Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's Cadence QSPI driver can lead to a kernel crash when the driver is unbound during active indirect read or write operations. The driver does not properly handle removal of a device that is still busy, in particular when the root user forces the removal. The vulnerability affects the Linux kernel stable tree.
The vulnerability can cause a kernel crash, disrupting system operations and potentially leading to a denial of service.
To reproduce this vulnerability, load the Cadence QSPI driver and initiate indirect read or write operations. While these operations are in progress, force the driver to unbind, which will result in a kernel crash. This can be done by removing the device from the bus using a command that forces device removal, available to the root user.
The vulnerability has been addressed by implementing a reference counting mechanism in the Cadence QSPI driver. This change allows the driver to manage device removal more gracefully, ensuring that all ongoing operations are completed before the device is unbound. Users should update to the latest version of the Linux kernel where this fix has been applied.
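The reference-counting idea described above, as a single-threaded userspace C model. This is an added illustration, not the kernel's driver code; `qspi_model`, `model_put`, `op_begin` and `model_remove` are hypothetical names. It assumes teardown is deferred to the last reference drop, where a real remove path would instead block until the count drains.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical stand-in for a driver's per-device state (not kernel code). */
struct qspi_model {
    atomic_int refs;       /* 1 while bound, +1 per in-flight operation */
    atomic_bool removing;  /* set once unbind has been requested */
    bool resources_live;   /* stands in for clocks, MMIO and DMA mappings */
};

static void model_init(struct qspi_model *d) {
    atomic_init(&d->refs, 1);
    atomic_init(&d->removing, false);
    d->resources_live = true;
}

/* Drop one reference (operation finished, or unbind); the last drop tears down. */
static bool model_put(struct qspi_model *d) {
    if (atomic_fetch_sub(&d->refs, 1) != 1) return false;
    d->resources_live = false;
    return true;
}

/* Start an indirect read/write: take a reference unless the count is zero. */
static int op_begin(struct qspi_model *d) {
    int old = atomic_load(&d->refs);
    do {
        if (old == 0) return -ENODEV;            /* already torn down */
    } while (!atomic_compare_exchange_weak(&d->refs, &old, old + 1));
    if (atomic_load(&d->removing)) {             /* unbind started: back out */
        model_put(d);
        return -ENODEV;
    }
    return 0;
}

/* Unbind: refuse new work, then drop the bind-time reference. Returns true
 * if teardown ran now, false if it is deferred to the last model_put(). */
static bool model_remove(struct qspi_model *d) {
    atomic_store(&d->removing, true);
    return model_put(d);
}

int main(void) {
    struct qspi_model d; model_init(&d);
    op_begin(&d);                     /* a transfer is in flight */
    bool early = model_remove(&d);    /* must not tear down yet */
    return (!early && d.resources_live && model_put(&d)) ? 0 : 1;
}
```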