HIGH
spi meson-spicc Controller Double-Put
CVE-2026-31489
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.8HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: spi: meson-spicc: Fix double-put in remove path meson_spicc_probe() registers the controller with devm_spi_register_controller(), so teardown already drops the controller reference via devm cleanup. Calling spi_controller_put() again in meson_spicc_remove() causes a double-put.
02KernelScan AI Analysis
Risk summary
A double-free vulnerability in the Meson SPI controller driver can cause kernel crashes or memory corruption when the driver is unloaded or the device is removed. This primarily affects embedded systems using Amlogic Meson processors and requires local access to trigger, but could lead to system instability or potential privilege escalation through memory corruption.
Vulnerability analysis
Root Cause: The meson_spicc_remove() function calls spi_controller_put() to release a reference to the SPI controller, but the controller was already registered using devm_spi_register_controller() in the probe function. The devm (device-managed) framework automatically handles cleanup and drops the controller reference when the device is removed, making the explicit spi_controller_put() call redundant and causing a double-put/double-free condition.
Attack Surface: This vulnerability affects systems with Amlogic Meson SoCs that use the SPICC (SPI Communication Controller) driver. The bug is triggered during device removal or driver unloading, which typically requires local access with sufficient privileges to manipulate device drivers or perform system shutdown/reboot operations.
Fix Mechanism: The patch removes the redundant spi_controller_put() call from meson_spicc_remove(), allowing the devm framework to handle the controller cleanup automatically. This eliminates the double-put condition while maintaining proper resource management.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 4.15 | 4.15 | d61bcec3aec6 |
| 4.20 | 4.20 | 7434c64ddae8 |
| 5.11 | 5.11 | 40ad0334c17b |
| 5.14 | 5.14 | da06a104f048 |
| 5.15 | 5.15.209 | 9b812ceb75a6 |
| 5.5 | 5.5 | 0d645c6d13fa |
| 6.1 | 6.1.175 | 63542bb402b7 |
| 6.12 | 6.12.80 | — |
| 6.18 | 6.18.21 | — |
| 6.19 | 6.19.11 | — |
| 6.6 | 6.6.140 | — |
| mainline | 7.0 | — |