CVE-2026-23207

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: tegra210-quad: Protect curr_xfer check in IRQ handler<br /> <br /> Now that all other accesses to curr_xfer are done under the lock,<br /> protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the<br /> spinlock. Without this protection, the following race can occur:<br /> <br /> CPU0 (ISR thread) CPU1 (timeout path)<br /> ---------------- -------------------<br /> if (!tqspi-&gt;curr_xfer)<br /> // sees non-NULL<br /> spin_lock()<br /> tqspi-&gt;curr_xfer = NULL<br /> spin_unlock()<br /> handle_*_xfer()<br /> spin_lock()<br /> t = tqspi-&gt;curr_xfer // NULL!<br /> ... t-&gt;len ... // NULL dereference!<br /> <br /> With this patch, all curr_xfer accesses are now properly synchronized.<br /> <br /> Although all accesses to curr_xfer are done under the lock, in<br /> tegra_qspi_isr_thread() it checks for NULL, releases the lock and<br /> reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().<br /> There is a potential for an update in between, which could cause a NULL<br /> pointer dereference.<br /> <br /> To handle this, add a NULL check inside the handlers after acquiring<br /> the lock. This ensures that if the timeout path has already cleared<br /> curr_xfer, the handler will safely return without dereferencing the<br /> NULL pointer.