The code contains a use-after-free vulnerability due to missing cancellation of delayed work during device removal. Specifically, in acpi_video_bus_remove(), the function acpi_video_bus_put_devices() is called, which frees all acpi_video_device structures without cancelling the associated delayed work (switch_brightness_work).
This work is scheduled via brightness_switch_event() in response to ACPI events (e.g., brightness key presses) with a 100ms delay. If the work is pending when the device is removed, it may execute after the memory is freed, leading to use-after-free when the work function acpi_video_switch_brightness() accesses the device structure.
Fix this by calling cancel_delayed_work_sync() before freeing each acpi_video_device to ensure the work is fully completed before the memory is released.
Fixes: 67b662e189f46 ("ACPI / video: seperate backlight control and event interface")
Cc: stable@vger.kernel.org
Signed-off-by: Yuhao Jiang <danisjiang@gmail.com>
---
 drivers/acpi/acpi_video.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c index 103f29661576..5b80f87e078f 100644 --- a/drivers/acpi/acpi_video.c +++ b/drivers/acpi/acpi_video.c @@ -1974,6 +1974,7 @@ static int acpi_video_bus_put_devices(struct acpi_video_bus *video)
mutex_lock(&video->device_list_lock); list_for_each_entry_safe(dev, next, &video->video_device_list, entry) { + cancel_delayed_work_sync(&dev->switch_brightness_work); list_del(&dev->entry); kfree(dev); }
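Review bot: the new cancel_delayed_work_sync() call sits inside the list_for_each_entry_safe() loop while video->device_list_lock is held, and a sync cancel sleeps until any in-flight acpi_video_switch_brightness() returns, so the commit message should state explicitly that the work handler never takes video->device_list_lock (otherwise this is a lock-ordering deadlock rather than a fix). It should also say that the notify path that queues the work via brightness_switch_event() is already torn down by the time acpi_video_bus_put_devices() runs; if it is not, the work can be re-queued between the cancel and the kfree(dev) on the next line and the use-after-free remains. Placing the cancellation in the per-device teardown is otherwise the right spot, since it pairs the cancel with the kfree() of the same structure.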