HIGH
spi sprd-adi Controller Double-Free
CVE-2026-23068
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

spi: spi-sprd-adi: Fix double free in probe error path

The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller().

If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails. This results in a double-free of the spi_controller structure.

Fix this by switching to devm_spi_alloc_host() and removing the manual spi_controller_put() call.
02 KernelScan AI Analysis
Risk summary
A double-free vulnerability in the Spreadtrum SPI ADI driver can cause kernel crashes or memory corruption when the driver probe fails during restart handler registration. This affects system stability and could potentially be exploited by an attacker with local access to trigger controlled probe failures, though exploitation requires specific timing and hardware conditions.
Vulnerability analysis
Root Cause: The driver uses spi_alloc_host() to allocate an SPI controller but registers it with devm_spi_register_controller(). In the probe error path, when devm_register_restart_handler() fails, the code manually calls spi_controller_put(). However, since the controller was registered using a devm function, the device core automatically calls spi_controller_put() again during probe cleanup, resulting in a double-free of the spi_controller structure.
Attack Surface: Local attack surface requiring physical access to the device or ability to trigger SPI driver probe failures. The vulnerability occurs during device initialization when the restart handler registration fails, making it dependent on specific hardware configurations and timing conditions.
Fix Mechanism: The patch switches from spi_alloc_host() to devm_spi_alloc_host() for controller allocation and removes all manual spi_controller_put() calls. This ensures consistent device-managed resource handling where the device core automatically handles cleanup without manual intervention, eliminating the double-free condition.
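The probe error path described above, reduced to a userspace C model that counts puts made on an already released controller. This is an added example, not the driver's or the patch's code: every model_* name is hypothetical, and the assumption that device-managed cleanup drops one reference follows the description on this page.

```c
#include <stdio.h>
/* Userspace model; every model_* name is hypothetical, not a kernel API. */
struct model_ctlr { int refs; int double_puts; };
struct model_dev { void (*release[4])(struct model_ctlr *); int n; };

/* Stands in for spi_controller_put(); a put at refs == 0 is the double free. */
static void model_put(struct model_ctlr *c)
{
    if (c->refs == 0)
        c->double_puts++;
    else
        c->refs--;
}

/* Device core unwinding a failed probe: run devm actions, newest first. */
static void model_release_all(struct model_dev *d, struct model_ctlr *c)
{
    while (d->n > 0)
        d->release[--d->n](c);
}

/* Before the fix: spi_alloc_host(), devm registration, manual put on error. */
static int probe_before_fix(int restart_handler_fails)
{
    struct model_ctlr c = { .refs = 1 };
    struct model_dev d = { .n = 0 };
    d.release[d.n++] = model_put;   /* devm cleanup puts, per the description */
    if (restart_handler_fails) {
        model_put(&c);              /* manual put at the put_ctlr label */
        model_release_all(&d, &c);  /* second put on the same reference */
    }
    return c.double_puts;
}

/* After the fix: devm_spi_alloc_host() owns the only put, no manual call. */
static int probe_after_fix(int restart_handler_fails)
{
    struct model_ctlr c = { .refs = 1 };
    struct model_dev d = { .n = 0 };
    d.release[d.n++] = model_put;
    if (restart_handler_fails)
        model_release_all(&d, &c);
    return c.double_puts;
}

int main(void)
{
    printf("before: %d, after: %d\n", probe_before_fix(1), probe_after_fix(1));
    return 0;
}
```

The model records the excess put instead of freeing memory, so it runs cleanly while still showing that only the pre-fix error path releases the controller twice.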
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.162 | bddd3d10d039 |
| 6.12 | 6.12.68 | 346775f2b4cf |
| 6.18 | 6.18.8 | f6d6b3f172df |
| 6.6 | 6.6.122 | 417cdfd9b9f9 |
| mainline | 6.19 | 383d4f5cffcc |