{"id":"CVE-2021-46959","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix use-after-free with devm_spi_alloc_*\n\nWe can't rely on the contents of the devres list during\nspi_unregister_controller(), as the list is already torn down at the\ntime we perform devres_find() for devm_spi_release_controller. This\ncauses devices registered with devm_spi_alloc_{master,slave}() to be\nmistakenly identified as legacy, non-devm managed devices and have their\nreference counters decremented below 0.\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174\n[\u003cb0396f04\u003e] (refcount_warn_saturate) from [\u003cb03c56a4\u003e] (kobject_put+0x90/0x98)\n[\u003cb03c5614\u003e] (kobject_put) from [\u003cb0447b4c\u003e] (put_device+0x20/0x24)\n r4:b6700140\n[\u003cb0447b2c\u003e] (put_device) from [\u003cb07515e8\u003e] (devm_spi_release_controller+0x3c/0x40)\n[\u003cb07515ac\u003e] (devm_spi_release_controller) from [\u003cb045343c\u003e] (release_nodes+0x84/0xc4)\n r5:b6700180 r4:b6700100\n[\u003cb04533b8\u003e] (release_nodes) from [\u003cb0454160\u003e] (devres_release_all+0x5c/0x60)\n r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10\n[\u003cb0454104\u003e] (devres_release_all) from [\u003cb044e41c\u003e] (__device_release_driver+0x144/0x1ec)\n r5:b117ad94 r4:b163dc10\n[\u003cb044e2d8\u003e] (__device_release_driver) from [\u003cb044f70c\u003e] (device_driver_detach+0x84/0xa0)\n r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10\n[\u003cb044f688\u003e] (device_driver_detach) from [\u003cb044d274\u003e] (unbind_store+0xe4/0xf8)\n\nInstead, determine the devm allocation state as a flag on the\ncontroller which is guaranteed to be stable during cleanup.","modified":"2026-03-13T05:16:29.921512Z","published":"2024-02-29T23:15:07.230Z","related":["SUSE-SU-2024:1465-1","SUSE-SU-2024:1489-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/c7fabe372a9031acd00498bc718ce27c253abfd1"},{"type":"FIX","url":"https://git.kernel.org/stable/c/001c8e83646ad3b847b18f6ac55a54367d917d74"},{"type":"FIX","url":"https://git.kernel.org/stable/c/62bb2c7f2411a0045c24831f11ecacfc35610815"},{"type":"FIX","url":"https://git.kernel.org/stable/c/794aaf01444d4e765e2b067cba01cc69c1c68ed9"},{"type":"FIX","url":"https://git.kernel.org/stable/c/8bf96425c90f5c1dcf3b7b9df568019a1d4b8a0e"},{"type":"FIX","url":"https://git.kernel.org/stable/c/8e029707f50a82c53172359c686b2536ab54e58c"},{"type":"FIX","url":"https://git.kernel.org/stable/c/cee78aa24578edac8cf00513dca618c0acc17cd7"},{"type":"FIX","url":"https://git.kernel.org/stable/c/28a5529068c51cdf0295ab1e11a99a3a909a03e4"},{"type":"FIX","url":"https://git.kernel.org/stable/c/8735248ebb918d25427965f0db07939ed0473ec6"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46959.json","unresolved_ranges":[{"events":[{"introduced":"4.4.248"},{"fixed":"4.4.271"}]},{"events":[{"introduced":"4.9.248"},{"fixed":"4.9.271"}]},{"events":[{"introduced":"4.14.212"},{"fixed":"4.14.233"}]},{"events":[{"introduced":"4.19.163"},{"fixed":"4.19.191"}]},{"events":[{"introduced":"5.4.80"},{"fixed":"5.4.119"}]},{"events":[{"introduced":"5.10"},{"fixed":"5.10.37"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.11.21"}]},{"events":[{"introduced":"5.12"},{"fixed":"5.12.4"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}