From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4F1583F1656 for ; Fri, 8 May 2026 14:27:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250453; cv=none; b=hmLqKuObT0AYwGXIpjWgBkrCCQWD8b4Mx3oaJv1Pp9ZyC9k0bC17dtveKXdZZ9OZLTXhpEoNsDgEqAXG0sSj9GU+htSAgPBKVNpJe5uQbRDiM90vEZlmdPAbtm79XwRWEwf5L8hafqr4AYcV293N5rBKbZPKmy9n9mqfhzObus4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250453; c=relaxed/simple; bh=/6wjjzJICKDULYcOnBA/EJ05h4OYUFtRKcZk++qvMUk=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=n/v34m9tC15IIMM1VF7gRSwNIuG9+kuHcnBTHKlfvTNU7SsT0LcPAYUAKiYQtfnTQtpWDZi0DlkYz2vvW7fLn6czPDm3Ph445qFykM9pjstB9YSODzkmWSLxex2f8WMKdbIyKgPv2hRo0c3ZOIy6Gutgm+tUnOBZQWGvb+ObucQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=maepmjgS; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="maepmjgS" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D30BFC2BCB0; Fri, 8 May 2026 14:27:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250453; bh=/6wjjzJICKDULYcOnBA/EJ05h4OYUFtRKcZk++qvMUk=; h=From:To:Cc:Subject:Date:Reply-To:From; b=maepmjgSeX0kmQRTQ7hAlMZu0BpAEewOtMjo8IGgTzFKlslDqibPXvxn/wgN80hep +WKZiIjtaPtnbtQjiu8AV/qwwzgBHathT3Wd4smQbHf1eaDVTA7g0AqCkJSZH5UB2u NPNbJWaLyE0ey651n2c26PpiwplkjBrdk/ml/cl8= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43460: spi: rockchip-sfc: Fix double-free in remove() callback Date: Fri, 8 May 2026 16:23:09 +0200 Message-ID: <2026050801-CVE-2026-43460-5893@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2386; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=j3Rfo5I3+Q6q+q6b5EB7rZTheyad8NsGJDdxPsR2TJY=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P3Yqdt+V3rQ8stuPxdTtTnzN0oiu7SoRmhLKVauEo nQvbfnREcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABOR2sMwz0ZS/3vzvC+MlZbe Ot2RB7+VJP04zTCHO2L68stRdy4svhIf0eVgZFVvnysLAA== X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: spi: rockchip-sfc: Fix double-free in remove() callback The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free. And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe(). The Linux kernel CVE team has assigned CVE-2026-43460 to this issue. Affected and fixed versions =========================== Issue introduced in 6.14 with commit 8011709906d0d6ff1ba9589de5a906bf6e430782 and fixed in 6.18.19 with commit b6051f2bdd4bd3dde85b68558edd3a6843489221 Issue introduced in 6.14 with commit 8011709906d0d6ff1ba9589de5a906bf6e430782 and fixed in 6.19.9 with commit 85fb53351e6a3b921357a2178671e847a087e400 Issue introduced in 6.14 with commit 8011709906d0d6ff1ba9589de5a906bf6e430782 and fixed in 7.0 with commit 111e2863372c322e836e0c896f6dd9cf4ee08c71 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43460 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/spi/spi-rockchip-sfc.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b6051f2bdd4bd3dde85b68558edd3a6843489221 https://git.kernel.org/stable/c/85fb53351e6a3b921357a2178671e847a087e400 https://git.kernel.org/stable/c/111e2863372c322e836e0c896f6dd9cf4ee08c71