CVE-2023-54058
Description
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_ffa: Check if ffa_driver remove is present before executing
Currently ffa_drv->remove() is called unconditionally from ffa_device_remove(). Since the driver registration doesn't check for it and allows it to be registered without .remove callback, we need to check for the presence of it before executing it from ffa_device_remove() to above a NULL pointer dereference like the one below:
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000086000004 | EC = 0x21: IABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000 | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP | CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6 | Hardware name: FVP Base RevC (DT) | pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c) | pc : 0x0 | lr : ffa_device_remove+0x20/0x2c | Call trace: | 0x0 | device_release_driver_internal+0x16c/0x260 | driver_detach+0x90/0xd0 | bus_remove_driver+0xdc/0x11c | driver_unregister+0x30/0x54 | ffa_driver_unregister+0x14/0x20 | cleanup_module+0x18/0xeec | __arm64_sys_delete_module+0x234/0x378 | invoke_syscall+0x40/0x108 | el0_svc_common+0xb4/0xf0 | do_el0_svc+0x30/0xa4 | el0_svc+0x2c/0x7c | el0t_64_sync_handler+0x84/0xf0 | el0t_64_sync+0x190/0x194
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel's Arm FF-A driver calls ffa_drv->remove() unconditionally, causing a NULL pointer dereference when a driver with no remove callback is unloaded.
Vulnerability
The Arm Firmware Framework for A-profile (FF-A) driver in the Linux kernel invokes ffa_drv->remove() unconditionally within ffa_device_remove(). The driver registration does not mandate a .remove callback, so a driver can be registered without one. When such a driver is removed (e.g., via rmmod), the kernel attempts to call a NULL function pointer, leading to a kernel NULL pointer dereference [1].
Exploitation
An attacker with the ability to load and unload a malicious or buggy FF-A driver that lacks a .remove callback can trigger this crash. The prerequisite is local access sufficient to insert and remove kernel modules, typically requiring root privileges. No special network position is required; the attack is purely local. The vulnerability manifests during driver detachment, as shown in the call trace in the CVE description [1].
Impact
A successful trigger results in a kernel panic (NULL pointer dereference), causing a denial of service on the system. The crash halts all operations and may require a reboot to recover. No code execution or privilege escalation is indicated in the available sources [1].
Mitigation
The fix, introduced in the upstream Linux kernel, adds a NULL check before calling ffa_drv->remove(). The patches are contained in commits referenced as stable kernel updates [1][2]. System administrators should apply the latest stable kernel updates that include these commits. No specific workaround is documented; the vulnerability is mitigated by ensuring all FF-A drivers provide a .remove callback or by updating to a patched kernel.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
46a26c62625c5ad73dc7263ea48399c297c46b71b55248a58Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.