Description
In the Linux kernel, the following vulnerability has been resolved: leds: led-class: Only Add LED to leds_list when it is fully ready Before this change the LED was added to leds_list before led_init_core() gets called adding it the list before led_classdev.set_brightness_work gets initialized. This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the *uninitialized* led_classdev.set_brightness_work. This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in: ------------[ cut here ]------------ WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 ... Call trace: __flush_work+0x344/0x390 (P) flush_work+0x2c/0x50 led_trigger_set+0x1c8/0x340 led_trigger_register+0x17c/0x1c0 led_trigger_register_simple+0x84/0xe8 snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] do_one_initcall+0x5c/0x318 do_init_module+0x9c/0x2b8 load_module+0x7e0/0x998 Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call.
Product status
d23a22a74fded23a12434c9463fe66cec2b0afcd (git) before f7a6df659af777058833802c29b3b7974db5e78a
d23a22a74fded23a12434c9463fe66cec2b0afcd (git) before d117fdcb21b05c0e0460261d017b92303cd9ba77
d23a22a74fded23a12434c9463fe66cec2b0afcd (git) before e90c861411fc84629a240384b0a72830539d3386
d23a22a74fded23a12434c9463fe66cec2b0afcd (git) before 2757f7748ce2d0fa44112024907bafb37e104d6e
d23a22a74fded23a12434c9463fe66cec2b0afcd (git) before da565bf98c9ad0eabcb09fc97859e0b52f98b7c3
d23a22a74fded23a12434c9463fe66cec2b0afcd (git) before 78822628165f3d817382f67f91129161159ca234
d23a22a74fded23a12434c9463fe66cec2b0afcd (git) before d1883cefd31752f0504b94c3bcfa1f6d511d6e87
3.7
Any version before 3.7
5.10.249 (semver)
5.15.199 (semver)
6.1.162 (semver)
6.6.122 (semver)
6.12.68 (semver)
6.18.8 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/f7a6df659af777058833802c29b3b7974db5e78a
git.kernel.org/...c/d117fdcb21b05c0e0460261d017b92303cd9ba77
git.kernel.org/...c/e90c861411fc84629a240384b0a72830539d3386
git.kernel.org/...c/2757f7748ce2d0fa44112024907bafb37e104d6e
git.kernel.org/...c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3
git.kernel.org/...c/78822628165f3d817382f67f91129161159ca234
git.kernel.org/...c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87