CVE-2024-26807

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
04/04/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Both cadence-quadspi ->runtime_suspend() and ->runtime_resume() implementations start with:

    struct cqspi_st *cqspi = dev_get_drvdata(dev);
    struct spi_controller *host = dev_get_drvdata(dev);

This obviously cannot be correct, unless "struct cqspi_st" is the first member of "struct spi_controller", or the other way around, but it is not the case. "struct spi_controller" is allocated by devm_spi_alloc_host(), which allocates an extra amount of memory for private data, used to store "struct cqspi_st".

The ->probe() function of the cadence-quadspi driver then sets the device drvdata to store the address of the "struct cqspi_st" structure. Therefore:

    struct cqspi_st *cqspi = dev_get_drvdata(dev);

is correct, but:

    struct spi_controller *host = dev_get_drvdata(dev);

is not, as it makes "host" point not to a "struct spi_controller" but to the same "struct cqspi_st" structure as above.

This obviously leads to bad things (memory corruption, kernel crashes) directly during ->probe(), as ->probe() enables the device using PM runtime, leading to the ->runtime_resume() hook being called, which in turn calls spi_controller_resume() with the wrong pointer.

This has at least been reported [0] to cause a kernel crash, but the exact behavior will depend on the memory contents.

[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/

This issue potentially affects all platforms that are currently using the cadence-quadspi driver.
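The layout mix-up described above, modelled in a self-contained C program added here for illustration (it is not kernel code): the controller stand-in is allocated with private data placed directly behind it, probe() stores the private struct in drvdata, and the two runtime PM patterns are compared. The struct names and fields (including the cqspi_st->host back-pointer used by the corrected pattern) are simplified assumptions, not the real kernel definitions.

```c
#include <stdint.h>
#include <stdlib.h>

struct dev { void *drvdata; };                        /* stand-in for struct device */
static void *dev_get_drvdata(struct dev *dev) { return dev->drvdata; }

struct spi_controller {                               /* stand-in for the real struct */
    uint32_t bus_num;
    /* driver-private data is placed directly behind this struct */
};

struct cqspi_st {                                     /* stand-in for the driver's private state */
    struct spi_controller *host;                      /* back-pointer filled in by probe() (assumed) */
    uint32_t fifo_depth;
};

/* Models devm_spi_alloc_host(): one allocation holding the controller plus
 * priv_size bytes of private data right behind it. */
static struct spi_controller *spi_alloc_host(size_t priv_size)
{ return calloc(1, sizeof(struct spi_controller) + priv_size); }

static void *spi_controller_get_devdata(struct spi_controller *host)
{ return (char *)host + sizeof(*host); }

/* Models the driver's probe(): drvdata stores the *private* struct. */
static struct spi_controller *cqspi_probe(struct dev *dev)
{
    struct spi_controller *host = spi_alloc_host(sizeof(struct cqspi_st));
    if (!host) return NULL;
    struct cqspi_st *cqspi = spi_controller_get_devdata(host);
    host->bus_num = 2;
    cqspi->host = host;
    cqspi->fifo_depth = 128;
    dev->drvdata = cqspi;
    return host;
}

/* Pattern from the vulnerable runtime PM hooks: drvdata is reinterpreted as
 * the controller, so the result actually points at struct cqspi_st. */
static struct spi_controller *host_from_drvdata_buggy(struct dev *dev)
{ return dev_get_drvdata(dev); }

/* Correct pattern: read the private struct drvdata really holds and follow
 * its back-pointer to the controller. */
static struct spi_controller *host_from_drvdata_fixed(struct dev *dev)
{
    struct cqspi_st *cqspi = dev_get_drvdata(dev);
    return cqspi->host;
}
```

Any field read through the buggy pointer (bus_num here) is really reading the first bytes of struct cqspi_st, which is why the reported behaviour depends on memory contents.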

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.4 (including) 6.6.21 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.9 (excluding)
cpe:2.3:o:linux:linux_kernel:4.19.283:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.4.243:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.10.180:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15.111:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1.28:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2.15:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.3.2:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*