Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's bq27xxx battery driver has been addressed. The issue involved improper handling of the poll interval and race conditions when the driver is removed. Previously, the teardown function set the poll interval to zero to prevent the update function from requeuing a delayed work item. This approach introduced two problems: it unexpectedly altered the poll interval if the driver was unbound via sysfs instead of being removed as a module, and it created a race condition where the poll interval could be modified through the sysfs parameter before the update function checked its value.
The vulnerability has been fixed by adding a 'removed' attribute to the device information structure and using it to manage the poll interval more effectively. Additionally, another race condition related to the poll interval was identified during the removal process, where writing to the sysfs parameter would requeue the delayed work for all devices on the battery devices list, potentially causing issues for the device being removed. This has been resolved by adjusting the order of operations during the removal process.
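
The two teardown orderings described above, reduced to a single-threaded user-space C model (an added example, not the kernel driver's code). All names and the value 360 are constructed, and the step order is an assumption drawn from the description: the old path cancels the work while the device is still listed, the fixed path unlists it first.

```c
#include <stdbool.h>

/* Constructed user-space model; every name here is hypothetical. */
static unsigned int poll_interval;      /* shared module parameter */

struct dev {
    bool removed;      /* per-device flag, as added by the fix */
    bool on_list;      /* still on the battery devices list */
    bool work_queued;  /* stands in for the delayed work item */
};

/* Update path: requeue only while polling is on and the device is alive. */
static void dev_update(struct dev *d)
{
    d->work_queued = !d->removed && poll_interval > 0;
}

/* sysfs write: store the value, then requeue work for each listed device. */
static void sysfs_store(unsigned int val, struct dev *a, struct dev *b)
{
    poll_interval = val;
    if (a->on_list) dev_update(a);
    if (b->on_list) dev_update(b);
}

/*
 * Tear down device a, optionally with a sysfs write landing mid-teardown.
 * Returns true if a still has work queued afterwards; the poll interval
 * left behind for the remaining device is stored in *interval_out.
 */
static bool teardown(bool fixed, bool racing_write, unsigned int *interval_out)
{
    struct dev a = { false, true, true }, b = { false, true, true };

    poll_interval = 360;                        /* constructed value */
    if (fixed) {
        a.on_list = false;                      /* unlist first */
        a.removed = true;                       /* then mark removed */
        a.work_queued = false;                  /* then cancel the work */
        if (racing_write) sysfs_store(360, &a, &b);
    } else {
        poll_interval = 0;                      /* clobbers shared value */
        a.work_queued = false;                  /* cancel the work */
        if (racing_write) sysfs_store(360, &a, &b);
        a.on_list = false;                      /* unlisted too late */
    }
    *interval_out = poll_interval;
    return a.work_queued;
}
```

In the old ordering a quiet teardown leaves the shared interval at zero for the remaining device, and a write during teardown leaves work queued on the device being removed; the fixed ordering shows neither outcome.
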
The vulnerability could lead to a race condition, causing the poll interval to be mismanaged and potentially leading to incorrect battery status updates.
The vulnerability can be reproduced by unbinding the bq27xxx battery driver through sysfs, which will cause the poll interval to be set to zero unexpectedly. This can be followed by a removal of a device that is still registered, which will cause a race condition by requeuing a work item that is not properly synchronized.
Users can update to the latest version of the Linux kernel where this vulnerability has been fixed.