CVE-2023-54079

Summary

In the Linux kernel, the following vulnerability has been resolved:

power: supply: bq27xxx: Fix poll_interval handling and races on remove

Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0 to avoid bq27xxx_battery_update() requeuing the delayed_work item.

There are 2 problems with this:

  1. If the driver is unbound through sysfs, rather then the module being rmmod-ed, this changes poll_interval unexpectedly

  2. This is racy, after it being set poll_interval could be changed before bq27xxx_battery_update() checks it through /sys/module/bq27xxx_battery/parameters/poll_interval

Fix this by added a removed attribute to struct bq27xxx_device_info and using that instead of setting poll_interval to 0.

There also is another poll_interval related race on remove(), writing /sys/module/bq27xxx_battery/parameters/poll_interval will requeue the delayed_work item for all devices on the bq27xxx_battery_devices list and the device being removed was only removed from that list after cancelling the delayed_work item.

Fix this by moving the removal from the bq27xxx_battery_devices list to before cancelling the delayed_work item.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db < 4c9615474fb0a41cfad658d78db3c9ec70912969affected
LinuxLinux8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db < 465d919151a1e8d40daf366b868914f59d073211affected
LinuxLinux8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db < 0c5f4cec759679c290720fbcf6bb81768e21c95baffected
LinuxLinux8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db < e85757da9091998276ff21a13915ac25229cc232affected
LinuxLinux8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db < e98e5bebfcafc75a7b41192a607dfea5c1268afaaffected
LinuxLinux8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db < d952a1eaafcc5f0351caad5dbe9b5b3300d1d529affected
LinuxLinux8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db < b12faeca0e819ea09051a705fef9df7ea7e9e18caffected
LinuxLinux8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db < c00bc80462afc7963f449d7f21d896d2f629caccaffected
LinuxLinux3.3affected
LinuxLinux0 < 3.3unaffected
LinuxLinux4.14.316 <= 4.14.*unaffected
LinuxLinux4.19.284 <= 4.19.*unaffected
LinuxLinux5.4.244 <= 5.4.*unaffected
LinuxLinux5.10.181 <= 5.10.*unaffected
LinuxLinux5.15.114 <= 5.15.*unaffected
LinuxLinux6.1.31 <= 6.1.*unaffected
LinuxLinux6.3.5 <= 6.3.*unaffected
LinuxLinux6.4 <= *unaffected

Weaknesses

References