{"id":"CVE-2025-68758","summary":"backlight: led-bl: Add devlink to supplier LEDs","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led-bl: Add devlink to supplier LEDs\n\nLED Backlight is a consumer of one or multiple LED class devices, but\ndevlink is currently unable to create correct supplier-producer links when\nthe supplier is a class device. It creates instead a link where the\nsupplier is the parent of the expected device.\n\nOne consequence is that removal order is not correctly enforced.\n\nIssues happen for example with the following sections in a device tree\noverlay:\n\n    // An LED driver chip\n    pca9632@62 {\n        compatible = \"nxp,pca9632\";\n        reg = \u003c0x62\u003e;\n\n\t// ...\n\n        addon_led_pwm: led-pwm@3 {\n            reg = \u003c3\u003e;\n            label = \"addon:led:pwm\";\n        };\n    };\n\n    backlight-addon {\n        compatible = \"led-backlight\";\n        leds = \u003c&addon_led_pwm\u003e;\n        brightness-levels = \u003c255\u003e;\n        default-brightness-level = \u003c255\u003e;\n    };\n\nIn this example, the devlink should be created between the backlight-addon\n(consumer) and the pca9632@62 (supplier). Instead it is created between the\nbacklight-addon (consumer) and the parent of the pca9632@62, which is\ntypically the I2C bus adapter.\n\nOn removal of the above overlay, the LED driver can be removed before the\nbacklight device, resulting in:\n\n    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n    ...\n    Call trace:\n     led_put+0xe0/0x140\n     devm_led_release+0x6c/0x98\n\nAnother way to reproduce the bug without any device tree overlays is\nunbinding the LED class device (pca9632@62) before unbinding the consumer\n(backlight-addon):\n\n  echo 11-0062 \u003e/sys/bus/i2c/drivers/leds-pca963x/unbind\n  echo ...backlight-dock \u003e/sys/bus/platform/drivers/led-backlight/unbind\n\nFix by adding a devlink between the consuming led-backlight device and the\nsupplying LED device, as other drivers and subsystems do as well.","modified":"2026-03-31T17:29:39.553114Z","published":"2026-01-05T09:32:31.399Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:10039-1","openSUSE-SU-2026:10301-1","openSUSE-SU-2026:20145-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68758.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/30cbe4b642745a9488a0f0d78be43afe69d7555c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/64739adf3eef063b8e2c72b7e919eac8c6480bf0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cd01a24b3e52d6777b49c917d841f125fe9eebd0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e06df738a9ad8417f1c4c7cd6992cda320e9e7ca"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68758.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68758"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ae232e45acf9621f2c96b41ca3af006ac7552c33"},{"fixed":"64739adf3eef063b8e2c72b7e919eac8c6480bf0"},{"fixed":"cd01a24b3e52d6777b49c917d841f125fe9eebd0"},{"fixed":"e06df738a9ad8417f1c4c7cd6992cda320e9e7ca"},{"fixed":"30cbe4b642745a9488a0f0d78be43afe69d7555c"},{"fixed":"0e63ea4378489e09eb5e920c8a50c10caacf563a"},{"fixed":"60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9"},{"fixed":"08c9dc6b0f2c68e5e7c374ac4499e321e435d46c"},{"fixed":"9341d6698f4cfdfc374fb6944158d111ebe16a9d"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68758.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.6.0"},{"fixed":"5.10.248"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.160"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.63"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.13"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.18.0"},{"fixed":"6.18.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68758.json"}}],"schema_version":"1.7.5"}