VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68238

Description

In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: cadence: fix DMA device NULL pointer dereference

The DMA device pointer dma_dev was being dereferenced before ensuring that cdns_ctrl->dmac is properly initialized.

Move the assignment of dma_dev after successfully acquiring the DMA channel to ensure the pointer is valid before use.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's Cadence NAND driver occurs when the DMA device pointer is used before DMA channel initialization.

Root Cause

In the Cadence raw NAND controller driver (drivers/mtd/nand/raw/cadence-nand-controller.c), the DMA device pointer dma_dev was being dereferenced before verifying that the DMA channel (cdns_ctrl->dmac) had been successfully acquired. This ordering flaw leads to a NULL pointer dereference when the DMA channel acquisition fails or is not yet complete.

Exploitation

An attacker would need local access to the system and the ability to trigger the NAND controller initialization path, typically through mounting a filesystem on a NAND device or performing NAND operations. No special privileges are required beyond the ability to interact with the MTD subsystem. The vulnerability manifests during the probe or DMA setup phase.

Impact

A successful exploit results in a kernel NULL pointer dereference, causing a system crash (denial of service). In some configurations, this could potentially be leveraged for privilege escalation if the attacker can control the dereferenced pointer, though the primary impact is system instability.

Mitigation

The fix moves the assignment of dma_dev to after the DMA channel is successfully acquired, ensuring the pointer is valid before use. This patch has been backported to stable kernel trees as commits [1][2][3]. Users should update to the latest stable kernel version containing the fix.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
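
The ordering problem and its fix, as an added userspace C model that is not the driver's code or the upstream patch. Only `dma_dev` and `cdns_ctrl->dmac` come from the advisory; the struct layouts, `request_chan`, the `-EBUSY` return and the `init_*`/`demo_*` names are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed userspace stand-ins for the kernel objects (assumed layouts). */
struct device { int id; };
struct dma_device { struct device *dev; };
struct dma_chan { struct dma_device *device; };
struct cdns_ctrl_model { struct dma_chan *dmac; struct device *map_dev; };

/* Hypothetical channel request: NULL means no channel could be acquired. */
static struct dma_chan *request_chan(struct dma_chan *avail) { return avail; }

/* "Before" ordering: dma_dev is read through cdns_ctrl->dmac ahead of the
 * acquisition. Kept for comparison only and never called below, because
 * with dmac still NULL the first line dereferences a NULL pointer. */
int init_before(struct cdns_ctrl_model *cdns_ctrl, struct dma_chan *avail)
{
    struct dma_device *dma_dev = cdns_ctrl->dmac->device; /* too early */

    cdns_ctrl->dmac = request_chan(avail);
    if (!cdns_ctrl->dmac)
        return -EBUSY;
    cdns_ctrl->map_dev = dma_dev->dev;
    return 0;
}

/* "After" ordering: acquire the channel, check it, then derive dma_dev. */
int init_after(struct cdns_ctrl_model *cdns_ctrl, struct dma_chan *avail)
{
    struct dma_device *dma_dev;

    cdns_ctrl->dmac = request_chan(avail);
    if (!cdns_ctrl->dmac)
        return -EBUSY;                 /* fail cleanly, nothing dereferenced */
    dma_dev = cdns_ctrl->dmac->device; /* dmac is known to be valid here */
    cdns_ctrl->map_dev = dma_dev->dev;
    return 0;
}

/* Drive init_after with no channel available, then with a valid one. */
int demo_no_channel(void) { struct cdns_ctrl_model c = {0}; return init_after(&c, NULL); }
int demo_with_channel(void)
{
    struct device d = { 1 };
    struct dma_device dd = { &d };
    struct dma_chan ch = { &dd };
    struct cdns_ctrl_model c = {0};
    return init_after(&c, &ch) == 0 && c.map_dev == &d ? 0 : -1;
}
```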

Affected products

2

References

7
