VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2025 · Updated Apr 15, 2026

CVE-2023-53758

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: atmel-quadspi: Free resources even if runtime resume failed in .remove()

An early error exit in atmel_qspi_remove() doesn't prevent the device unbind. So this results in an spi controller with an unbound parent and unmapped register space (because devm_ioremap_resource() is undone). So using the remaining spi controller probably results in an oops.

Instead unregister the controller unconditionally and only skip hardware access and clk disable.

Also add a warning about resume failing and return zero unconditionally. The latter has the only effect to suppress a less helpful error message by the spi core.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's spi-atmel-quadspi driver, a fix ensures resources are freed even when runtime resume fails during remove(), preventing use-after-free of register space.

Description

The atmel-quadspi SPI controller driver in the Linux kernel had a resource management flaw in its .remove() callback (atmel_qspi_remove()). If pm_runtime_resume() failed early in the removal path, the function returned an error without unregistering the SPI controller. The device unbind still completes, however, leaving a dangling SPI controller whose parent device is unbound and whose register mapping (set up by devm_ioremap_resource() and undone on unbind) has been torn down. This creates a use-after-free condition: any subsequent operation on the controller would access unmapped register space and likely cause a kernel oops [1][2].

Exploitation

Exploitation requires a scenario where runtime resume fails during device removal. This could be triggered by a malicious or faulty driver that forces a resume failure, or by hardware issues that prevent the device from waking. No special privileges are required for a local user to induce device removal if they have access to the device file or can trigger a driver unbind via sysfs. The attack surface is local; the vulnerability does not require network access.

Impact

An attacker who can cause the device to be removed while runtime resume fails could trigger a kernel oops (denial of service) or potentially exploit the use-after-free of the register mapping to achieve arbitrary memory read/write. The attack requires local access (no special capabilities are needed beyond the ability to unbind the device).

Mitigation

The fix, already applied to the Linux kernel stable tree, modifies atmel_qspi_remove() to unregister the SPI controller unconditionally, skipping hardware access and clock disabling if runtime resume fails. A warning is logged, and the removal function returns zero to suppress a misleading error from the SPI core [1][2]. Users should update their kernel to include this commit or a later version that contains the fix.
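The control-flow difference described above can be seen in a small user-space model. This is an added example, not the kernel driver's code or the upstream patch; the struct, the function names and the -5 failure code are hypothetical stand-ins, and the unbind step is simulated by clearing a flag.

```c
/* User-space model of the unbind flow (constructed, not kernel code; names hypothetical). */
#include <stdbool.h>
#include <stdio.h>

struct qspi_model {
    bool ctrl_registered; /* SPI controller still known to the SPI core */
    bool regs_mapped;     /* register mapping still valid */
    bool clk_enabled;
    int  hw_writes;       /* register accesses made during remove */
};

/* Before the fix. resume_ret models the runtime resume result (<0 = failure). */
static int remove_before(struct qspi_model *q, int resume_ret)
{
    if (resume_ret < 0)
        return resume_ret;    /* early exit: controller stays registered */
    q->ctrl_registered = false;
    q->hw_writes++;           /* quiesce the block through its registers */
    q->clk_enabled = false;
    return 0;
}

/* After the fix: unregister always; skip only hardware access and clk disable. */
static int remove_after(struct qspi_model *q, int resume_ret)
{
    q->ctrl_registered = false;
    if (resume_ret >= 0) {
        q->hw_writes++;
        q->clk_enabled = false;
    } else {
        fprintf(stderr, "model: runtime resume failed, skipping hw access\n");
    }
    return 0;                 /* always zero, as the fix description states */
}

/* Unbind proceeds whatever remove() returned; devm cleanup then unmaps. */
static bool dangling_after_unbind(int (*rm)(struct qspi_model *, int), int resume_ret)
{
    struct qspi_model q = { true, true, true, 0 };
    (void)rm(&q, resume_ret);
    q.regs_mapped = false;    /* the devm_ioremap_resource() mapping is undone */
    return q.ctrl_registered && !q.regs_mapped;
}

int main(void)
{
    printf("dangling controller: before=%d after=%d\n",
           dangling_after_unbind(remove_before, -5), dangling_after_unbind(remove_after, -5));
    return 0;
}
```

In the failing-resume case the pre-fix flow leaves a registered controller with no register mapping, while the post-fix flow leaves none and performs no register access.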

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 4

References: 4
