8 files changed, 664 insertions, 0 deletions

diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch b/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch
new file mode 100644
index 0000000000..313c0c5eb2
--- /dev/null
+++ b/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch
@@ -0,0 +1,360 @@
+From 2a8b8fde90d63d48ce09ddae44142674bbca1c28 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 30 Mar 2022 09:25:22 +1000
+Subject: [PATCH] evdev: strip the device name of format directives
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a format string vulnerabilty.
+
+evdev_log_message() composes a format string consisting of a fixed
+prefix (including the rendered device name) and the passed-in format
+buffer. This format string is then passed with the arguments to the
+actual log handler, which usually and eventually ends up being printf.
+
+If the device name contains a printf-style format directive, these ended
+up in the format string and thus get interpreted correctly, e.g. for a
+device "Foo%sBar" the log message vs printf invocation ends up being:
+  evdev_log_message(device, "some message %s", "some argument");
+  printf("event9 - Foo%sBar: some message %s", "some argument");
+
+This can enable an attacker to execute malicious code with the
+privileges of the process using libinput.
+
+To exploit this, an attacker needs to be able to create a kernel device
+with a malicious name, e.g. through /dev/uinput or a Bluetooth device.
+
+To fix this, convert any potential format directives in the device name
+by duplicating percentages.
+
+Pre-rendering the device to avoid the issue altogether would be nicer
+but the current log level hooks do not easily allow for this. The device
+name is the only user-controlled part of the format string.
+
+A second potential issue is the sysname of the device which is also
+sanitized.
+
+This issue was found by Albin Eldstål-Ahrens and Benjamin Svensson from
+Assured AB, and independently by Lukas Lamster.
+
+Fixes #752
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit a423d7d3269dc32a87384f79e29bb5ac021c83d1)
+
+CVE: CVE-2022-1215
+Upstream Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ meson.build                        |  1 +
+ src/evdev.c                        | 31 +++++++++++------
+ src/evdev.h                        |  6 ++--
+ src/util-strings.h                 | 30 ++++++++++++++++
+ test/litest-device-format-string.c | 56 ++++++++++++++++++++++++++++++
+ test/litest.h                      |  1 +
+ test/test-utils.c                  | 26 ++++++++++++++
+ 7 files changed, 139 insertions(+), 12 deletions(-)
+ create mode 100644 test/litest-device-format-string.c
+
+diff --git a/meson.build b/meson.build
+index 90f528e6..1f6159e7 100644
+--- a/meson.build
++++ b/meson.build
+@@ -787,6 +787,7 @@
+                'test/litest-device-dell-canvas-totem-touch.c',
+                'test/litest-device-elantech-touchpad.c',
+                'test/litest-device-elan-tablet.c',
++               'test/litest-device-format-string.c',
+                'test/litest-device-generic-singletouch.c',
+                'test/litest-device-gpio-keys.c',
+                'test/litest-device-huion-pentablet.c',
+diff --git a/src/evdev.c b/src/evdev.c
+index 6d81f58f..d1c35c07 100644
+--- a/src/evdev.c
++++ b/src/evdev.c
+@@ -2356,19 +2356,19 @@ evdev_device_create(struct libinput_seat *seat,
+        struct libinput *libinput = seat->libinput;
+        struct evdev_device *device = NULL;
+        int rc;
+-       int fd;
++       int fd = -1;
+        int unhandled_device = 0;
+        const char *devnode = udev_device_get_devnode(udev_device);
+-       const char *sysname = udev_device_get_sysname(udev_device);
++       char *sysname = str_sanitize(udev_device_get_sysname(udev_device));
+ 
+        if (!devnode) {
+                log_info(libinput, "%s: no device node associated\n", sysname);
+-               return NULL;
++               goto err;
+        }
+ 
+        if (udev_device_should_be_ignored(udev_device)) {
+                log_debug(libinput, "%s: device is ignored\n", sysname);
+-               return NULL;
++               goto err;
+        }
+ 
+        /* Use non-blocking mode so that we can loop on read on
+@@ -2382,13 +2382,15 @@ evdev_device_create(struct libinput_seat *seat,
+                         sysname,
+                         devnode,
+                         strerror(-fd));
+-               return NULL;
++               goto err;
+        }
+ 
+        if (!evdev_device_have_same_syspath(udev_device, fd))
+                goto err;
+ 
+        device = zalloc(sizeof *device);
++       device->sysname = sysname;
++       sysname = NULL;
+ 
+        libinput_device_init(&device->base, seat);
+        libinput_seat_ref(seat);
+@@ -2411,6 +2413,9 @@ evdev_device_create(struct libinput_seat *seat,
+        device->dispatch = NULL;
+        device->fd = fd;
+        device->devname = libevdev_get_name(device->evdev);
++       /* the log_prefix_name is used as part of a printf format string and
++        * must not contain % directives, see evdev_log_msg */
++       device->log_prefix_name = str_sanitize(device->devname);
+        device->scroll.threshold = 5.0; /* Default may be overridden */
+        device->scroll.direction_lock_threshold = 5.0; /* Default may be overridden */
+        device->scroll.direction = 0;
+@@ -2238,9 +2238,14 @@
+        return device;
+ 
+ err:
+-       close_restricted(libinput, fd);
+-       if (device)
+-               evdev_device_destroy(device);
++       if (fd >= 0) {
++               close_restricted(libinput, fd);
++               if (device) {
++                       unhandled_device = device->seat_caps == 0;
++                       evdev_device_destroy(device);
++               }
++            }
++        free(sysname);
+ 
+        return unhandled_device ? EVDEV_UNHANDLED_DEVICE :  NULL;
+ }
+@@ -2469,7 +2478,7 @@ evdev_device_get_output(struct evdev_device *device)
+ const char *
+ evdev_device_get_sysname(struct evdev_device *device)
+ {
+-       return udev_device_get_sysname(device->udev_device);
++       return device->sysname;
+ }
+ 
+ const char *
+@@ -3066,6 +3075,8 @@ evdev_device_destroy(struct evdev_device *device)
+        if (device->base.group)
+                libinput_device_group_unref(device->base.group);
+ 
++       free(device->log_prefix_name);
++       free(device->sysname);
+        free(device->output_name);
+        filter_destroy(device->pointer.filter);
+        libinput_timer_destroy(&device->scroll.timer);
+diff --git a/src/evdev.h b/src/evdev.h
+index c7d130f8..980c5943 100644
+--- a/src/evdev.h
++++ b/src/evdev.h
+@@ -169,6 +169,8 @@ struct evdev_device {
+        struct udev_device *udev_device;
+        char *output_name;
+        const char *devname;
++       char *log_prefix_name;
++       char *sysname;
+        bool was_removed;
+        int fd;
+        enum evdev_device_seat_capability seat_caps;
+@@ -786,7 +788,7 @@ evdev_log_msg(struct evdev_device *device,
+                 sizeof(buf),
+                 "%-7s - %s%s%s",
+                 evdev_device_get_sysname(device),
+-                (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ?  device->devname : "",
++                (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ?  device->log_prefix_name : "",
+                 (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ?  ": " : "",
+                 format);
+ 
+@@ -824,7 +826,7 @@ evdev_log_msg_ratelimit(struct evdev_device *device,
+                 sizeof(buf),
+                 "%-7s - %s%s%s",
+                 evdev_device_get_sysname(device),
+-                (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ?  device->devname : "",
++                (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ?  device->log_prefix_name : "",
+                 (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ?  ": " : "",
+                 format);
+ 
+diff --git a/src/util-strings.h b/src/util-strings.h
+index 2a15fab3..d5a84146 100644
+--- a/src/util-strings.h
++++ b/src/util-strings.h
+@@ -42,6 +42,7 @@
+ #ifdef HAVE_XLOCALE_H
+ #include <xlocale.h>
+ #endif
++#include "util-macros.h"
+ 
+ #define streq(s1, s2) (strcmp((s1), (s2)) == 0)
+ #define strneq(s1, s2, n) (strncmp((s1), (s2), (n)) == 0)
+@@ -312,3 +313,31 @@
+        free(result);
+        return -1;
+ }
++
++/**
++ * Return a copy of str with all % converted to %% to make the string
++ * acceptable as printf format.
++ */
++static inline char *
++str_sanitize(const char *str)
++{
++       if (!str)
++               return NULL;
++
++       if (!strchr(str, '%'))
++               return strdup(str);
++
++       size_t slen = min(strlen(str), 512);
++       char *sanitized = zalloc(2 * slen + 1);
++       const char *src = str;
++       char *dst = sanitized;
++
++       for (size_t i = 0; i < slen; i++) {
++               if (*src == '%')
++                       *dst++ = '%';
++               *dst++ = *src++;
++       }
++       *dst = '\0';
++
++       return sanitized;
++}
+diff --git a/test/litest-device-format-string.c b/test/litest-device-format-string.c
+new file mode 100644
+index 00000000..aed15db4
+--- /dev/null
++++ b/test/litest-device-format-string.c
+@@ -0,0 +1,56 @@
++
++/*
++ * Copyright © 2013 Red Hat, Inc.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++ * DEALINGS IN THE SOFTWARE.
++ */
++
++#include "config.h"
++
++#include "litest.h"
++#include "litest-int.h"
++
++static struct input_id input_id = {
++       .bustype = 0x3,
++       .vendor = 0x0123,
++       .product = 0x0456,
++};
++
++static int events[] = {
++       EV_KEY, BTN_LEFT,
++       EV_KEY, BTN_RIGHT,
++       EV_KEY, BTN_MIDDLE,
++       EV_REL, REL_X,
++       EV_REL, REL_Y,
++       EV_REL, REL_WHEEL,
++       EV_REL, REL_WHEEL_HI_RES,
++       -1 , -1,
++};
++
++TEST_DEVICE("mouse-format-string",
++       .type = LITEST_MOUSE_FORMAT_STRING,
++       .features = LITEST_RELATIVE | LITEST_BUTTON | LITEST_WHEEL,
++       .interface = NULL,
++
++       .name = "Evil %s %d %x Mouse %p %",
++       .id = &input_id,
++       .absinfo = NULL,
++       .events = events,
++)
+diff --git a/test/litest.h b/test/litest.h
+index 4982e516..1b1daa90 100644
+--- a/test/litest.h
++++ b/test/litest.h
+@@ -303,6 +303,7 @@
+        LITEST_ALPS_3FG,
+        LITEST_ELAN_TABLET,
+        LITEST_ABSINFO_OVERRIDE,
++        LITEST_MOUSE_FORMAT_STRING,
+ };
+ 
+ #define LITEST_DEVICELESS      -2
+diff --git a/test/test-utils.c b/test/test-utils.c
+index 989adecd..e80754be 100644
+--- a/test/test-utils.c
++++ b/test/test-utils.c
+@@ -1267,6 +1267,31 @@ START_TEST(strstartswith_test)
+ }
+ END_TEST
+ 
++START_TEST(strsanitize_test)
++{
++       struct strsanitize_test {
++               const char *string;
++               const char *expected;
++       } tests[] = {
++               { "foobar", "foobar" },
++               { "", "" },
++               { "%", "%%" },
++               { "%%%%", "%%%%%%%%" },
++               { "x %s", "x %%s" },
++               { "x %", "x %%" },
++               { "%sx", "%%sx" },
++               { "%s%s", "%%s%%s" },
++               { NULL, NULL },
++       };
++
++       for (struct strsanitize_test *t = tests; t->string; t++) {
++               char *sanitized = str_sanitize(t->string);
++               ck_assert_str_eq(sanitized, t->expected);
++               free(sanitized);
++       }
++}
++END_TEST
++
+ START_TEST(list_test_insert)
+ {
+        struct list_test {
+@@ -1138,6 +1138,7 @@
+        tcase_add_test(tc, strsplit_test);
+        tcase_add_test(tc, kvsplit_double_test);
+        tcase_add_test(tc, strjoin_test);
++       tcase_add_test(tc, strsanitize_test);
+        tcase_add_test(tc, time_conversion);
+ 
+        tcase_add_test(tc, list_test_insert);
+
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/wayland/libinput_1.15.2.bb b/meta/recipes-graphics/wayland/libinput_1.15.2.bb
index 810532774e..d7927d132a 100644
--- a/meta/recipes-graphics/wayland/libinput_1.15.2.bb
+++ b/meta/recipes-graphics/wayland/libinput_1.15.2.bb
@@ -14,6 +14,7 @@ DEPENDS = "libevdev udev mtdev"
 
 SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BP}.tar.xz \
            file://determinism.patch \
+           file://CVE-2022-1215.patch \
            "
 SRC_URI[md5sum] = "eb6bd2907ad33d53954d70dfb881a643"
 SRC_URI[sha256sum] = "971c3fbfb624f95c911adeb2803c372e4e3647d1b98f278f660051f834597747"
diff --git a/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch
new file mode 100644
index 0000000000..df204508e9
--- /dev/null
+++ b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch
@@ -0,0 +1,111 @@
+From 5eed6609619cc2e4eaa8618d11c15d442abf54be Mon Sep 17 00:00:00 2001
+From: Derek Foreman <derek.foreman@collabora.com>
+Date: Fri, 28 Jan 2022 13:18:37 -0600
+Subject: [PATCH] util: Limit size of wl_map
+
+Since server IDs are basically indistinguishable from really big client
+IDs at many points in the source, it's theoretically possible to overflow
+a map and either overflow server IDs into the client ID space, or grow
+client IDs into the server ID space. This would currently take a massive
+amount of RAM, but the definition of massive changes yearly.
+
+Prevent this by placing a ridiculous but arbitrary upper bound on the
+number of items we can put in a map: 0xF00000, somewhere over 15 million.
+This should satisfy pathological clients without restriction, but stays
+well clear of the 0xFF000000 transition point between server and client
+IDs. It will still take an improbable amount of RAM to hit this, and a
+client could still exhaust all RAM in this way, but our goal is to prevent
+overflow and undefined behaviour.
+
+Fixes #224
+
+Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3782
+
+Reference to upstream patch:
+https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2
+
+[DP: adjust context for wayland version 1.20.0]
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+---
+ src/wayland-private.h |  1 +
+ src/wayland-util.c    | 25 +++++++++++++++++++++++--
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/wayland-private.h b/src/wayland-private.h
+index 9bf8cb7..35dc40e 100644
+--- a/src/wayland-private.h
++++ b/src/wayland-private.h
+@@ -45,6 +45,7 @@
+ #define WL_MAP_SERVER_SIDE 0
+ #define WL_MAP_CLIENT_SIDE 1
+ #define WL_SERVER_ID_START 0xff000000
++#define WL_MAP_MAX_OBJECTS 0x00f00000
+ #define WL_CLOSURE_MAX_ARGS 20
+ 
+ struct wl_object {
+diff --git a/src/wayland-util.c b/src/wayland-util.c
+index d5973bf..3e45d19 100644
+--- a/src/wayland-util.c
++++ b/src/wayland-util.c
+@@ -195,6 +195,7 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
+        union map_entry *start, *entry;
+        struct wl_array *entries;
+        uint32_t base;
++       uint32_t count;
+ 
+        if (map->side == WL_MAP_CLIENT_SIDE) {
+                entries = &map->client_entries;
+@@ -215,10 +216,25 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
+                start = entries->data;
+        }
+ 
++       /* wl_array only grows, so if we have too many objects at
++        * this point there's no way to clean up. We could be more
++        * pro-active about trying to avoid this allocation, but
++        * it doesn't really matter because at this point there is
++        * nothing to be done but disconnect the client and delete
++        * the whole array either way.
++        */
++       count = entry - start;
++       if (count > WL_MAP_MAX_OBJECTS) {
++               /* entry->data is freshly malloced garbage, so we'd
++                * better make it a NULL so wl_map_for_each doesn't
++                * dereference it later. */
++               entry->data = NULL;
++               return 0;
++       }
+        entry->data = data;
+        entry->next |= (flags & 0x1) << 1;
+ 
+-       return (entry - start) + base;
++       return count + base;
+ }
+ 
+ int
+@@ -235,6 +251,9 @@ wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data)
+                i -= WL_SERVER_ID_START;
+        }
+ 
++       if (i > WL_MAP_MAX_OBJECTS)
++               return -1;
++
+        count = entries->size / sizeof *start;
+        if (count < i)
+                return -1;
+@@ -269,8 +288,10 @@ wl_map_reserve_new(struct wl_map *map, uint32_t i)
+                i -= WL_SERVER_ID_START;
+        }
+ 
+-       count = entries->size / sizeof *start;
++       if (i > WL_MAP_MAX_OBJECTS)
++               return -1;
+ 
++       count = entries->size / sizeof *start;
+        if (count < i)
+                return -1;
+ 
+-- 
+2.37.3
diff --git a/meta/recipes-graphics/wayland/wayland_1.18.0.bb b/meta/recipes-graphics/wayland/wayland_1.18.0.bb
index 00be3aac27..e621abddbf 100644
--- a/meta/recipes-graphics/wayland/wayland_1.18.0.bb
+++ b/meta/recipes-graphics/wayland/wayland_1.18.0.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
            file://0002-Do-not-hardcode-the-path-to-wayland-scanner.patch \
            file://0001-build-Fix-strndup-detection-on-MinGW.patch \
            file://0001-meson-tests-add-missing-dependencies-on-protocol-hea.patch \
+           file://CVE-2021-3782.patch \
            "
 SRC_URI[md5sum] = "23317697b6e3ff2e1ac8c5ba3ed57b65"
 SRC_URI[sha256sum] = "4675a79f091020817a98fd0484e7208c8762242266967f55a67776936c2e294d"
diff --git a/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch b/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch
new file mode 100644
index 0000000000..fb36d3817a
--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch
@@ -0,0 +1,32 @@
+From 5c74a0640e873694bf60a88eceb21f664cb4b8f7 Mon Sep 17 00:00:00 2001
+From: Marius Vlad <marius.vlad@collabora.com>
+Date: Fri, 5 Mar 2021 20:03:49 +0200
+Subject: [PATCH 2/5] desktop-shell: Remove no-op de-activation of the xdg
+ top-level surface
+
+The shsurf is calloc'ed so the surface count is always 0.  Not only
+that but the surface is not set as active by default, so there's no
+need to de-activate it.
+
+Upstream-Status: Backport [05bef4c18a3e82376a46a4a28d978389c4c0fd0f]
+Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
+---
+ desktop-shell/shell.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
+index 442a625f..3791be25 100644
+--- a/desktop-shell/shell.c
++++ b/desktop-shell/shell.c
+@@ -2427,8 +2427,6 @@ desktop_surface_added(struct weston_desktop_surface *desktop_surface,
+        wl_list_init(&shsurf->children_link);
+ 
+        weston_desktop_surface_set_user_data(desktop_surface, shsurf);
+-       weston_desktop_surface_set_activated(desktop_surface,
+-                                            shsurf->focus_count > 0);
+ }
+ 
+ static void
+-- 
+2.34.1
+
diff --git a/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch b/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch
new file mode 100644
index 0000000000..dcd0700fca
--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch
@@ -0,0 +1,57 @@
+From edb31c456ae3da7ffffefb668a37ab88075c4b67 Mon Sep 17 00:00:00 2001
+From: Marius Vlad <marius.vlad@collabora.com>
+Date: Fri, 5 Mar 2021 21:40:22 +0200
+Subject: [PATCH 3/5] desktop-shell: Rename gain/lose keyboard focus to
+ activate/de-activate
+
+This way it better reflects that it handles activation rather that input
+focus.
+
+Upstream-Status: Backport [ab39e1d76d4f6715cb300bc37f5c2a0e2d426208]
+Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
+---
+ desktop-shell/shell.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
+index 3791be25..c4669f11 100644
+--- a/desktop-shell/shell.c
++++ b/desktop-shell/shell.c
+@@ -1869,14 +1869,14 @@ handle_pointer_focus(struct wl_listener *listener, void *data)
+ }
+ 
+ static void
+-shell_surface_lose_keyboard_focus(struct shell_surface *shsurf)
++shell_surface_deactivate(struct shell_surface *shsurf)
+ {
+        if (--shsurf->focus_count == 0)
+                weston_desktop_surface_set_activated(shsurf->desktop_surface, false);
+ }
+ 
+ static void
+-shell_surface_gain_keyboard_focus(struct shell_surface *shsurf)
++shell_surface_activate(struct shell_surface *shsurf)
+ {
+        if (shsurf->focus_count++ == 0)
+                weston_desktop_surface_set_activated(shsurf->desktop_surface, true);
+@@ -1891,7 +1891,7 @@ handle_keyboard_focus(struct wl_listener *listener, void *data)
+        if (seat->focused_surface) {
+                struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+                if (shsurf)
+-                       shell_surface_lose_keyboard_focus(shsurf);
++                       shell_surface_deactivate(shsurf);
+        }
+ 
+        seat->focused_surface = weston_surface_get_main_surface(keyboard->focus);
+@@ -1899,7 +1899,7 @@ handle_keyboard_focus(struct wl_listener *listener, void *data)
+        if (seat->focused_surface) {
+                struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+                if (shsurf)
+-                       shell_surface_gain_keyboard_focus(shsurf);
++                       shell_surface_activate(shsurf);
+        }
+ }
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch b/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch
new file mode 100644
index 0000000000..7ca72f8494
--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch
@@ -0,0 +1,99 @@
+From 899ad5a6a8a92f2c10e0694a45c982b7d878aed6 Mon Sep 17 00:00:00 2001
+From: Marius Vlad <marius.vlad@collabora.com>
+Date: Fri, 5 Mar 2021 21:44:26 +0200
+Subject: [PATCH 4/5] desktop-shell: Embed keyboard focus handle code when
+ activating
+
+We shouldn't be constrained by having a keyboard plugged-in, so avoid
+activating/de-activating the window/surface in the keyboard focus
+handler and embed it straight into the window activation part.
+
+Upstream-Status: Backport [f12697bb3e4c6eb85437ed905e7de44ae2a0ba69]
+Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
+---
+ desktop-shell/shell.c | 41 +++++++++++++++++++++++++----------------
+ 1 file changed, 25 insertions(+), 16 deletions(-)
+
+diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
+index c4669f11..c6a4fe91 100644
+--- a/desktop-shell/shell.c
++++ b/desktop-shell/shell.c
+@@ -1885,22 +1885,7 @@ shell_surface_activate(struct shell_surface *shsurf)
+ static void
+ handle_keyboard_focus(struct wl_listener *listener, void *data)
+ {
+-       struct weston_keyboard *keyboard = data;
+-       struct shell_seat *seat = get_shell_seat(keyboard->seat);
+-
+-       if (seat->focused_surface) {
+-               struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+-               if (shsurf)
+-                       shell_surface_deactivate(shsurf);
+-       }
+-
+-       seat->focused_surface = weston_surface_get_main_surface(keyboard->focus);
+-
+-       if (seat->focused_surface) {
+-               struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+-               if (shsurf)
+-                       shell_surface_activate(shsurf);
+-       }
++       /* FIXME: To be removed later. */
+ }
+ 
+ /* The surface will be inserted into the list immediately after the link
+@@ -2438,6 +2423,7 @@ desktop_surface_removed(struct weston_desktop_surface *desktop_surface,
+        struct shell_surface *shsurf_child, *tmp;
+        struct weston_surface *surface =
+                weston_desktop_surface_get_surface(desktop_surface);
++       struct weston_seat *seat;
+ 
+        if (!shsurf)
+                return;
+@@ -2448,6 +2434,18 @@ desktop_surface_removed(struct weston_desktop_surface *desktop_surface,
+        }
+        wl_list_remove(&shsurf->children_link);
+ 
++       wl_list_for_each(seat, &shsurf->shell->compositor->seat_list, link) {
++               struct shell_seat *shseat = get_shell_seat(seat);
++               /* activate() controls the focused surface activation and
++                * removal of a surface requires invalidating the
++                * focused_surface to avoid activate() use a stale (and just
++                * removed) surface when attempting to de-activate it. It will
++                * also update the focused_surface once it has a chance to run.
++                */
++               if (surface == shseat->focused_surface)
++                       shseat->focused_surface = NULL;
++       }
++
+        wl_signal_emit(&shsurf->destroy_signal, shsurf);
+ 
+        if (shsurf->fullscreen.black_view)
+@@ -3836,6 +3834,7 @@ activate(struct desktop_shell *shell, struct weston_view *view,
+        struct workspace *ws;
+        struct weston_surface *old_es;
+        struct shell_surface *shsurf, *shsurf_child;
++       struct shell_seat *shseat = get_shell_seat(seat);
+ 
+        main_surface = weston_surface_get_main_surface(es);
+        shsurf = get_shell_surface(main_surface);
+@@ -3855,6 +3854,16 @@ activate(struct desktop_shell *shell, struct weston_view *view,
+ 
+        weston_view_activate(view, seat, flags);
+ 
++       if (shseat->focused_surface) {
++               struct shell_surface *current_focus =
++                       get_shell_surface(shseat->focused_surface);
++               assert(current_focus);
++               shell_surface_deactivate(current_focus);
++       }
++
++       shseat->focused_surface = main_surface;
++       shell_surface_activate(shsurf);
++
+        state = ensure_focus_state(shell, seat);
+        if (state == NULL)
+                return;
+-- 
+2.34.1
+
diff --git a/meta/recipes-graphics/wayland/weston_8.0.0.bb b/meta/recipes-graphics/wayland/weston_8.0.0.bb
index 0b383f25f3..5e4e2032c9 100644
--- a/meta/recipes-graphics/wayland/weston_8.0.0.bb
+++ b/meta/recipes-graphics/wayland/weston_8.0.0.bb
@@ -10,6 +10,9 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
            file://weston.desktop \
            file://xwayland.weston-start \
            file://0001-weston-launch-Provide-a-default-version-that-doesn-t.patch \
+           file://0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch \
+           file://0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch \
+           file://0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch \
 "
 SRC_URI[md5sum] = "53e4810d852df0601d01fd986a5b22b3"
 SRC_URI[sha256sum] = "7518b49b2eaa1c3091f24671bdcc124fd49fc8f1af51161927afa4329c027848"