CVE-2026-46255 Overview
CVE-2026-46255 affects the Linux kernel fsl-edma DMA engine driver. The vulnerability results from redundant clock disable operations during driver removal. Clocks managed by fsl_edma_engine::muxclk are allocated using devm_clk_get_enabled(), which provides automatic cleanup through the device-managed resource framework. The fsl_edma_remove() function then disables these same clocks a second time, producing kernel warnings such as edma_module already disabled and edma_module already unprepared. Maintainers resolved the issue by removing the explicit fsl_disable_clocks() call from the remove path.
Critical Impact
The flaw triggers kernel warnings and stack traces during fsl-edma module unload on Freescale enhanced DMA controllers, affecting driver lifecycle integrity on embedded NXP/Freescale platforms.
Affected Products
- Linux kernel containing the fsl-edma dmaengine driver
- Platforms using Freescale/NXP enhanced DMA (eDMA) controllers
- Stable kernel branches receiving the referenced backport commits
Discovery Timeline
- 2026-06-03 - CVE-2026-46255 published to the National Vulnerability Database
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46255
Vulnerability Analysis
The defect lives in the Freescale enhanced DMA (fsl-edma) driver under drivers/dma/. The driver registers its mux clocks through devm_clk_get_enabled(), a device-managed helper that prepares and enables a clock and automatically unprepares and disables it when the device is torn down. The driver also calls fsl_disable_clocks() from fsl_edma_remove(), performing a manual disable on the same clock references.
When the driver unloads, the manual disable executes first and decrements the enable count to zero. The devres cleanup subsequently attempts a second disable on an already-disabled clock, triggering WARN() macros at drivers/clk/clk.c:1200 (clk_core_disable) and drivers/clk/clk.c:1059 (clk_core_unprepare). The kernel emits a stack trace through clk_disable, clk_unprepare, and fsl_edma_remove.
Root Cause
The root cause is duplicate resource release. Mixing device-managed clock acquisition with manual teardown produces an imbalanced enable/disable count. The driver assumed responsibility for clock teardown that the devres subsystem already owned.
Attack Vector
No remote or unprivileged attack vector is associated with this defect. The condition surfaces during legitimate driver removal, such as rmmod fsl_edma or device unbind operations performed by privileged users. The impact is limited to kernel log noise and warning backtraces rather than memory corruption or privilege escalation.
The vulnerability is described in prose because no exploit code is applicable. Refer to the upstream commits for the source-level fix, including Kernel Git Commit 533d495 and Kernel Git Commit bda2448.
Detection Methods for CVE-2026-46255
Indicators of Compromise
- Kernel log entries containing edma_module already disabled produced during fsl-edma removal.
- Kernel log entries containing edma_module already unprepared following module unload.
- WARNING backtraces referencing clk_core_disable+0x198/0x1c8 or clk_core_unprepare+0x1f8/0x220 originating from fsl_edma_remove.
Detection Strategies
- Parse dmesg and /var/log/kern.log for the warning strings emitted from drivers/clk/clk.c lines 1059 and 1200.
- Inventory running kernels on NXP/Freescale-based embedded systems and compare build commit hashes against the fixed stable backports.
- Track module unload and device unbind events on systems that load fsl_edma to correlate with warning bursts.
Monitoring Recommendations
- Forward kernel ring buffer messages to a centralized log platform for searchable retention.
- Alert on new WARNING: CPU: entries that include fsl_edma_remove in the call trace.
- Track kernel package versions across embedded fleets to confirm patch adoption.
How to Mitigate CVE-2026-46255
Immediate Actions Required
- Update affected kernels to a stable release that incorporates the upstream fsl-edma clock cleanup fix.
- Audit downstream and vendor BSP kernels that include fsl-edma for the redundant fsl_disable_clocks() invocation in fsl_edma_remove().
- Rebuild and redeploy custom kernels for NXP/Freescale platforms after applying the patch.
Patch Information
The fix removes the explicit fsl_disable_clocks() call from fsl_edma_remove(), allowing devm_clk_get_enabled() cleanup to disable and unprepare the clocks exactly once. The change is distributed across the following commits: Kernel Git Commit 533d495, Kernel Git Commit 666c53e, Kernel Git Commit 68feac2, Kernel Git Commit b84dba6, and Kernel Git Commit bda2448.
Workarounds
- Avoid unloading or unbinding the fsl_edma driver on production systems running unpatched kernels.
- Suppress noisy warnings only with dmesg -n log-level tuning if patching is temporarily blocked; this hides symptoms without fixing the imbalance.
# Verify kernel version and check for the fsl_edma module
uname -r
lsmod | grep fsl_edma
# Inspect kernel ring buffer for the warning signatures
dmesg | grep -E 'edma_module already (disabled|unprepared)'
dmesg | grep -E 'fsl_edma_remove'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
