Description
In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal. If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight. Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed. [ rjw: Changelog edit ]
Product status
8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 (git) before de5fc93275a4a459fe2f7cb746984f2ab3e8292a
8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 (git) before 293125536ef5521328815fa7c76d5f9eb1635659
8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 (git) before 8f067aa59430266386b83c18b983ca583faa6a11
3.17
Any version before 3.17
6.12.58 (semver)
6.17.8 (semver)
6.18-rc4 (original_commit_for_fix)
References
git.kernel.org/...c/de5fc93275a4a459fe2f7cb746984f2ab3e8292a
git.kernel.org/...c/293125536ef5521328815fa7c76d5f9eb1635659
git.kernel.org/...c/8f067aa59430266386b83c18b983ca583faa6a11
