Théo Lebrun

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the `->runtime suspend()` and `->runtime resume()` callbacks in the cadence-qspi driver. These callbacks are not expected to call `spi controller suspend()` and `spi controller resume()`. The problem arises because `->runtime resume()` is called in a context where the lock is already taken, leading to a deadlock. This occurs in the `->exec op()` callback, where the usage count is incremented. As a result, all operations would be disallowed once the device is auto-suspended. The vulnerability is associated with a mutex deadlock, which can be highlighted by a call tree involving `spi mem exec op()`, `spi mem access start()`, `cqspi exec mem op()`, `pm runtime resume and get()`, `cqspi resume()`, and `spi controller resume()`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the cadence-quadspi driver in the Linux kernel. The `->runtime suspend()` and `->runtime resume()` implementations start with incorrect assignments, leading to memory corruption and kernel crashes. The `struct spi controller *host = dev get drvdata(dev);` line is incorrect, as it makes the `host` point to the same `struct cqspi st` structure as `cqspi`, instead of a `struct spi controller`. This leads to bad things, such as memory corruption and kernel crashes, directly during the `->probe()` function, as it enables the device using PM runtime, leading to the `->runtime resume()` hook being called, which in turn calls `spi controller resume()` with the wrong pointer. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.