CVE-2026-43460

spi: rockchip-sfc: Fix double-free in remove() callback

Assigner: Linux
Reserved: 01.05.2026 Published: 08.05.2026 Updated: 08.05.2026

In the Linux kernel, the following vulnerability has been resolved:

spi: rockchip-sfc: Fix double-free in remove() callback

The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free.

And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe().

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 8011709906d0d6ff1ba9589de5a906bf6e430782 to b6051f2bdd4bd3dde85b68558edd3a6843489221 (excl.) affected from 8011709906d0d6ff1ba9589de5a906bf6e430782 to 85fb53351e6a3b921357a2178671e847a087e400 (excl.) affected from 8011709906d0d6ff1ba9589de5a906bf6e430782 to 111e2863372c322e836e0c896f6dd9cf4ee08c71 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from 8011709906d0d6ff1ba9589de5a906bf6e430782 to b6051f2bdd4bd3dde85b68558edd3a6843489221 (excl.)
affected from 8011709906d0d6ff1ba9589de5a906bf6e430782 to 85fb53351e6a3b921357a2178671e847a087e400 (excl.)
affected from 8011709906d0d6ff1ba9589de5a906bf6e430782 to 111e2863372c322e836e0c896f6dd9cf4ee08c71 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 6.14 is affected unaffected from 0 to 6.14 (excl.) unaffected from 6.18.19 to 6.18.* (incl.) unaffected from 6.19.9 to 6.19.* (incl.) unaffected from 7.0 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 6.14 is affected
unaffected from 0 to 6.14 (excl.)
unaffected from 6.18.19 to 6.18.* (incl.)
unaffected from 6.19.9 to 6.19.* (incl.)
unaffected from 7.0 to * (incl.)

References

CVE-2026-43460 PUBLISHED

spi: rockchip-sfc: Fix double-free in remove() callback

Product Status

References