Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A double free vulnerability has been identified in the Linux kernel's handling of GPIO devices within the Intel INT3472 platform driver. This issue arises because the 'regulator_unregister()' function frees the associated GPIO device, but the driver inadvertently releases it again, leading to a double free scenario. This flaw causes random failures in interrupt allocation for other drivers, particularly those related to Intel THC. The problem is exacerbated when the INT3472 driver defers its probe, causing the reference count of the 'pinctrl_intel_platform' module to drop to zero prematurely. The vulnerability can also be reproduced by manually unloading the INT3472 module.
Exploitation of this vulnerability leads to a double free condition, causing random failures in interrupt allocation for drivers that rely on the affected GPIO device. This can disrupt normal device operation and potentially lead to further issues, such as memory corruption.
The vulnerability can be reproduced by loading the Intel INT3472 platform driver on a ThinkPad X9 (Lunar Lake) device, allowing it to defer its probe. This will cause the reference count of the 'pinctrl_intel_platform' module to drop to zero, creating the conditions for the double free vulnerability. Alternatively, the issue can be triggered by manually unloading the INT3472 module, which will also result in the double free condition.
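The ownership error described above, shown as an added user-space C model (not kernel or driver code, and not part of the original advisory). All `model_*` functions and structs are hypothetical; the model assumes, per the description, that the regulator owns its enable GPIO once registered and that each GPIO handle pins the provider module, with a second still-held handle standing in for another driver such as Intel THC.

```c
#include <stdio.h>

/* Constructed model; every name here is hypothetical, not a kernel symbol. */
struct provider { int refcnt; };              /* GPIO provider module refcount */
struct gpio_handle { struct provider *owner; int live; int double_frees; };
struct regulator { struct gpio_handle *ena; };/* owns its enable GPIO */
struct result { int refcnt; int double_frees; };

static void model_gpio_get(struct gpio_handle *g, struct provider *p)
{
    g->owner = p; g->live = 1; g->double_frees = 0;
    p->refcnt++;                              /* each handle pins the provider */
}

static void model_gpio_put(struct gpio_handle *g)
{
    if (!g->live)
        g->double_frees++;                    /* handle was already released */
    g->live = 0;
    g->owner->refcnt--;                       /* second put drops a ref it never took */
}

static void model_regulator_unregister(struct regulator *r)
{
    model_gpio_put(r->ena);                   /* regulator releases the GPIO it owns */
}

/* driver_also_puts = 1 models the flawed teardown, 0 the corrected one. */
static struct result teardown(int driver_also_puts)
{
    struct provider pinctrl = { 0 };
    struct gpio_handle other, ena;
    struct regulator reg = { &ena };

    model_gpio_get(&other, &pinctrl);         /* another driver's GPIO, still held */
    model_gpio_get(&ena, &pinctrl);           /* regulator enable GPIO */
    model_regulator_unregister(&reg);
    if (driver_also_puts)
        model_gpio_put(&ena);                 /* driver releases it a second time */
    return (struct result){ pinctrl.refcnt, ena.double_frees };
}

int main(void)
{
    struct result bad = teardown(1), good = teardown(0);
    printf("flawed:    refcnt=%d double_frees=%d\n", bad.refcnt, bad.double_frees);
    printf("corrected: refcnt=%d double_frees=%d\n", good.refcnt, good.double_frees);
    return 0;
}
```

In the flawed run the provider count reaches zero while the other handle is still held, which is the premature drop the description attributes to the deferred probe and the manual module unload.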
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version available in the Linux kernel stable tree.