[PATCH OLK-5.10 2/2] ACPI: battery: Fix possible crash when unregistering a battery hook

From: Armin Wolf W_Armin@gmx.de

stable inclusion from stable-v6.6.55 commit da964de4c18199e14b961b5b2e5e6570552a313c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRCN CVE: CVE-2024-49955

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit 76959aff14a0012ad6b984ec7686d163deccdc16 ]

When a battery hook returns an error when adding a new battery, then the battery hook is automatically unregistered. However the battery hook provider cannot know that, so it will later call battery_hook_unregister() on the already unregistered battery hook, resulting in a crash.

Fix this by using the list head to mark already unregistered battery hooks as already being unregistered so that they can be ignored by battery_hook_unregister().

Fixes: fa93854f7a7e ("battery: Add the battery hooking API") Signed-off-by: Armin Wolf W_Armin@gmx.de Link: https://patch.msgid.link/20241001212835.341788-3-W_Armin@gmx.de Cc: All applicable stable@vger.kernel.org Signed-off-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: liwei liwei728@huawei.com --- drivers/acpi/battery.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index 1e782e332073..04ecda0d8560 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -700,7 +700,7 @@ static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook) list_for_each_entry(battery, &acpi_battery_list, list) { hook->remove_battery(battery->bat); } - list_del(&hook->list); + list_del_init(&hook->list);

pr_info("extension unregistered: %s\n", hook->name); } @@ -708,7 +708,14 @@ static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook) void battery_hook_unregister(struct acpi_battery_hook *hook) { mutex_lock(&hook_mutex); - battery_hook_unregister_unlocked(hook); + /* + * Ignore already unregistered battery hooks. This might happen + * if a battery hook was previously unloaded due to an error when + * adding a new battery. + */ + if (!list_empty(&hook->list)) + battery_hook_unregister_unlocked(hook); + mutex_unlock(&hook_mutex); } EXPORT_SYMBOL_GPL(battery_hook_unregister); @@ -718,7 +725,6 @@ void battery_hook_register(struct acpi_battery_hook *hook) struct acpi_battery *battery;

mutex_lock(&hook_mutex); - INIT_LIST_HEAD(&hook->list); list_add(&hook->list, &battery_hook_list); /* * Now that the driver is registered, we need