Linux Kernel Double Free Vulnerability in Rockchip USB2 PHY Driver

A double free vulnerability has been identified in the Rockchip USB2 PHY driver of the Linux kernel. This issue arises in the 'rockchip_usb2phy_probe()' function, where the 'of_node_put()' call is used to release child nodes. After exiting the loop that processes these child nodes, the function can inadvertently call 'of_node_put()' again if it encounters an error while requesting an interrupt. This behavior leads to a double free condition. The vulnerability has been addressed by modifying the function to return an error directly, preventing the duplicate 'of_node_put()' call.

Impact

Exploitation of this vulnerability could lead to memory corruption issues, potentially allowing for arbitrary code execution or causing a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by loading the Rockchip USB2 PHY driver in a Linux kernel environment where the 'rockchip_usb2phy_probe()' function is called. This can be done by compiling the kernel with the driver included and then inserting the module. The double free condition will occur when the driver attempts to release child node references after an error in interrupt handling, creating a vulnerability that could be exploited.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The patch is available in the Linux stable tree.