Description
In the Linux kernel, the following vulnerability has been resolved: power: supply: axp288_fuel_gauge: Fix external_power_changed race fuel_gauge_external_power_changed() dereferences info->bat, which gets sets in axp288_fuel_gauge_probe() like this: info->bat = devm_power_supply_register(dev, &fuel_gauge_desc, &psy_cfg); As soon as devm_power_supply_register() has called device_add() the external_power_changed callback can get called. So there is a window where fuel_gauge_external_power_changed() may get called while info->bat has not been set yet leading to a NULL pointer dereference. Fixing this is easy. The external_power_changed callback gets passed the power_supply which will eventually get stored in info->bat, so fuel_gauge_external_power_changed() can simply directly use the passed in psy argument which is always valid.
Product status
30abb3d07929137bf72327560e1595508a692c4e (git) before 0456b912121e45b3ef54abe3135e5dcb541f956c
30abb3d07929137bf72327560e1595508a692c4e (git) before a636c6ba9ce898207f283271cb28511206ab739b
30abb3d07929137bf72327560e1595508a692c4e (git) before f8319774d6f1567d6e7d03653174ab0c82c5c66d
5.18
Any version before 5.18
6.1.31 (semver)
6.3.5 (semver)
6.4 (original_commit_for_fix)
References
git.kernel.org/...c/0456b912121e45b3ef54abe3135e5dcb541f956c
git.kernel.org/...c/a636c6ba9ce898207f283271cb28511206ab739b
git.kernel.org/...c/f8319774d6f1567d6e7d03653174ab0c82c5c66d
