Unrated severityNVD Advisory· Published Jun 8, 2026

CVE-2026-46296

Description

Linux kernel SPI driver has a NULL-dereference vulnerability during driver unbind, fixed by removing incorrect DMA channel deallocation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel SPI driver has a NULL-dereference vulnerability during driver unbind, fixed by removing incorrect DMA channel deallocation.

Vulnerability

A NULL-pointer dereference vulnerability exists in the Linux kernel's s3c64xx SPI driver. This occurs because a change that moved DMA channel allocation from probe() to s3c64xx_spi_prepare_transfer() failed to remove the corresponding deallocation from the remove() function. This affects versions of the kernel where this incorrect deallocation logic is present.

Exploitation

An attacker would need to trigger the driver unbind process. This typically occurs when the device is being removed or the system is shutting down. The vulnerability is triggered by the incorrect DMA channel deallocation logic within the remove() function, leading to a NULL-pointer dereference.

Impact

Triggering the NULL-pointer dereference during driver unbind can lead to a kernel crash. This crash results in a denial of service, making the system unstable or inaccessible.

Mitigation

The vulnerability has been resolved by removing the incorrect DMA channel release from the remove() function. The fix can be found in the Linux kernel at commit 45daacbead8a009844bd5dba6cfa731332184d17 [1]. Users should update to a kernel version containing this fix. No workarounds are available, and the issue is not listed as part of the Known Exploited Vulnerabilities (KEV) catalog.

References

Making sure you're not a bot!

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Linux/Kernelllm-fuzzy

Patches

22788b1a8611

spi: s3c64xx: fix NULL-deref on driver unbind

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJohan HovoldApr 10, 2026Fixed in 7.0.7via kernel-cna

commit

1 file changed · +0 −6

drivers/spi/spi-s3c64xx.c+0 −6 modified

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index ba85243d6d89c..96f39b5ae9dff 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1401,11 +1401,6 @@ static void s3c64xx_spi_remove(struct platform_device *pdev)
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
-- 
cgit 1.3-korg

45daacbead8a

spi: s3c64xx: fix NULL-deref on driver unbind

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJohan HovoldApr 10, 2026Fixed in 7.1-rc1via kernel-cna

commit

1 file changed · +0 −6

drivers/spi/spi-s3c64xx.c+0 −6 modified

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index 95b61264b6799..37176e557099d 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1403,11 +1403,6 @@ static void s3c64xx_spi_remove(struct platform_device *pdev)
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
-- 
cgit 1.3-korg

1108b8722b9f

spi: s3c64xx: fix NULL-deref on driver unbind

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJohan HovoldApr 10, 2026Fixed in 6.6.140via kernel-cna

commit

1 file changed · +0 −6

drivers/spi/spi-s3c64xx.c+0 −6 modified

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index f699ce1b40253..07b9e02db1221 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1338,11 +1338,6 @@ static void s3c64xx_spi_remove(struct platform_device *pdev)
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
-- 
cgit 1.3-korg

323a258f4b19

spi: s3c64xx: fix NULL-deref on driver unbind

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJohan HovoldApr 10, 2026Fixed in 6.12.88via kernel-cna

commit

1 file changed · +0 −6

drivers/spi/spi-s3c64xx.c+0 −6 modified

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index 8c9e5e97041f9..7bc58010ce98f 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1404,11 +1404,6 @@ static void s3c64xx_spi_remove(struct platform_device *pdev)
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
-- 
cgit 1.3-korg

1b66f16a571a

spi: s3c64xx: fix NULL-deref on driver unbind

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJohan HovoldApr 10, 2026Fixed in 6.18.30via kernel-cna

commit

1 file changed · +0 −6

drivers/spi/spi-s3c64xx.c+0 −6 modified

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index aab36c779c06a..33c80daec5f6b 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1402,11 +1402,6 @@ static void s3c64xx_spi_remove(struct platform_device *pdev)
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
-- 
cgit 1.3-korg

45daacbead8a

spi: s3c64xx: fix NULL-deref on driver unbind

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJohan HovoldApr 10, 2026via nvd-ref

commit

1 file changed · +0 −6

drivers/spi/spi-s3c64xx.c+0 −6 modified

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index 95b61264b6799..37176e557099d 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1403,11 +1403,6 @@ static void s3c64xx_spi_remove(struct platform_device *pdev)
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
-- 
cgit 1.3-korg

1108b8722b9f

spi: s3c64xx: fix NULL-deref on driver unbind

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJohan HovoldApr 10, 2026via nvd-ref

commit

1 file changed · +0 −6

drivers/spi/spi-s3c64xx.c+0 −6 modified

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index f699ce1b40253..07b9e02db1221 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1338,11 +1338,6 @@ static void s3c64xx_spi_remove(struct platform_device *pdev)
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
-- 
cgit 1.3-korg

323a258f4b19

spi: s3c64xx: fix NULL-deref on driver unbind

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJohan HovoldApr 10, 2026via nvd-ref

commit

1 file changed · +0 −6

drivers/spi/spi-s3c64xx.c+0 −6 modified

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index 8c9e5e97041f9..7bc58010ce98f 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1404,11 +1404,6 @@ static void s3c64xx_spi_remove(struct platform_device *pdev)
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
-- 
cgit 1.3-korg

1b66f16a571a

spi: s3c64xx: fix NULL-deref on driver unbind

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJohan HovoldApr 10, 2026via nvd-ref

commit

1 file changed · +0 −6

drivers/spi/spi-s3c64xx.c+0 −6 modified

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index aab36c779c06a..33c80daec5f6b 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1402,11 +1402,6 @@ static void s3c64xx_spi_remove(struct platform_device *pdev)
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
-- 
cgit 1.3-korg

22788b1a8611

spi: s3c64xx: fix NULL-deref on driver unbind

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJohan HovoldApr 10, 2026via nvd-ref

commit

1 file changed · +0 −6

drivers/spi/spi-s3c64xx.c+0 −6 modified

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index ba85243d6d89c..96f39b5ae9dff 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1401,11 +1401,6 @@ static void s3c64xx_spi_remove(struct platform_device *pdev)
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"The driver incorrectly attempts to release DMA channels during the remove() function, even when those channels were not allocated."

Attack vector

An attacker can trigger this vulnerability by causing the driver to unbind from the device. This typically occurs during device removal or system shutdown procedures. The vulnerability is triggered when the driver attempts to deallocate DMA channels that were never successfully allocated in the first place, leading to a NULL-pointer dereference [patch_id=5239568].

Affected code

The vulnerability exists in the `drivers/spi/spi-s3c64xx.c` file within the `s3c64xx_spi_remove` function. Specifically, the code block responsible for releasing DMA channels was incorrectly retained after DMA channel allocation was moved to `s3c64xx_spi_prepare_transfer` [patch_id=5239568].

What the fix does

The patch removes the conditional DMA channel release logic from the s3c64xx_spi_remove() function [patch_id=5239568]. Previously, the driver would attempt to release DMA channels using dma_release_channel() if the device was not in polling mode. This was incorrect because the DMA channels were moved to s3c64xx_spi_prepare_transfer() and might not have been allocated, leading to a NULL-dereference when remove() was called.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026
Vypr Intelligence · Jun 8, 2026

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000