work_sync(&psmouse->resync_work);
> > 
> > Before we replace flush_workqueue() with disable_delayed_work_sync() we
> > need to also add disable_delayed_work_sync() to
> > drivers/input/mouse/hgpk.c that also queues work to psmouse workqueue
> > and relies on flushing it when disconnecting.
> 
> The delayed work item recalib_wq could never be scheduled because the
> touchpad driver only supports mouse mode and the hgpk_init() function
> remains disabled.

What do you mean? If you enable OLPC support the option to enable hgpk
protocol driver should become available, right?

Thanks.

-- 
Dmitry
Re: [PATCH v2 RESEND 2/2] Input: psmouse - Replace flush_workqueue() with disable_delayed_work_sync()
Posted by duoming@zju.edu.cn 41 minutes ago
On Wed, 17 Dec 2025 22:58:33 -0800 Dmitry Torokhov wrote:
> > > > The original code uses flush_workqueue() in psmouse_disconnect() to
> > > > ensure the completion of both resync_work and dev3_register_work.
> > > > Given that alps_disconnect() already uses disable_delayed_work_sync()
> > > > to cancel dev3_register_work, replacing flush_workqueue() with
> > > > disable_delayed_work_sync(&psmouse->resync_work) is more robust
> > > > and efficient.
> > > > 
> > > > Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> > > > ---
> > > > Changes in v2:
> > > >   - focus on the robustness and efficiency improvements of disable_delayed_work_sync(), not on the UAF aspect.
> > > > 
> > > >  drivers/input/mouse/psmouse-base.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > 
> > > > diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
> > > > index 77ea7da3b1c..eb41c553e80 100644
> > > > --- a/drivers/input/mouse/psmouse-base.c
> > > > +++ b/drivers/input/mouse/psmouse-base.c
> > > > @@ -1484,7 +1484,7 @@ static void psmouse_disconnect(struct serio *serio)
> > > >  
> > > >  	/* make sure we don't have a resync in progress */
> > > >  	mutex_unlock(&psmouse_mutex);
> > > > -	flush_workqueue(kpsmoused_wq);
> > > > +	disable_delayed_work_sync(&psmouse->resync_work);
> > > 
> > > Before we replace flush_workqueue() with disable_delayed_work_sync() we
> > > need to also add disable_delayed_work_sync() to
> > > drivers/input/mouse/hgpk.c that also queues work to psmouse workqueue
> > > and relies on flushing it when disconnecting.
> > 
> > The delayed work item recalib_wq could never be scheduled because the
> > touchpad driver only supports mouse mode and the hgpk_init() function
> > remains disabled.
> 
> What do you mean? If you enable OLPC support the option to enable hgpk
> protocol driver should become available, right?

The hgpk_init() function is never called by any other function in the
kernel and is therefore dead code. Since the delayed work item recalib_wq
is initialized within this function, it is consequently never scheduled
during runtime.

Best regards,
Duoming Zhou