CVE-2024-26807: spi: cadence-qspi: fix pointer reference in runtime PM hooks
In the Linux kernel, the following vulnerability has been resolved:
Both cadence-quadspi ->runtime_suspend() and ->runtime_resume()
implementations start with:
struct cqspi_st *cqspi = dev_get_drvdata(dev);
struct spi_controller *host = dev_get_drvdata(dev);
This obviously cannot be correct, unless "struct cqspi_st" is the
first member of " struct spi_controller", or the other way around, but
it is not the case. "struct spi_controller" is allocated by
devm_spi_alloc_host(), which allocates an extra amount of memory for
private data, used to store "struct cqspi_st".
The ->probe() function of the cadence-quadspi driver then sets the
device drvdata to store the address of the "struct cqspi_st"
structure. Therefore:
struct cqspi_st *cqspi = dev_get_drvdata(dev);
is correct, but:
struct spi_controller *host = dev_get_drvdata(dev);
is not, as it makes "host" point not to a "struct spi_controller" but
to the same "struct cqspi_st" structure as above.
This obviously leads to bad things (memory corruption, kernel crashes)
directly during ->probe(), as ->probe() enables the device using PM
runtime, leading the ->runtime_resume() hook being called, which in
turns calls spi_controller_resume() with the wrong pointer.
This has at least been reported [0] to cause a kernel crash, but the
exact behavior will depend on the memory contents.
[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/
This issue potentially affects all platforms that are currently using
the cadence-quadspi driver.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel bug in the Cadence QuadSPI flash driver. On systems using that driver, power-management startup can pass the wrong internal pointer, causing memory corruption or a kernel crash during device probing. Evidence points to stability impact on affected platforms with this hardware path, not a broadly internet-facing flaw.
Executive priority
Handle through normal kernel patch governance, with higher priority for products or appliances relying on Cadence QuadSPI storage. There is no cited active exploitation, but crashes during hardware initialization can affect service availability and device reliability.
Technical view
The cadence-quadspi runtime PM hooks incorrectly treat device drvdata as both struct cqspi_st and struct spi_controller. Probe stores cqspi_st, so spi_controller_resume() receives the wrong pointer during runtime resume. The source reports memory corruption and at least one kernel crash, with behavior dependent on memory contents.
Likely exposure
Exposure is likely limited to Linux systems using the cadence-quadspi driver, commonly embedded or SoC platforms with Cadence QuadSPI flash controllers. Systems not building or loading this driver are unlikely to be exposed based on the provided sources.
Exploitation context
The source bundle does not show KEV listing, public exploitation, or a remote attack path. The reported impact occurs during device probing and runtime power-management handling. Treat this as a platform stability and kernel integrity issue unless vendor evidence says otherwise.
Researcher notes
The key condition is drvdata type confusion in runtime PM callbacks, not a generic SPI issue. The CVE text says all platforms using cadence-quadspi may be affected, but exact behavior depends on memory layout and contents. No CVSS, CWE, or exploitability detail is provided.
Mitigation direction
Update to a Linux kernel containing the referenced stable fixes.
Check distribution advisories, including Debian LTS, for patched kernel packages.
Prioritize affected hardware platforms that load cadence-quadspi.
If updates are unavailable, seek vendor guidance for safe operational workarounds.
Validation and detection
Inventory kernels and confirm whether cadence-quadspi is built or loaded.
Compare deployed kernel versions against vendor fixed releases and stable commits.
Review boot logs for cadence-quadspi probe failures or kernel crashes.
Confirm patched systems boot and exercise QuadSPI flash access normally.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-26807 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.