Andre Przywara

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.7.0-rc2-00124-g455ef3d016c9-dirty #793 Description: The issue is related to a double free in the SMC transport cleanup path in the Linux kernel. When the generic SCMI code tears down a channel, it calls the `chan free` callback function, which might clean up the same member multiple times within the given SCMI transport implementation, leading to a NULL pointer dereference. This can occur when multiple protocols share the same `transport info` member. The vulnerability can be exploited when a transport does not work properly, such as when there is no SMC service, causing the probe routines to attempt cleanup and trigger a crash. Recommendations: To resolve the issue, simply check for the struct pointer being NULL before trying to access its members, to avoid this situation. As a temporary workaround, consider disabling the `smc chan free` function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.