In the Linux kernel, the following vulnerability has been resolved:
leds: class: Protect brightness_show() with led_cdev->led_access mutex
A NULL pointer issue is observed if, from Process A, a HID device is being added, which results in a led_cdev addition, and later another call to access a led_cdev attribute from Process B can result in a NULL pointer issue.
Use mutex led_cdev->led_access to protect access to led->cdev and its attribute inside brightness_show() and max_brightness_show(), and also update the comment for the mutex that it should be used to protect the led class device fields.
Process A

 kthread+0x114
 worker_thread+0x244
 process_scheduled_works+0x248
 uhid_device_add_worker+0x24
 hid_add_device+0x120
 device_add+0x268
 bus_probe_device+0x94
 device_initial_probe+0x14
 __device_attach+0xfc
 bus_for_each_drv+0x10c
 __device_attach_driver+0x14c
 driver_probe_device+0x3c
 __driver_probe_device+0xa0
 really_probe+0x190
 hid_device_probe+0x130
 ps_probe+0x990
 ps_led_register+0x94
 devm_led_classdev_register_ext+0x58
 led_classdev_register_ext+0x1f8
 device_create_with_groups+0x48
 device_create_groups_vargs+0xc8
 device_add+0x244
 kobject_uevent+0x14
 kobject_uevent_env[jt]+0x224
 mutex_unlock[jt]+0xc4
 __mutex_unlock_slowpath+0xd4
 wake_up_q+0x70
 try_to_wake_up[jt]+0x48c
 preempt_schedule_common+0x28
 __schedule+0x628
 __switch_to+0x174

Process B

 el0t_64_sync+0x1a8/0x1ac
 el0t_64_sync_handler+0x68/0xbc
 el0_svc+0x38/0x68
 do_el0_svc+0x1c/0x28
 el0_svc_common+0x80/0xe0
 invoke_syscall+0x58/0x114
 __arm64_sys_read+0x1c/0x2c
 ksys_read+0x78/0xe8
 vfs_read+0x1e0/0x2c8
 kernfs_fop_read_iter+0x68/0x1b4
 seq_read_iter+0x158/0x4ec
 kernfs_seq_show+0x44/0x54
 sysfs_kf_seq_show+0xb4/0x130
 dev_attr_show+0x38/0x74
 brightness_show+0x20/0x4c
 dualshock4_led_get_brightness+0xc/0x74
[ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
[ 3313.874301][ T4013] Mem abort info:
[ 3313.874303][ T4013]   ESR = 0x0000000096000006
[ 3313.874305][ T4013]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 3313.874307][ T4013]   SET = 0, FnV = 0
[ 3313.874309][ T4013]   EA = 0, S1PTW = 0
[ 3313.874311][ T4013]   FSC = 0x06: level 2 translation fault
[ 3313.874313][ T4013] Data abort info:
[ 3313.874314][ T4013]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[ 3313.874316][ T4013]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 3313.874318][ T4013]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000
..
[ 3313.874332][ T4013] Dumping ftrace buffer:
[ 3313.874334][ T4013]    (ftrace buffer empty)
..
..
[ 3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader
[ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74
[ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60
[ 3313.874656][ T4013] sp : ffffffc0b910bbd0
..
..
[ 3313.874685][ T4013] Call trace:
[ 3313.874687][ T4013]  dualshock4_led_get_brightness+0xc/0x74
[ 3313.874690][ T4013]  brightness_show+0x20/0x4c
[ 3313.874692][ T4013]  dev_attr_show+0x38/0x74
[ 3313.874696][ T4013]  sysfs_kf_seq_show+0xb4/0x130
[ 3313.874700][ T4013]  kernfs_seq_show+0x44/0x54
[ 3313.874703][ T4013]  seq_read_iter+0x158/0x4ec
[ 3313.874705][ T4013]  kernfs_fop_read_iter+0x68/0x1b4
[ 3313.874708][ T4013]  vfs_read+0x1e0/0x2c8
[ 3313.874711][ T4013]  ksys_read+0x78/0xe8
[ 3313.874714][ T4013]  __arm64_sys_read+0x1c/0x2c
[ 3313.874718][ T4013]  invoke_syscall+0x58/0x114
[ 3313.874721][ T4013]  el0_svc_common+0x80/0xe0
[ 3313.874724][ T4013]  do_el0_svc+0x1c/0x28
[ 3313.874727][ T4013]  el0_svc+0x38/0x68
[ 3313.874730][ T4013]  el0t_64_sync_handler+0x68/0xbc
[ 3313.874732][ T4013]  el0t_64_sync+0x1a8/0x1ac
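The window the two traces describe, modelled in user space with pthreads as an added example. This is not the kernel's code or the commit's diff: struct device, struct led_classdev, sysfs_model, register_thread and run_race are stand-ins, and the model assumes what the trace shows, namely that registration holds led_access while the sysfs attribute is already readable but led->dev is not yet set. The unlocked show is the pre-fix brightness_show() (with a NULL check standing in for the oops so the program survives); the locked show is the post-fix one, which simply sleeps on led_access until registration finishes.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the kernel structures (assumed, not the real layouts). */
struct device {
	const char *name;
	int brightness;		/* what the driver's get_brightness() reads */
};

struct led_classdev {
	struct device *dev;	/* NULL until registration has filled it in */
	int (*brightness_get)(struct led_classdev *led);
	pthread_mutex_t led_access;
};

/* Plays the role of dualshock4_led_get_brightness(): dereferences led->dev. */
static int model_get_brightness(struct led_classdev *led)
{
	return led->dev->brightness;
}

/* Pre-fix brightness_show(): no lock, so led->dev may still be NULL. */
static int brightness_show_unlocked(struct led_classdev *led)
{
	if (!led->dev)		/* the kernel has no such check: this is the oops */
		return -ENODEV;
	return led->brightness_get(led);
}

/* Post-fix brightness_show(): led_access serialises us behind registration. */
static int brightness_show_locked(struct led_classdev *led)
{
	int value;

	pthread_mutex_lock(&led->led_access);
	value = led->dev ? led->brightness_get(led) : -ENODEV;
	pthread_mutex_unlock(&led->led_access);
	return value;
}

/* Minimal model of sysfs: the attribute is readable once 'visible' is set. */
struct sysfs_model {
	struct led_classdev *visible;
	bool reader_done;
	pthread_mutex_t lock;
	pthread_cond_t cond;
};

struct reg_args {
	struct led_classdev *led;
	struct sysfs_model *sysfs;
	bool wait_for_reader;	/* hold the window open until the reader has read;
				 * must be false for the locked show, which blocks */
};

/* Process A: registration holding led_access, as led_classdev_register_ext() does. */
static void *register_thread(void *p)
{
	struct reg_args *a = p;
	static struct device ds4_dev = { "dualshock4", 128 };	/* constructed */

	pthread_mutex_lock(&a->led->led_access);

	/* device_create_with_groups(): the attribute is now visible to readers */
	pthread_mutex_lock(&a->sysfs->lock);
	a->sysfs->visible = a->led;
	pthread_cond_broadcast(&a->sysfs->cond);
	while (a->wait_for_reader && !a->sysfs->reader_done)
		pthread_cond_wait(&a->sysfs->cond, &a->sysfs->lock);
	pthread_mutex_unlock(&a->sysfs->lock);

	a->led->dev = &ds4_dev;	/* only now is the device pointer filled in */
	pthread_mutex_unlock(&a->led->led_access);
	return NULL;
}

/* Run one registration/read interleaving and return what the read saw. */
static int run_race(int (*show)(struct led_classdev *), bool wait_for_reader)
{
	struct led_classdev led = { NULL, model_get_brightness, PTHREAD_MUTEX_INITIALIZER };
	struct sysfs_model sysfs = { NULL, false, PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER };
	struct reg_args args = { &led, &sysfs, wait_for_reader };
	pthread_t t;
	int value;

	pthread_create(&t, NULL, register_thread, &args);

	/* Process B: wait until the attribute exists, then read() it */
	pthread_mutex_lock(&sysfs.lock);
	while (!sysfs.visible)
		pthread_cond_wait(&sysfs.cond, &sysfs.lock);
	pthread_mutex_unlock(&sysfs.lock);

	value = show(&led);

	pthread_mutex_lock(&sysfs.lock);
	sysfs.reader_done = true;
	pthread_cond_broadcast(&sysfs.cond);
	pthread_mutex_unlock(&sysfs.lock);

	pthread_join(t, NULL);
	return value;
}

int main(void)
{
	printf("unlocked show during registration: %d (-ENODEV is %d)\n",
	       run_race(brightness_show_unlocked, true), -ENODEV);
	printf("locked show during registration:   %d\n",
	       run_race(brightness_show_locked, false));
	return 0;
}
```

The unlocked read lands in the window between the attribute becoming visible and led->dev being set, which is the dereference at offset 0x60 in the oops; the locked read cannot run until registration drops led_access, so it always sees a fully initialised led_classdev. Build with -pthread on toolchains that do not link libpthread by default.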