CVE Published: 29/02/2024 |
CVE Updated: 04/11/2024 |
CVE Year: 2021 Source: Linux |
Vendor: Linux |
Product: Linux Status : PUBLISHED
CVE-2021-46959 Description
In the Linux kernel, the following vulnerability has been resolved:
spi: Fix use-after-free with devm_spi_alloc_*
We can\'t rely on the contents of the devres list during
spi_unregister_controller(), as the list is already torn down at the
time we perform devres_find() for devm_spi_release_controller. This
causes devices registered with devm_spi_alloc_{master,slave}() to be
mistakenly identified as legacy, non-devm managed devices and have their
reference counters decremented below 0.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174
[] (refcount_warn_saturate) from [] (kobject_put+0x90/0x98)
[] (kobject_put) from [] (put_device+0x20/0x24)
r4:b6700140
[] (put_device) from [] (devm_spi_release_controller+0x3c/0x40)
[] (devm_spi_release_controller) from [] (release_nodes+0x84/0xc4)
r5:b6700180 r4:b6700100
[] (release_nodes) from [] (devres_release_all+0x5c/0x60)
r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10
[] (devres_release_all) from [] (__device_release_driver+0x144/0x1ec)
r5:b117ad94 r4:b163dc10
[] (__device_release_driver) from [] (device_driver_detach+0x84/0xa0)
r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10
[] (device_driver_detach) from [] (unbind_store+0xe4/0xf8)
Instead, determine the devm allocation state as a flag on the
controller which is guaranteed to be stable during cleanup.