Description
In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Product status
098bce1838e0549228c8d426e5de72ec5594b5c4 (git) before b69bb88e20c6f8e998dff3e13a316207f49d3fa2
098bce1838e0549228c8d426e5de72ec5594b5c4 (git) before a8b7117ae3a791c6a328674d05a06cd45d8241bd
098bce1838e0549228c8d426e5de72ec5594b5c4 (git) before 17db6b3abd823c9fba3f3413c4f0f432d99d49dc
098bce1838e0549228c8d426e5de72ec5594b5c4 (git) before 62914959b35e9a1e29cc0f64cb8cfc5075a5366f
6.7
Any version before 6.7
6.12.75 (semver)
6.18.14 (semver)
6.19.4 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/b69bb88e20c6f8e998dff3e13a316207f49d3fa2
git.kernel.org/...c/a8b7117ae3a791c6a328674d05a06cd45d8241bd
git.kernel.org/...c/17db6b3abd823c9fba3f3413c4f0f432d99d49dc
git.kernel.org/...c/62914959b35e9a1e29cc0f64cb8cfc5075a5366f