Linux Kernel LED Backlight Devlink Supplier Link Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's handling of LED backlight devices and their associated class devices. The issue arises because the devlink system fails to establish the correct supplier-consumer relationship when the supplier is a class device: instead of linking the backlight consumer to the LED class device, it links it to that device's parent, typically the I2C bus adapter. Because the link records the wrong supplier, the kernel cannot enforce the correct device removal order, and the backlight consumer may outlive the LED device it depends on, leading to a NULL pointer dereference. The vulnerability can be reproduced by unbinding the LED class device before the corresponding backlight consumer, or by using a device tree overlay that demonstrates the same issue.

Impact

The vulnerability can cause a kernel NULL pointer dereference, leading to a crash. This occurs when the LED driver is removed before the backlight device: the backlight consumer still holds a reference to the LED device that has already been torn down, and the kernel dereferences that stale pointer.

Reproduction

The vulnerability can be reproduced by unbinding an LED class device from its driver before unbinding the corresponding backlight consumer. This can be done by echoing the LED device's bus address to the unbind file of the appropriate I2C driver, followed by unbinding the backlight device.

Remediation

The vulnerability has been addressed by modifying the LED backlight driver to establish the devlink between each backlight device and its corresponding LED class device directly, rather than relying on the link to the parent device. With the supplier recorded correctly, the kernel removes the backlight consumer before the LED supplier, preventing the NULL pointer dereference.
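One way a defender can check, from userspace, which supplier a backlight consumer is actually linked to is to walk the device links exported under sysfs. The script below is an added example and is not part of the kernel patch or this advisory; it assumes the /sys/class/devlink layout in which each link directory carries "consumer" and "supplier" symlinks, and that LED and backlight class devices appear under "leds/" and "backlight/" path components. The fixture builder creates a constructed directory tree (not a real system) so the check can be exercised offline; on a live machine the audit function defaults to /sys.

```shell
#!/bin/sh
# Audit device links: for every link whose consumer is a backlight class
# device, report whether the supplier is an LED class device (the expected
# state once the fix is applied) or something else, such as the I2C adapter
# the unfixed kernel linked to instead.
# Assumption: /sys/class/devlink/<link>/{consumer,supplier} symlinks exist.

audit_backlight_devlinks() {
    root="${1:-/sys}"        # sysfs root; tests pass a constructed tree
    good=0
    bad=0
    for link in "$root"/class/devlink/*/; do
        [ -d "$link" ] || continue
        consumer=$(readlink "${link}consumer" 2>/dev/null) || continue
        supplier=$(readlink "${link}supplier" 2>/dev/null) || continue
        # Only backlight consumers are of interest here.
        case "$consumer" in
            */backlight/*) ;;
            *) continue ;;
        esac
        case "$supplier" in
            */leds/*)
                good=$((good + 1))
                echo "OK   ${consumer##*/} <- ${supplier##*/}" ;;
            *)
                bad=$((bad + 1))
                echo "WARN ${consumer##*/} <- ${supplier##*/} (supplier is not an LED class device)" ;;
        esac
    done
    echo "backlight devlinks: $good ok, $bad suspect"
    [ "$bad" -eq 0 ]
}

# Build a constructed sysfs-like tree for offline testing. Device names
# (i2c-1, 1-0030, lcd_led, lcd0) are made up for the fixture.
make_fixture() {
    dir="$1"
    mode="$2"   # "fixed": supplier is the LED class device; "broken": parent I2C adapter
    mkdir -p "$dir/class/devlink/link0"
    ln -s "../../devices/platform/i2c-1/backlight/lcd0" "$dir/class/devlink/link0/consumer"
    if [ "$mode" = fixed ]; then
        ln -s "../../devices/platform/i2c-1/1-0030/leds/lcd_led" "$dir/class/devlink/link0/supplier"
    else
        ln -s "../../devices/platform/i2c-1" "$dir/class/devlink/link0/supplier"
    fi
}

# Usage on a live system: sh audit.sh --run [/sys]
case "${1:-}" in
    --run) audit_backlight_devlinks "${2:-/sys}" ;;
esac
```

The function exits non-zero when any backlight consumer's supplier is not an LED class device, so it can be dropped into a post-boot health check; a WARN line naming the I2C adapter as supplier is the signature of the unfixed linkage this advisory describes.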

Added: Jan 5, 2026, 10:30 AM
Updated: Jan 5, 2026, 10:30 AM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  4.3
remediation     7.7
relevance       1.9
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.