List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v3] ACPI: video: Fix use-after-free in acpi_video_switch_brightness() To: Yuhao Jiang , "Rafael J . Wysocki" Cc: Len Brown , linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org References: <20251022200704.2655507-1-danisjiang@gmail.com> From: Hans de Goede Content-Language: en-US, nl In-Reply-To: <20251022200704.2655507-1-danisjiang@gmail.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-DKIM: signer='kernel.org' status='pass' reason='' DKIMCheck: Server passes DKIM test, 0 Spam score X-Spam-Score: -1.2 (-) X-Spam-Report: Spam detection software, running on the system "witcher.mxrouting.net", has performed the tests listed below against this email. Information: https://mxroutedocs.com/directadmin/spamfilters/ --- Content analysis details: (-1.2 points) --- pts rule name description ---- ---------------------- ----------------------------------------- 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block for more information. [139.178.88.99 listed in list.dnswl.org] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender SpamTally: Final spam score: -11 Hi, On 22-Oct-25 10:07 PM, Yuhao Jiang wrote: > The switch_brightness_work delayed work accesses device->brightness > and device->backlight, which are freed by > acpi_video_dev_unregister_backlight() during device removal. > > If the work executes after acpi_video_bus_unregister_backlight() > frees these resources, it causes a use-after-free when > acpi_video_switch_brightness() dereferences device->brightness or > device->backlight. > > Fix this by calling cancel_delayed_work_sync() for each device's > switch_brightness_work in acpi_video_bus_remove_notify_handler() > after removing the notify handler that queues the work. This ensures > the work completes before the memory is freed. > > Fixes: 8ab58e8e7e097 ("ACPI / video: Fix backlight taking 2 steps on a brightness up/down keypress") > Cc: stable@vger.kernel.org > Signed-off-by: Yuhao Jiang > --- > Changes in v3: > - Move cancel_delayed_work_sync() to acpi_video_bus_remove_notify_handler() > instead of acpi_video_bus_unregister_backlight() for better logic placement > - Link to v2: https://lore.kernel.org/all/20251022042514.2167599-1-danisjiang@gmail.com/ Thanks, patch looks good to me: Reviewed-by: Hans de Goede Regards, Hans > --- > drivers/acpi/acpi_video.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c > index 103f29661576..be8e7e18abca 100644 > --- a/drivers/acpi/acpi_video.c > +++ b/drivers/acpi/acpi_video.c > @@ -1959,8 +1959,10 @@ static void acpi_video_bus_remove_notify_handler(struct acpi_video_bus *video) > struct acpi_video_device *dev; > > mutex_lock(&video->device_list_lock); > - list_for_each_entry(dev, &video->video_device_list, entry) > + list_for_each_entry(dev, &video->video_device_list, entry) { > acpi_video_dev_remove_notify_handler(dev); > + cancel_delayed_work_sync(&dev->switch_brightness_work); > + } > mutex_unlock(&video->device_list_lock); > > acpi_video_bus_stop_devices(video); From - Thu Oct 23 13:41:36 2025 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Delivered-To: hi@josie.lol Received: from witcher.mxrouting.net by witcher.mxrouting.net with LMTP id 0D4KI40w+mhbSysAYBR5ng (envelope-from ) for ; Thu, 23 Oct 2025 13:41:33 +0000 Return-path: Envelope-to: hi@josie.lol Delivery-date: Thu, 23 Oct 2025 13:41:33 +0000 Received: from ams.mirrors.kernel.org ([213.196.21.55]) by witcher.mxrouting.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.98) (envelope-from ) id 1vBvZN-0000000CJQj-0YrA for hi@josie.lol; Thu, 23 Oct 2025 13:41:33 +0000 Received: from smtp.subspace.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.mirrors.kernel.org (Postfix) with ESMTPS id 0BE6A35AAC2 for ; Thu, 23 Oct 2025 13:41:32 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E33DF314D1E; Thu, 23 Oct 2025 13:40:55 +0000 (UTC) X-Original-To: io-uring@vger.kernel.org Received: from verein.lst.de (verein.lst.de [213.95.11.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5BB2B3148C7; Thu, 23 Oct 2025 13:40:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=213.95.11.211 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761226855; cv=none; b=nWZ4TRosJR4Gxbtp4QJa4FCGUF/toFzGLGWydu7RqO409+4iRGDzIyvdnk9SJSw6573XwKO4tUvzBb6cUrKbug3CS9GYszCF8iC9/KU+MdLzBwSlxAgoObMntmVyX7Z3rAHXYneMwnMoVnIs3pVHf4hsLAEcvlPoMaAguM4GDC8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761226855; c=relaxed/simple; bh=irzMywcerFP2dFccXWPgmJSK9w7EvAi/JpG1EqYmHD8=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=Y4/4AVZ30esAJURjYvKR8BreO7l8a9ZNo1HXiyn9MMXytRn1RvwkBRgudA6x1Px2mxxfs+SjWQ9z4xY1tTHC+irA6g777Sm+R/XUcTAwO4ToTDUMlLsA+u53Dpleh0GjnxAW+N8zOUhpG5ymWwKlibMJsHgrtz9qyih57me3Gmg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=lst.de; spf=pass smtp.mailfrom=lst.de; arc=none smtp.client-ip=213.95.11.211 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=lst.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=lst.de Received: by verein.lst.de (Postfix, from userid 2407) id 9E777227A8E; Thu, 23 Oct 2025 15:40:47 +0200 (CEST) Date: Thu, 23 Oct 2025 15:40:47 +0200 From: Christoph Hellwig To: Caleb Sander Mateos Cc: Jens Axboe , Miklos Szeredi , Ming Lei , Keith Busch , Christoph Hellwig , Sagi Grimberg , Chris Mason , David Sterba , io-uring@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org, linux-nvme@lists.infradead.org, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 3/3] io_uring/uring_cmd: avoid double indirect call in task work dispatch Message-ID: <20251023134047.GA24570@lst.de> References: <20251022231326.2527838-1-csander@purestorage.com> <20251022231326.2527838-4-csander@purestorage.com> Precedence: bulk X-Mailing-List: io-uring@vg