CISA-2021-46959
Reported by Linux · Published February 29, 2024
In the Linux kernel, the following vulnerability has been resolved: spi: Fix use-after-free with devm_spi_alloc_* We can't rely on the contents of the devres list during spi_unregister_controller(), as the list is already torn down at the time we perform devres_find() for devm_spi_release_controller. This causes devices registered with devm_spi_alloc_{master,slave}() to be mistakenly identified as legacy, non-devm managed devices and have their reference counters decremented below 0. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174 [<b0396f04>] (refcount_warn_saturate) from [<b03c56a4>] (kobject_put+0x90/0x98) [<b03c5614>] (kobject_put) from [<b0447b4c>] (put_device+0x20/0x24) r4:b6700140 [<b0447b2c>] (put_device) from [<b07515e8>] (devm_spi_release_controller+0x3c/0x40) [<b07515ac>] (devm_spi_release_controller) from [<b045343c>] (release_nodes+0x84/0xc4) r5:b6700180 r4:b6700100 [<b04533b8>] (release_nodes) from [<b0454160>] (devres_release_all+0x5c/0x60) r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10 [<b0454104>] (devres_release_all) from [<b044e41c>] (__device_release_driver+0x144/0x1ec) r5:b117ad94 r4:b163dc10 [<b044e2d8>] (__device_release_driver) from [<b044f70c>] (device_driver_detach+0x84/0xa0) r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10 [<b044f688>] (device_driver_detach) from [<b044d274>] (unbind_store+0xe4/0xf8) Instead, determine the devm allocation state as a flag on the controller which is guaranteed to be stable during cleanup.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | a4add022c1552b0d51a0b89a4781919d6ebac4f9, 0870525cf94bc27907e94ce99afb6d7239ffd2f5, 8c45a1c6c951bbe7f95db78fcab46f7337364468 |
| Linux | Linux | 5.10, 0, 4.4.271 |
| linux | linux_kernel | 4.4.248, 4.9.248, 4.14.212 |
| Linux | Linux | 0870525cf94bc27907e94ce99afb6d7239ffd2f5, 8c45a1c6c951bbe7f95db78fcab46f7337364468, 3e04a4976addbedcad326f47b0dd4efc570a1fac |
Timeline
- Feb 29, 2024 CVE Published
- May 4, 2025 CVE Updated