HIGH
spi DMA Double-Unmap
CVE-2026-43461
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

spi: amlogic: spifc-a4: Fix DMA mapping error handling

Fix three bugs in aml_sfc_dma_buffer_setup() error paths:

1. Unnecessary goto: When the first DMA mapping (sfc->daddr) fails, nothing needs cleanup. Use direct return instead of goto.
2. Double-unmap bug: When info DMA mapping failed, the code would unmap sfc->daddr inline, then fall through to out_map_data which would unmap it again, causing a double-unmap.
3. Wrong unmap size: The out_map_info label used datalen instead of infolen when unmapping sfc->iaddr, which could lead to incorrect DMA sync behavior.
02 KernelScan AI Analysis
Risk summary
On systems where the Amlogic SPI Flash Controller driver (spifc-a4) is in use, a local user with low privileges who can drive the SPI flash device can reach the driver's DMA buffer setup error paths. There, a buffer that has already been unmapped is unmapped a second time (a double-unmap), which corrupts DMA API state and can crash the kernel, a denial of service. Affected systems are Amlogic SoCs with on-board SPI flash attached to this controller. The double-unmap is only reached when the kernel fails to map the info buffer for DMA, a condition a local user cannot force directly; the 5.5 MEDIUM rating above reflects an availability-only impact, whereas the 7.8 HIGH vector at the top of the page also rates confidentiality and integrity impact as high, which the fix description does not substantiate.
Vulnerability analysis
The bugs are in the error-handling paths of aml_sfc_dma_buffer_setup(), the routine that maps the data buffer (sfc->daddr) and, when one is present, the info buffer (sfc->iaddr) for DMA. If the info buffer mapping fails, the pre-fix code unmaps sfc->daddr inline and then jumps to the out_map_data label, which unmaps the same handle a second time: a double-unmap of a DMA buffer, which the DMA API bookkeeping does not tolerate and which can crash the kernel. In addition, the out_map_info label unmaps sfc->iaddr with datalen instead of infolen, so the length passed to the unmap does not match the mapping and, on non-coherent platforms, the cache maintenance performed at unmap time covers the wrong range. The fix drops the inline unmap so that out_map_data is the single place where sfc->daddr is released, passes infolen when releasing sfc->iaddr, and returns directly when the first mapping fails, since nothing has been mapped at that point. Reaching the faulty paths requires local access to the SPI flash device behind this controller, for which low privileges suffice, plus a DMA mapping failure during buffer setup, which is not something a user can trigger at will.
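The three error-path defects described above, as an added example that is not the driver's code or this page's own: a mock DMA mapping table (constructed for the example) tracks live mappings and their sizes, and the same buffer-setup routine is shown in its pre-fix and post-fix shape. The names mock_map, mock_unmap, buggy_setup, fixed_setup and run_setup are invented here, the controller command that can fail after the info mapping is an assumption used only so that out_map_info is reachable, and the real aml_sfc_dma_buffer_setup() is not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Mock DMA mapping API, constructed for this example (not the kernel's): it
 * records each mapping's handle and size and counts the two defects the commit
 * describes, unmapping a handle that is not live and unmapping with the wrong size. */
typedef unsigned long dma_addr_t;
#define MAX_MAPS 4

struct mock_dma {
	dma_addr_t addr[MAX_MAPS]; size_t len[MAX_MAPS]; bool live[MAX_MAPS];
	int n, live_count, map_calls;
	int fail_map_call;          /* 1-based map call that fails; 0 = never */
	bool fail_cmd_after_info;   /* assumed: a controller command fails after the info map */
	int bad_unmaps, bad_size_unmaps;
};

static dma_addr_t mock_map(struct mock_dma *d, size_t len)
{
	if (++d->map_calls == d->fail_map_call || d->n >= MAX_MAPS)
		return 0;   /* 0 stands in for a mapping error */
	d->addr[d->n] = 0x1000UL * (d->n + 1);
	d->len[d->n] = len; d->live[d->n] = true;
	d->live_count++;
	return d->addr[d->n++];
}

static void mock_unmap(struct mock_dma *d, dma_addr_t a, size_t len)
{
	for (int i = 0; i < d->n; i++) {
		if (d->addr[i] != a)
			continue;
		if (!d->live[i]) { d->bad_unmaps++; return; }   /* double-unmap */
		if (d->len[i] != len) d->bad_size_unmaps++;      /* wrong size: wrong cache range synced */
		d->live[i] = false; d->live_count--;
		return;
	}
	d->bad_unmaps++;   /* handle was never mapped at all */
}

struct sfc { dma_addr_t daddr, iaddr; };

/* Error-path shape before the fix, reduced to the three points in the description.
 * The command step that can fail after the info map is assumed, so out_map_info is reachable. */
static int buggy_setup(struct mock_dma *d, struct sfc *s, size_t datalen, size_t infolen)
{
	s->daddr = mock_map(d, datalen);
	if (!s->daddr)
		goto out_map_data;   /* 1: nothing mapped yet, so this unmap is bogus */
	s->iaddr = mock_map(d, infolen);
	if (!s->iaddr) {
		mock_unmap(d, s->daddr, datalen);   /* 2: inline unmap ... */
		goto out_map_data;                  /* ... then unmapped again at the label */
	}
	if (d->fail_cmd_after_info)
		goto out_map_info;
	return 0;
out_map_info:
	mock_unmap(d, s->iaddr, datalen);   /* 3: datalen instead of infolen */
out_map_data:
	mock_unmap(d, s->daddr, datalen);
	return -1;
}

/* The same function with the three corrections applied. */
static int fixed_setup(struct mock_dma *d, struct sfc *s, size_t datalen, size_t infolen)
{
	s->daddr = mock_map(d, datalen);
	if (!s->daddr)
		return -1;   /* 1: direct return, nothing to undo */
	s->iaddr = mock_map(d, infolen);
	if (!s->iaddr)
		goto out_map_data;   /* 2: daddr is unmapped exactly once, at the label */
	if (d->fail_cmd_after_info)
		goto out_map_info;
	return 0;
out_map_info:
	mock_unmap(d, s->iaddr, infolen);   /* 3: the size it was mapped with */
out_map_data:
	mock_unmap(d, s->daddr, datalen);
	return -1;
}

struct outcome { int ret, bad_unmaps, bad_size_unmaps, still_mapped; };

/* One scenario: fail_map_call picks the map call that fails (0 = none), fail_cmd the later command. */
static struct outcome run_setup(bool fixed, int fail_map_call, bool fail_cmd)
{
	struct mock_dma d = { .fail_map_call = fail_map_call, .fail_cmd_after_info = fail_cmd };
	struct sfc s = { 0 };
	int ret = fixed ? fixed_setup(&d, &s, 4096, 64) : buggy_setup(&d, &s, 4096, 64);
	return (struct outcome){ ret, d.bad_unmaps, d.bad_size_unmaps, d.live_count };
}

int main(void)
{
	struct outcome b = run_setup(false, 2, false), f = run_setup(true, 2, false);
	printf("info map fails: buggy bad_unmaps=%d, fixed bad_unmaps=%d\n", b.bad_unmaps, f.bad_unmaps);
	return 0;
}
```

Running the info-map-failure scenario against both variants shows the pre-fix routine releasing sfc->daddr twice while the fixed one releases it exactly once and leaves nothing mapped; the wrong-size scenario only shows up when the later step fails, which is why that defect was easy to miss. In a real kernel built with CONFIG_DMA_API_DEBUG the equivalent double unmap is reported as a DMA-API warning at the second dma_unmap_single() call.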
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.19 | 0a83d6c9e149 |
| 6.19 | 6.19.9 | c0b88f117607 |
| mainline | 7.0 | b20b437666e1 |