Commit 60171534 authored by Armin Wolf Committed by liwei

ACPI: battery: Fix possible crash when unregistering a battery hook

stable inclusion
from stable-v6.6.55
commit ce31847f109c3a5b2abdd19d7bcaafaacfde53de
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRCN
CVE: CVE-2024-49955

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ce31847f109c3a5b2abdd19d7bcaafaacfde53de



--------------------------------

[ Upstream commit 76959aff14a0012ad6b984ec7686d163deccdc16 ]

When a battery hook returns an error when adding a new battery, then
the battery hook is automatically unregistered.
However the battery hook provider cannot know that, so it will later
call battery_hook_unregister() on the already unregistered battery
hook, resulting in a crash.

Fix this by using the list head to mark already unregistered battery
hooks as already being unregistered so that they can be ignored by
battery_hook_unregister().

Fixes: fa93854f ("battery: Add the battery hooking API")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20241001212835.341788-3-W_Armin@gmx.de


Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: liwei <liwei728@huawei.com>
parent d501edd9
+9 −3
@@ -715,7 +715,7 @@ static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook)
		if (!hook->remove_battery(battery->bat, hook))
			power_supply_changed(battery->bat);
	}
	list_del(&hook->list);
	list_del_init(&hook->list);

	pr_info("extension unregistered: %s\n", hook->name);
}
@@ -723,7 +723,14 @@ static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook)
void battery_hook_unregister(struct acpi_battery_hook *hook)
{
	mutex_lock(&hook_mutex);
	/*
	 * Ignore already unregistered battery hooks. This might happen
	 * if a battery hook was previously unloaded due to an error when
	 * adding a new battery.
	 */
	if (!list_empty(&hook->list))
		battery_hook_unregister_unlocked(hook);

	mutex_unlock(&hook_mutex);
}
EXPORT_SYMBOL_GPL(battery_hook_unregister);
@@ -733,7 +740,6 @@ void battery_hook_register(struct acpi_battery_hook *hook)
	struct acpi_battery *battery;

	mutex_lock(&hook_mutex);
	INIT_LIST_HEAD(&hook->list);
	list_add(&hook->list, &battery_hook_list);
	/*
	 * Now that the driver is registered, we need
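Review bot: The new `list_empty(&hook->list)` check in battery_hook_unregister() is safe only for a hook that has been through battery_hook_register() at least once, and nothing in the function says so. With `INIT_LIST_HEAD(&hook->list)` no longer called in battery_hook_register(), the list head is written only by `list_add()` and `list_del_init()`, so a hook that was never registered (for example a zero-filled static struct) would presumably not look empty and would still reach battery_hook_unregister_unlocked(). I would extend the comment above the check with the precondition, e.g. `* The hook must have been passed to battery_hook_register() before; the list head of a never-registered hook is not initialised.` The body of battery_hook_register() continues outside the last hunk.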