HIGH
pinctrl cs42l43 FwNode Double-Free
CVE-2026-23387
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()

devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put.
02 KernelScan AI Analysis
Risk summary
A double-free vulnerability in the CS42L43 pinctrl driver could cause kernel crashes or memory corruption during device initialization failures. While exploitation requires local access and specific hardware, it could lead to denial of service or potentially privilege escalation in systems using this audio codec.
Vulnerability analysis
Root Cause: The code incorrectly performs an explicit fwnode_handle_put(child) after calling devm_add_action_or_reset() with cs42l43_fwnode_put as the cleanup action. The devm_add_action_or_reset() function automatically invokes the cleanup action (cs42l43_fwnode_put) on failure, which already releases the fwnode reference. The additional explicit put operation creates a double-free condition.
Attack Surface: This vulnerability affects systems using Cirrus Logic CS42L43 audio codec hardware with pinctrl functionality. The bug is triggered during device probe operations when devm_add_action_or_reset() fails, making it a local vulnerability that requires physical access to hardware or privileged access to trigger device probing.
Fix Mechanism: The patch removes the redundant explicit fwnode_handle_put(child) call in the error path, relying solely on devm_add_action_or_reset() to handle the cleanup. This ensures the fwnode reference is released exactly once: either by the registered devm cleanup action when registration succeeds, or by devm_add_action_or_reset() invoking that action itself when registration fails.
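The put accounting described under Root Cause and Fix Mechanism, as an added user-space C model (not the driver's or the kernel's code). The names node, devres, model_add_action_or_reset, model_release and probe_refs_after are hypothetical stand-ins, and the child node is assumed to hold exactly one reference owned by the probe.

```c
#include <stdio.h>

/* Constructed stand-in for a firmware node holding a reference count. */
struct node { int refs; };
static void node_put(struct node *n) { n->refs--; }

typedef void (*action_fn)(void *);
struct devres { action_fn fn; void *data; };

/* Cleanup action, playing the role of cs42l43_fwnode_put. */
static void put_action(void *data) { node_put(data); }

/* Model of devm_add_action_or_reset(): when registration fails, the
 * action is invoked immediately, before the error is returned. */
static int model_add_action_or_reset(struct devres *d, action_fn fn,
                                     void *data, int fail)
{
    if (fail) {
        fn(data);
        return -1;
    }
    *d = (struct devres){ fn, data };
    return 0;
}

/* Model of managed-resource release: run the registered action once. */
static void model_release(struct devres *d) { if (d->fn) d->fn(d->data); }

/* One probe that owns a single reference. Returns the final count:
 * 0 is balanced, negative means the reference was put more than once. */
static int probe_refs_after(int registration_fails, int explicit_put)
{
    struct node child = { .refs = 1 };
    struct devres d = { 0 };
    if (model_add_action_or_reset(&d, put_action, &child, registration_fails)) {
        if (explicit_put)
            node_put(&child);   /* the redundant put the fix removes */
        return child.refs;
    }
    model_release(&d);
    return child.refs;
}

int main(void)
{
    printf("old error path: %d, fixed error path: %d, success path: %d\n",
           probe_refs_after(1, 1), probe_refs_after(1, 0), probe_refs_after(0, 0));
    return 0;
}
```

A negative result from the old error path corresponds to the double-put: in the kernel the extra put would drop a reference the probe does not own.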
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.77 | 188ba3468cb7 |
| 6.18 | 6.18.17 | ea07fcfbba43 |
| 6.19 | 6.19.7 | 1e0465139fd9 |
| 6.6 | 6.6.130 | 95b14ecc5688 |
| mainline | 7.0 | fd5bed798f45 |