CVE-2024-26806

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: The issue is related to the ->runtime suspend() and ->runtime resume() callbacks in the cadence-qspi driver. These callbacks are not expected to call spi controller suspend() and spi controller resume(). The problem arises because ->runtime resume() is called in a context where the lock is already taken, leading to a deadlock. This occurs in the ->exec op() callback, where the usage count is incremented. As a result, all operations would be disallowed once the device is auto-suspended. The vulnerability is associated with a mutex deadlock, which can be highlighted by a call tree involving spi mem exec op(), spi mem access start(), cqspi exec mem op(), pm runtime resume and get(), cqspi resume(), and spi controller resume().

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.