Fei Shao

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a NULL pointer access in the interrupt handler of the spi-mt65xx driver. The TX buffer in spi transfer can be a NULL pointer, which may cause the interrupt handler to write to invalid memory and result in crashes. There is no information about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free (UAF) issue has been resolved in the Linux kernel. The pmif driver data, which contains clocks, is allocated along with `spmi controller`. When a device is removed, `spmi controller` is freed first, followed by the cleanup of `devres`, including the clocks. This leads to a UAF because the clocks are accessed after `spmi controller` has been freed. The issue can be reproduced by enabling `DEBUG TEST DRIVER REMOVE` and building the kernel with KASAN. The fix involves using unmanaged `clk bulk get()` and putting the clocks before freeing `spmi controller`. **Recommendations** To resolve the issue, use unmanaged `clk bulk get()` and put the clocks before freeing `spmi controller`. As a temporary workaround, consider disabling the `spmi: mediatek` driver until a patch is available. Restrict access to the vulnerable `spmi controller` to minimize the risk of exploitation. Avoid using the `devres` cleanup function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.