VYPR
← All advisories
Unrated severityNVD Advisory· Published May 28, 2026

CVE-2026-46200

CVE-2026-46200

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: mpc52xx: fix controller deregistration

Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.

Affected products

2

Patches

8
a3669f678d0e

spi: mpc52xx: fix controller deregistration

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJohan HovoldApr 14, 2026Fixed in 6.12.90via kernel-cna
commit
1 file changed · +2 2
  • drivers/spi/spi-mpc52xx.c+2 2 modified
    diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index 8bc634bd40ab80..ad01dd1ad0b38b 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -523,6 +523,8 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 	struct mpc52xx_spi *ms = spi_controller_get_devdata(host);
 	int i;
 
+	spi_unregister_controller(host);
+
 	cancel_work_sync(&ms->work);
 	free_irq(ms->irq0, ms);
 	free_irq(ms->irq1, ms);
@@ -531,7 +533,6 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 		gpiod_put(ms->gpio_cs[i]);
 
 	kfree(ms->gpio_cs);
-	spi_unregister_controller(host);
 	iounmap(ms->regs);
 	spi_controller_put(host);
 }
-- 
cgit 1.3-korg
28f28a0f4e32

spi: mpc52xx: fix controller deregistration

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJohan HovoldApr 14, 2026Fixed in 6.18.32via kernel-cna
commit
1 file changed · +2 2
  • drivers/spi/spi-mpc52xx.c+2 2 modified
    diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index b022688221fa54..a8d3cecb276b23 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -523,6 +523,8 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 	struct mpc52xx_spi *ms = spi_controller_get_devdata(host);
 	int i;
 
+	spi_unregister_controller(host);
+
 	cancel_work_sync(&ms->work);
 	free_irq(ms->irq0, ms);
 	free_irq(ms->irq1, ms);
@@ -531,7 +533,6 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 		gpiod_put(ms->gpio_cs[i]);
 
 	kfree(ms->gpio_cs);
-	spi_unregister_controller(host);
 	iounmap(ms->regs);
 	spi_controller_put(host);
 }
-- 
cgit 1.3-korg
7fea80d93bfd

spi: mpc52xx: fix controller deregistration

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJohan HovoldApr 14, 2026Fixed in 7.0.9via kernel-cna
commit
1 file changed · +2 2
  • drivers/spi/spi-mpc52xx.c+2 2 modified
    diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index afef72896e65e7..157228562d65d8 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -520,6 +520,8 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 	struct mpc52xx_spi *ms = spi_controller_get_devdata(host);
 	int i;
 
+	spi_unregister_controller(host);
+
 	cancel_work_sync(&ms->work);
 	free_irq(ms->irq0, ms);
 	free_irq(ms->irq1, ms);
@@ -528,7 +530,6 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 		gpiod_put(ms->gpio_cs[i]);
 
 	kfree(ms->gpio_cs);
-	spi_unregister_controller(host);
 	iounmap(ms->regs);
 	spi_controller_put(host);
 }
-- 
cgit 1.3-korg
0f997fdae819

spi: mpc52xx: fix controller deregistration

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJohan HovoldApr 14, 2026Fixed in 7.1-rc1via kernel-cna
commit
1 file changed · +2 2
  • drivers/spi/spi-mpc52xx.c+2 2 modified
    diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index 05bbd3795e7d80..823b49f8ece2a2 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -517,6 +517,8 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 	struct mpc52xx_spi *ms = spi_controller_get_devdata(host);
 	int i;
 
+	spi_unregister_controller(host);
+
 	cancel_work_sync(&ms->work);
 	free_irq(ms->irq0, ms);
 	free_irq(ms->irq1, ms);
@@ -525,7 +527,6 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 		gpiod_put(ms->gpio_cs[i]);
 
 	kfree(ms->gpio_cs);
-	spi_unregister_controller(host);
 	iounmap(ms->regs);
 	spi_controller_put(host);
 }
-- 
cgit 1.3-korg
a3669f678d0e

spi: mpc52xx: fix controller deregistration

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJohan HovoldApr 14, 2026via nvd-ref
commit
1 file changed · +2 2
  • drivers/spi/spi-mpc52xx.c+2 2 modified
    diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index 8bc634bd40ab80..ad01dd1ad0b38b 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -523,6 +523,8 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 	struct mpc52xx_spi *ms = spi_controller_get_devdata(host);
 	int i;
 
+	spi_unregister_controller(host);
+
 	cancel_work_sync(&ms->work);
 	free_irq(ms->irq0, ms);
 	free_irq(ms->irq1, ms);
@@ -531,7 +533,6 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 		gpiod_put(ms->gpio_cs[i]);
 
 	kfree(ms->gpio_cs);
-	spi_unregister_controller(host);
 	iounmap(ms->regs);
 	spi_controller_put(host);
 }
-- 
cgit 1.3-korg
0f997fdae819

spi: mpc52xx: fix controller deregistration

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJohan HovoldApr 14, 2026via nvd-ref
commit
1 file changed · +2 2
  • drivers/spi/spi-mpc52xx.c+2 2 modified
    diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index 05bbd3795e7d80..823b49f8ece2a2 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -517,6 +517,8 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 	struct mpc52xx_spi *ms = spi_controller_get_devdata(host);
 	int i;
 
+	spi_unregister_controller(host);
+
 	cancel_work_sync(&ms->work);
 	free_irq(ms->irq0, ms);
 	free_irq(ms->irq1, ms);
@@ -525,7 +527,6 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 		gpiod_put(ms->gpio_cs[i]);
 
 	kfree(ms->gpio_cs);
-	spi_unregister_controller(host);
 	iounmap(ms->regs);
 	spi_controller_put(host);
 }
-- 
cgit 1.3-korg
28f28a0f4e32

spi: mpc52xx: fix controller deregistration

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJohan HovoldApr 14, 2026via nvd-ref
commit
1 file changed · +2 2
  • drivers/spi/spi-mpc52xx.c+2 2 modified
    diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index b022688221fa54..a8d3cecb276b23 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -523,6 +523,8 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 	struct mpc52xx_spi *ms = spi_controller_get_devdata(host);
 	int i;
 
+	spi_unregister_controller(host);
+
 	cancel_work_sync(&ms->work);
 	free_irq(ms->irq0, ms);
 	free_irq(ms->irq1, ms);
@@ -531,7 +533,6 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 		gpiod_put(ms->gpio_cs[i]);
 
 	kfree(ms->gpio_cs);
-	spi_unregister_controller(host);
 	iounmap(ms->regs);
 	spi_controller_put(host);
 }
-- 
cgit 1.3-korg
7fea80d93bfd

spi: mpc52xx: fix controller deregistration

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJohan HovoldApr 14, 2026via nvd-ref
commit
1 file changed · +2 2
  • drivers/spi/spi-mpc52xx.c+2 2 modified
    diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index afef72896e65e7..157228562d65d8 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -520,6 +520,8 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 	struct mpc52xx_spi *ms = spi_controller_get_devdata(host);
 	int i;
 
+	spi_unregister_controller(host);
+
 	cancel_work_sync(&ms->work);
 	free_irq(ms->irq0, ms);
 	free_irq(ms->irq1, ms);
@@ -528,7 +530,6 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 		gpiod_put(ms->gpio_cs[i]);
 
 	kfree(ms->gpio_cs);
-	spi_unregister_controller(host);
 	iounmap(ms->regs);
 	spi_controller_put(host);
 }
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Incorrect teardown ordering in mpc52xx_spi_remove(): the SPI controller is unregistered after interrupts and GPIOs are released, allowing use-after-free of freed resources."

Attack vector

An attacker with the ability to trigger driver unbind (e.g., via device removal, hot-unplug, or sysfs bind/unbind) on a system using the mpc52xx-spi driver can exploit the incorrect teardown ordering. During unbind, the original code freed interrupts and GPIO chip-select lines before calling spi_unregister_controller(), leaving the SPI framework to potentially access those freed resources. No special network path or payload is required; the precondition is local access to trigger driver removal on the affected platform.

Affected code

The vulnerability is in the mpc52xx_spi_remove() function in drivers/spi/spi-mpc52xx.c. The original code called spi_unregister_controller() at the end of the function, after freeing IRQs, canceling work, and releasing GPIO chip-select lines [patch_id=2897815].

What the fix does

The patch moves the spi_unregister_controller() call to the very beginning of the mpc52xx_spi_remove() function, before any resource teardown (cancel_work_sync, free_irq, gpiod_put, iounmap). This ensures the SPI controller is fully deregistered from the framework while all underlying resources are still valid, preventing any use-after-free or access to freed interrupts/GPIOs. The old call at the end of the function is removed [patch_id=2897815].

Preconditions

  • authLocal access to trigger driver unbind (e.g., device removal, hot-unplug, or sysfs bind/unbind)
  • configSystem must use the mpc52xx-spi driver (PowerPC 5200 platform)

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.