Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2025-38682

CVSS v3.1 severity: HIGH
Type: CWE-415 Double Free
Publication date: 04/09/2025
Last modified: 25/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

i2c: core: Fix double-free of fwnode in i2c_unregister_device()

Before commit df6d7277e552 ("i2c: core: Do not dereference fwnode in struct device"), i2c_unregister_device() only called fwnode_handle_put() on of_node-s in the form of calling of_node_put(client->dev.of_node).

But after this commit the i2c_client's fwnode now unconditionally gets fwnode_handle_put() on it.

When the i2c_client has no primary (ACPI / OF) fwnode but it does have a software fwnode, the software-node will be the primary node and fwnode_handle_put() will put() it.

But for the software fwnode device_remove_software_node() will also put() it leading to a double free:

[ 82.665598] ------------[ cut here ]------------
[ 82.665609] refcount_t: underflow; use-after-free.
[ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11
...
[ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110
...
[ 82.666962]
[ 82.666971] i2c_unregister_device+0x60/0x90

Fix this by not calling fwnode_handle_put() when the primary fwnode is a software-node.
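
A userspace model of the reference counting described above, added here as an example and not taken from the kernel source or from the advisory. `struct node`, `struct client`, `node_put`, `unregister_client` and `teardown` are hypothetical stand-ins for the fwnode handling; the model assumes the device holds a single reference on its node.

```c
#include <stdio.h>

/* Userspace model: hypothetical stand-ins, not the kernel's fwnode API. */
enum node_kind { NODE_OF, NODE_SOFTWARE };

struct node {
    enum node_kind kind;
    int refs;       /* models the node's refcount_t */
    int underflow;  /* set where the kernel prints "refcount_t: underflow" */
};

struct client {
    struct node *primary; /* the device's primary fwnode */
    struct node *swnode;  /* software node attached to the device, or NULL */
};

static void node_put(struct node *n)
{
    if (n && n->refs > 0)
        n->refs--;
    else if (n)
        n->underflow = 1; /* put on an already released node */
}

/* fixed == 0: unconditional put; fixed == 1: skip the put for a software primary. */
static void unregister_client(struct client *c, int fixed)
{
    if (!fixed || c->primary->kind != NODE_SOFTWARE)
        node_put(c->primary);
    node_put(c->swnode); /* models the put done by device_remove_software_node() */
    c->swnode = NULL;
}

/* Returns the remaining refcount after teardown, or -1 on underflow. */
static int teardown(enum node_kind kind, int fixed)
{
    struct node n = { kind, 1, 0 };
    struct client c = { &n, kind == NODE_SOFTWARE ? &n : NULL };
    unregister_client(&c, fixed);
    return n.underflow ? -1 : n.refs;
}

int main(void)
{
    printf("software primary, before fix: %d\n", teardown(NODE_SOFTWARE, 0));
    printf("software primary, after fix:  %d\n", teardown(NODE_SOFTWARE, 1));
    printf("OF primary, after fix:        %d\n", teardown(NODE_OF, 1));
    return 0;
}
```

A result of -1 marks the second put on an already released node; 0 means the single reference was dropped exactly once.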

Vulnerable products and versions

CPE | From | To
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16 (including) | 6.16.2 (excluding)