
Description

In the Linux kernel, the following vulnerability has been resolved:

spi: spi-fsl-lpspi: fix teardown order issue (UAF)

There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), which delays unregistration of the SPI controller until after the fsl_lpspi_remove() function returns.

As the fsl_lpspi_remove() function synchronously tears down the DMA channels, a running SPI transfer triggers the following NULL pointer dereference due to use after free:

| fsl_lpspi 42550000.spi: I/O Error in DMA RX
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[...]
| Call trace:
| fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]
| fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]
| spi_transfer_one_message+0x49c/0x7c8
| __spi_pump_transfer_message+0x120/0x420
| __spi_sync+0x2c4/0x520
| spi_sync+0x34/0x60
| spidev_message+0x20c/0x378 [spidev]
| spidev_ioctl+0x398/0x750 [spidev]
[...]

Switch from devm_spi_register_controller() to spi_register_controller() in fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in fsl_lpspi_remove().
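The ordering problem described above, modelled in user-space C as an added example (not the driver's or the kernel's code). The struct, the devres array and the names drv_probe, drv_remove and unbind_hazards are hypothetical stand-ins; the model counts states in which the controller is still registered after the DMA channels have been released.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy user-space model of unbind ordering; all names are illustrative. */
struct model {
    bool ctlr_registered; /* SPI core can still start transfers */
    bool dma_alive;       /* DMA channels still allocated */
    int hazards;          /* states where a transfer would use freed DMA */
};

static void (*devres[4])(struct model *); /* managed (devm) release actions */
static int ndevres;

/* A hazard exists whenever transfers are possible but DMA is gone. */
static void check(struct model *m) {
    if (m->ctlr_registered && !m->dma_alive)
        m->hazards++;
}

static void unregister_ctlr(struct model *m) { m->ctlr_registered = false; check(m); }
static void release_dma(struct model *m) { m->dma_alive = false; check(m); }

static void drv_probe(struct model *m, bool use_devm) {
    m->dma_alive = m->ctlr_registered = true;
    if (use_devm)
        devres[ndevres++] = unregister_ctlr; /* runs only after remove() */
}

static void drv_remove(struct model *m, bool use_devm) {
    if (!use_devm)
        unregister_ctlr(m); /* fixed order: stop transfers first */
    release_dma(m);
}

/* Driver core on unbind: remove() runs, then devres actions in reverse. */
int unbind_hazards(bool use_devm) {
    struct model m = {0};
    ndevres = 0;
    drv_probe(&m, use_devm);
    drv_remove(&m, use_devm);
    while (ndevres > 0)
        devres[--ndevres](&m);
    return m.hazards;
}

int main(void) {
    printf("devm registration: %d hazard(s)\n", unbind_hazards(true));
    printf("explicit unregister: %d hazard(s)\n", unbind_hazards(false));
    return 0;
}
```

With managed registration the model reports one hazardous state, the window in which a running transfer can reach released DMA channels; with the explicit unregister placed first in remove it reports none.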

PUBLISHED Reserved 2026-03-09 | Published 2026-04-22 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

5314987de5e5f5e38436ef4a69328bc472bbd63e (git) before fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6
affected

5314987de5e5f5e38436ef4a69328bc472bbd63e (git) before ca4483f36ac1b62e69f8b182c5b8f059e0abecfb
affected

5314987de5e5f5e38436ef4a69328bc472bbd63e (git) before e3fd54f8b0317fbccc103961ddd660f2a32dcf0b
affected

5314987de5e5f5e38436ef4a69328bc472bbd63e (git) before adb25339b66112393fd6892ceff926765feb5b86
affected

5314987de5e5f5e38436ef4a69328bc472bbd63e (git) before d5d01f24bc6fbde40b4e567ef9160194b61267bc
affected

5314987de5e5f5e38436ef4a69328bc472bbd63e (git) before e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3
affected

5314987de5e5f5e38436ef4a69328bc472bbd63e (git) before 15650dfbaeeb14bcaaf053b93cf631db8d465300
affected

5314987de5e5f5e38436ef4a69328bc472bbd63e (git) before b341c1176f2e001b3adf0b47154fc31589f7410e
affected

Default status
affected

4.10
affected

Any version before 4.10
unaffected

5.10.253 (semver)
unaffected

5.15.203 (semver)
unaffected

6.1.168 (semver)
unaffected

6.6.131 (semver)
unaffected

6.12.80 (semver)
unaffected

6.18.21 (semver)
unaffected

6.19.11 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6

git.kernel.org/...c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb

git.kernel.org/...c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b

git.kernel.org/...c/adb25339b66112393fd6892ceff926765feb5b86

git.kernel.org/...c/d5d01f24bc6fbde40b4e567ef9160194b61267bc

git.kernel.org/...c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3

git.kernel.org/...c/15650dfbaeeb14bcaaf053b93cf631db8d465300

git.kernel.org/...c/b341c1176f2e001b3adf0b47154fc31589f7410e

cve.org (CVE-2026-31485)

nvd.nist.gov (CVE-2026-31485)
