CVE-2023-54044

Root

Cause The vulnerability is in the Linux kernel's SPMI (System Power Management Interface) bus driver. When the kernel removes an SPMI driver, it unconditionally calls the driver's remove callback. However, some drivers, especially those that rely entirely on devm_ (managed device resource) APIs for allocation and do not require explicit teardown, may not define a remove callback, leaving the function pointer NULL [1][3]. The code in spmi_drv_remove does not check for this case before invoking the callback, leading to a NULL pointer dereference [1].

Exploitation

Context The bug is triggered during normal driver unloading, for example when the qcom_spmi_pmic module is removed. The call trace shows a crash in spmi_drv_remove that propagates through the driver core and module deletion syscall [1]. No special privileges or network access are required — any user or process capable of unloading an SPMI driver (typically root) can trigger the panic. The issue is local and requires the ability to issue a delete_module operation on a vulnerable driver.

Impact

A successful trigger results in a kernel panic, causing a denial of service (DoS) on the system. The crash is completely reproducible on kernels without the fix when an SPMI driver lacking a remove callback is unloaded [1]. The impact is limited to availability; integrity and confidentiality are not directly affected.

Mitigation

The fix adds a simple NULL check before calling the remove callback in spmi_drv_remove [1][3]. Kernel stable branches have backported the patch (commits b56eef3e16d8, 699949219e35, and b95a69214dae) [1][2][3]. Administrators should update to a kernel version containing the fix. No workarounds are available other than avoiding unloading affected SPMI drivers.