Linux Kernel Rockchip SPI Controller Double-Free Vulnerability

A double-free vulnerability has been identified in the Rockchip SPI controller driver of the Linux kernel. This issue arises because the driver improperly manages the registration and unregistration of the SPI controller. It uses 'devm_spi_register_controller()' for registration, which automatically handles unregistration when the device is removed. However, the manual call to 'spi_unregister_controller()' in the remove() callback can lead to a double-free condition. To prevent this, the driver should use 'spi_register_controller()' in the probe() function instead.

Impact

Exploitation of this vulnerability can lead to a double-free condition, which may cause memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by loading the Rockchip SPI controller driver that uses 'devm_spi_register_controller()' for registration. When the device is removed, the manual call to 'spi_unregister_controller()' in the remove() callback will trigger the double-free condition.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the Rockchip SPI controller driver to use 'spi_register_controller()' in the probe() function, ensuring proper management of the SPI controller's lifecycle.