CVE-2025-68754 Overview
A double free vulnerability has been discovered in the Linux kernel's Amlogic A4 Real-Time Clock (RTC) driver. The issue arises from improper resource management where the clock obtained via devm_clk_get_enabled() is automatically managed by the device resource management (devres) framework and will be disabled and freed on driver detach. However, the driver was also manually calling clk_disable_unprepare() in the error path and remove function, causing a double free condition.
Critical Impact
Memory corruption via double free can lead to system instability, kernel crashes, or potentially exploitable conditions on systems using Amlogic A4 RTC hardware.
Affected Products
- Linux kernel with Amlogic A4 RTC driver (rtc-amlogic-a4)
- Devices using Amlogic A4 SoC with RTC functionality
- Linux distributions running affected kernel versions
Discovery Timeline
- 2026-01-05 - CVE-2025-68754 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-68754
Vulnerability Analysis
This double free vulnerability occurs in the Amlogic A4 RTC driver due to a misunderstanding of the Linux kernel's device resource management (devm) framework. When a driver uses devm_clk_get_enabled() to obtain and enable a clock, the devm framework takes full responsibility for the clock's lifecycle—including disabling and freeing it when the driver is detached or when an error occurs during probe.
The vulnerable code path incorrectly added explicit calls to clk_disable_unprepare() in both the probe error path and the aml_rtc_remove() function. This results in the clock being freed twice: once by the manual call and again by the devm framework when it performs cleanup.
Double free vulnerabilities can corrupt memory allocator metadata, potentially leading to use-after-free conditions, kernel panics, or in certain scenarios, arbitrary code execution with kernel privileges.
Root Cause
The root cause is redundant resource cleanup code that conflicts with the devm-managed resource lifecycle. The devm_clk_get_enabled() function automatically registers cleanup callbacks with the devres framework. When the driver manually calls clk_disable_unprepare(), it prematurely releases the clock resource, and when devres later attempts its automatic cleanup, the already-freed memory is accessed again.
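The lifecycle conflict described above, as an added userspace model in C (not the driver's or the kernel's own code). The model_* functions, the counters and the sys_clk name are assumptions that stand in for the clock framework and devres; the redundant second release is recorded as an "unbalanced" count.

```c
#include <stdio.h>

/* Userspace model (constructed): counters stand in for real clock state. */
struct clk { int prepared; int enabled; int unbalanced; };

/* Model of clk_disable_unprepare(): flags a call with nothing left to release. */
static void model_clk_disable_unprepare(struct clk *c)
{
    if (c->enabled == 0 || c->prepared == 0) { c->unbalanced++; return; }
    c->enabled--;
    c->prepared--;
}

/* Model of a devres list: one release action registered per managed clock. */
struct devres { struct clk *managed[4]; int n; };

/* Model of devm_clk_get_enabled(): enable the clock and register its release. */
static struct clk *model_devm_clk_get_enabled(struct devres *d, struct clk *c)
{
    c->prepared++;
    c->enabled++;
    d->managed[d->n++] = c;
    return c;
}

/* Model of devres teardown, which runs on probe failure and on driver detach. */
static void model_devres_release_all(struct devres *d)
{
    while (d->n > 0)
        model_clk_disable_unprepare(d->managed[--d->n]);
}

/* One bind/unbind cycle; returns how many unbalanced releases the clock saw. */
static int run_bind_unbind(int manual_cleanup)
{
    struct clk sys_clk = {0};            /* hypothetical clock instance */
    struct devres res = { .n = 0 };
    struct clk *c = model_devm_clk_get_enabled(&res, &sys_clk);
    if (manual_cleanup)                  /* pre-fix error path / remove() */
        model_clk_disable_unprepare(c);
    model_devres_release_all(&res);      /* devres cleanup always runs */
    return sys_clk.unbalanced;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", run_bind_unbind(1), run_bind_unbind(0));
    return 0;
}
```

With manual_cleanup set, the model covers both the probe error path and the remove function, since in each case the manual call is followed by the devres release of the same clock.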
Attack Vector
The attack vector for this vulnerability is limited. Exploitation would require:
- Physical access to a system with Amlogic A4 RTC hardware, or
- The ability to trigger driver probe failures or module unloading on an affected system
While the vulnerability's direct exploitability is constrained by these requirements, double free conditions can potentially be chained with other vulnerabilities for privilege escalation. The fix removes the redundant clk_disable_unprepare() calls from the probe error path and aml_rtc_remove() function, allowing the devm framework to exclusively manage the clock lifecycle.
Detection Methods for CVE-2025-68754
Indicators of Compromise
- Kernel oops or panic messages referencing the rtc-amlogic-a4 driver
- Memory corruption errors in kernel logs related to RTC subsystem
- Unexpected system crashes or reboots on Amlogic A4-based devices
- Double free warnings in kernel memory debugging output (KASAN)
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) to detect double free conditions at runtime
- Monitor kernel logs (dmesg) for memory corruption errors in RTC driver context
- Audit loaded modules for rtc-amlogic-a4 and verify kernel version against patched releases
- Use kernel live patching detection tools to verify patch status
Monitoring Recommendations
- Deploy kernel crash reporting tools (kdump, crash) to capture diagnostic information
- Implement centralized kernel log monitoring for memory subsystem errors
- Monitor for unexpected RTC driver module load/unload activity
- Enable kernel debugging features on development and testing systems
How to Mitigate CVE-2025-68754
Immediate Actions Required
- Update the Linux kernel to a version containing the fix
- If kernel update is not immediately possible, consider disabling the rtc-amlogic-a4 module if not required
- Monitor affected systems for stability issues until patch is applied
- Review kernel version compatibility with your hardware platform
Patch Information
The fix removes the redundant clk_disable_unprepare() calls from the probe error path and aml_rtc_remove() function, allowing the devm framework to automatically manage the clock lifecycle as intended. Patches are available through the following kernel git commits:
Workarounds
- Blacklist the rtc-amlogic-a4 module if RTC functionality is not critical for your application
- Use an alternative timekeeping mechanism while awaiting kernel update
- Avoid triggering module unload/reload cycles on affected systems
- Consider using a userspace RTC daemon as a temporary alternative
# Blacklist the affected module if not required
echo "blacklist rtc-amlogic-a4" | sudo tee /etc/modprobe.d/blacklist-rtc-amlogic.conf
sudo update-initramfs -u

