HIGH
SPI Controller Double-Free
CVE-2026-43460
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

spi: rockchip-sfc: Fix double-free in remove() callback

The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free.

And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe().
02 KernelScan AI Analysis
Risk summary
A double-free vulnerability in the Rockchip SFC SPI driver can cause kernel crashes when the driver is unbound or the module is removed. This affects systems with the Rockchip SFC SPI flash controller driver loaded and requires root privileges to trigger via standard device unbinding or module unloading.
Vulnerability analysis
The vulnerability occurs because the driver uses devm_spi_register_controller() for automatic cleanup while also manually calling spi_unregister_controller() in the remove callback, causing the same controller to be unregistered twice. The fix switches to manual registration only (spi_register_controller()) in probe() to eliminate the automatic cleanup and prevent the double-free. Triggering the remove() path requires local root privileges (e.g., sysfs unbind or rmmod). The double-free corrupts heap metadata and typically results in a kernel panic.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.19 | b6051f2bdd4b |
| 6.19 | 6.19.9 | 85fb53351e6a |
| mainline | 7.0 | 111e2863372c |