CVE-2023-54220
Description
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250: Fix oops for port->pm on uart_change_pm()
Unloading a hardware specific 8250 driver can produce error "Unable to handle kernel paging request at virtual address" about ten seconds after unloading the driver. This happens on uart_hangup() calling uart_change_pm().
Turns out commit 04e82793f068 ("serial: 8250: Reinit port->pm on port specific driver unbind") was only a partial fix. If the hardware specific driver has initialized port->pm function, we need to clear port->pm too. Just reinitializing port->ops does not do this. Otherwise serial8250_pm() will call port->pm() instead of serial8250_do_pm().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unloading a hardware-specific 8250 serial driver can cause a kernel oops due to a dangling port->pm pointer; the fix clears port->pm on driver unbind.
Root Cause
When a hardware-specific 8250 serial driver is unloaded, the port->pm function pointer is not cleared, leaving a dangling reference. After the driver is removed, a subsequent call to uart_change_pm() (e.g., during uart_hangup()) finds port->pm still set to the now-unloaded driver's callback and invokes it. This causes the kernel to jump to an invalid address, resulting in an oops. A prior fix (commit 04e82793f068) only reinitialized port->ops, but did not address port->pm [1][2][3][4].
Exploitation
An attacker would need the ability to a) load and unload a hardware-specific 8250 driver, and b) trigger a hangup on the corresponding serial port. This requires local access and the ability to manipulate kernel modules. No special privileges beyond the ability to unload the driver are needed; the oops occurs automatically during normal port teardown.
Impact
A successful trigger results in a kernel oops (NULL pointer dereference or invalid page access), causing a denial of service (system crash or hang). There is no evidence of code execution or privilege escalation from this bug.
Mitigation
The fix is to clear port->pm (set it to NULL) when a hardware-specific 8250 driver is unbound, ensuring that serial8250_pm() falls back to serial8250_do_pm() instead of calling the stale pointer. The patch has been applied to the stable kernel trees [1][2][3][4]. Users should update to a kernel containing the fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
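The dispatch described above, as an added user-space C model (not kernel code and not part of the original advisory): it shows why resetting only port->ops leaves serial8250_pm() calling the unloaded driver's hook. The helpers unbind_hw_driver() and hangup_after_unbind(), the hw_module_loaded flag, and the counters are hypothetical names introduced for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; uart_port, ops and pm mirror names used in the CVE text. */
struct uart_port;
typedef void (*pm_fn)(struct uart_port *, unsigned int state);
struct uart_port {
    const char *ops;  /* stands in for port->ops */
    pm_fn pm;         /* optional hardware-specific PM hook (port->pm) */
};

static bool hw_module_loaded;           /* assumption: models the hw driver's code being present */
static int stale_calls, generic_calls;  /* a stale call would be an oops in the kernel */

static void hw_pm(struct uart_port *p, unsigned int state) {
    (void)p; (void)state;
    if (!hw_module_loaded) stale_calls++;   /* reached after the driver is gone */
}

static void serial8250_do_pm(struct uart_port *p, unsigned int state) {
    (void)p; (void)state;
    generic_calls++;
}

/* Dispatch as the description states: port->pm() if set, else serial8250_do_pm(). */
static void serial8250_pm(struct uart_port *p, unsigned int state) {
    if (p->pm) p->pm(p, state);
    else serial8250_do_pm(p, state);
}

/* Hypothetical unbind helper: clear_pm=false models the earlier partial fix. */
static void unbind_hw_driver(struct uart_port *p, bool clear_pm) {
    p->ops = "generic";              /* port->ops is reinitialized either way */
    if (clear_pm) p->pm = NULL;      /* the additional step this CVE's fix adds */
    hw_module_loaded = false;
}

/* Returns how many PM calls landed in the unloaded driver's callback. */
static int hangup_after_unbind(bool clear_pm) {
    struct uart_port port = { .ops = "hw", .pm = hw_pm };
    hw_module_loaded = true;
    stale_calls = generic_calls = 0;
    unbind_hw_driver(&port, clear_pm);
    serial8250_pm(&port, 0);         /* the later uart_hangup() -> uart_change_pm() path */
    return stale_calls;
}

int main(void) {
    printf("ops only:   %d stale call(s)\n", hangup_after_unbind(false));
    printf("ops and pm: %d stale call(s)\n", hangup_after_unbind(true));
    return 0;
}
```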
Affected products (1)
Patches (8)
66f3e5596069, 720a297b334e, b653289ca646, bd70d0b28010, 18e27df4f2b4, 0c05493341d6, 375806616f8c, dfe2aeb226fd
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/0c05493341d6f2097f75f0a5dbb7b53a9e8c5f6c (nvd)
- git.kernel.org/stable/c/18e27df4f2b4e257c317ba8076f31a888f6cc64b (nvd)
- git.kernel.org/stable/c/375806616f8c772c33d40e112530887b37c1a816 (nvd)
- git.kernel.org/stable/c/66f3e55960698c874b0598277913b478ecd29573 (nvd)
- git.kernel.org/stable/c/720a297b334e85d34099e83d1f375b92c3efedd6 (nvd)
- git.kernel.org/stable/c/b653289ca6460a6552c8590b75dfa84a0140a46b (nvd)
- git.kernel.org/stable/c/bd70d0b28010d560a8be96b44fea86fe2ba016ae (nvd)
- git.kernel.org/stable/c/dfe2aeb226fd5e19b0ee795f4f6ed8bc494c1534 (nvd)