From 71f5e850c53da0b3f426a838d3f1775952dc0470 Mon Sep 17 00:00:00 2001
From: Daniel Tang
Date: Thu, 30 Apr 2026 04:32:59 -0400
Subject: [PATCH] Hotfix CVE-2026-31431 for Debian
I'm hotfixing this in surface-control because the kernel builds haven't been working for weeks. This hotfixes an escalation-to-root kernel vulnerability. Apparently Fedora has it built into the kernel, so this modprobe hotfix won't work. A GRUB `initcall_blacklist=algif_aead_init` is needed.
Fixes: https://github.com/linux-surface/linux-surface/issues/2090
---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 etc/modprobe.d/surface-debian-disable-algif.conf | 2 ++
 pkg/bin/makebin | 3 +++
 pkg/deb/debian/changelog | 6 ++++++
 pkg/deb/debian/rules | 2 ++
 6 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 etc/modprobe.d/surface-debian-disable-algif.conf
diff --git a/Cargo.lock b/Cargo.lock
index fc90c6e..48bd16d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -407,7 +407,7 @@ checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
 [[package]]
 name = "surface"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
 "anyhow",
 "clap",
diff --git a/Cargo.toml b/Cargo.toml
index f46e2c0..466b595 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "surface"
-version = "0.5.0"
+version = "0.5.1"
 authors = ["Maximilian Luz "]
 description = "Control various aspects of Microsoft Surface devices on Linux from the Command-Line"
diff --git a/etc/modprobe.d/surface-debian-disable-algif.conf b/etc/modprobe.d/surface-debian-disable-algif.conf
new file mode 100644
index 0000000..be6103d
--- /dev/null
+++ b/etc/modprobe.d/surface-debian-disable-algif.conf
@@ -0,0 +1,2 @@
+# https://askubuntu.com/a/1566257/1004020
+install algif_aead /bin/false
diff --git a/pkg/bin/makebin b/pkg/bin/makebin
index a5296cb..08492aa 100755
--- a/pkg/bin/makebin
+++ b/pkg/bin/makebin
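Review bot: The new `surface-debian-disable-algif.conf` documents itself only with an Ask Ubuntu link, so an administrator who later finds `install algif_aead /bin/false` under /etc/modprobe.d cannot tell which CVE it mitigates or when it is safe to remove. I would extend the comment with a line such as `# Mitigation for CVE-2026-31431: blocks loading of algif_aead; remove once a fixed kernel is installed`. The rule only intercepts future modprobe requests, so a module that is already loaded when the package is installed stays loaded until reboot or manual unload. As the commit message itself notes for Fedora, it also has no effect where algif_aead is built into the kernel; both limits are worth stating in the file so the mitigation is not assumed to be complete.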
@@ -72,6 +72,9 @@ package() {
 mkdir -p "$pkgdir/usr/lib/systemd/system/suspend.target.wants"
 ln -sT "../surface-rapl.service" "$pkgdir/usr/lib/systemd/system/suspend.target.wants/surface-rapl.service"
+ # hotfixes
+ install -D -m644 "etc/modprobe.d/surface-debian-disable-algif.conf" "$pkgdir/etc/modprobe.d/surface-debian-disable-algif.conf"
+
 # copy license
 install -D -m644 "LICENSE" "$pkgdir/LICENSE"
diff --git a/pkg/deb/debian/changelog b/pkg/deb/debian/changelog
index a466dab..ecf1dfa 100644
--- a/pkg/deb/debian/changelog
+++ b/pkg/deb/debian/changelog
@@ -1,3 +1,9 @@
+surface-control (0.5.1-1) unstable; urgency=medium
+
+ * Hotfix kernel CVE-2026-31431
+
+ -- Daniel Tang Thu, 30 Apr 2026 04:32:59 -0400
+
 surface-control (0.5.0-1) unstable; urgency=medium
 * Add systemd service to disable Intel RAPL PL4 on resume
diff --git a/pkg/deb/debian/rules b/pkg/deb/debian/rules
index 3a8b4fd..038dfd7 100755
--- a/pkg/deb/debian/rules
+++ b/pkg/deb/debian/rules
@@ -28,5 +28,7 @@ override_dh_install:
 mkdir -p "${pkgdir}/usr/lib/systemd/system/suspend.target.wants"
 ln -sT "../surface-rapl.service" "${pkgdir}/usr/lib/systemd/system/suspend.target.wants/surface-rapl.service"
+ # hotfixes
+ install -D -m644 "etc/modprobe.d/surface-debian-disable-algif.conf" "${pkgdir}/etc/modprobe.d/surface-debian-disable-algif.conf"
 %:
 dh $@
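Review bot: The `# hotfixes` comment added in `package()` names neither the CVE the installed file mitigates nor the condition for dropping the line again, and the identical addition in `override_dh_install` in pkg/deb/debian/rules has the same gap. I would write `# hotfix for CVE-2026-31431: block algif_aead via modprobe.d; drop once fixed kernels ship` in both places. makebin also ships the file named `surface-debian-disable-algif.conf` in the generic binary package, while the commit message says the modprobe approach does not work where the module is built in. Users of that package on such kernels could assume they are covered, so the release notes should probably carry the `initcall_blacklist=algif_aead_init` hint from the description. Both function bodies start and continue outside their hunks.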