CVE-2024-26806: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks The ->runtime_suspend() and ->runtime_resume() callbacks are not expected to call spi_controller_suspend() and spi_controller_resume(). Remove calls to those in the cadence-qspi driver. Those helpers have two roles currently: - They stop/start the queue, including dealing with the kworker. - They toggle the SPI controller SPI_CONTROLLER_SUSPENDED flag. It requires acquiring ctlr->bus_lock_mutex. Step one is irrelevant because cadence-qspi is not queued. Step two however has two implications: - A deadlock occurs, because ->runtime_resume() is called in a context where the lock is already taken (in the ->exec_op() callback, where the usage count is incremented). - It would disallow all operations once the device is auto-suspended. Here is a brief call tree highlighting the mutex deadlock: spi_mem_exec_op() ... spi_mem_access_start() mutex_lock(&ctlr->bus_lock_mutex) cqspi_exec_mem_op() pm_runtime_resume_and_get() cqspi_resume() spi_controller_resume() mutex_lock(&ctlr->bus_lock_mutex) ... spi_mem_access_end() mutex_unlock(&ctlr->bus_lock_mutex) ...
AI Analysis
Technical Summary
CVE-2024-26806 is a vulnerability identified in the Linux kernel specifically affecting the cadence-qspi SPI controller driver. The issue arises from improper handling of runtime power management (PM) callbacks within the driver. The cadence-qspi driver incorrectly invokes system-wide suspend helper functions spi_controller_suspend() and spi_controller_resume() inside its runtime_suspend() and runtime_resume() callbacks. These helper functions manage the stopping and starting of the SPI queue and toggle the SPI_CONTROLLER_SUSPENDED flag, operations that require acquiring the ctlr->bus_lock_mutex mutex. However, cadence-qspi is a non-queued SPI controller, making the queue stop/start logic irrelevant. More critically, the invocation of spi_controller_resume() during runtime_resume() leads to a deadlock because the bus_lock_mutex is already held in the context of the exec_op() callback, which increments the usage count and calls pm_runtime_resume_and_get(). This mutex deadlock prevents the SPI controller from resuming properly after auto-suspend, effectively blocking all SPI operations on the device once it enters auto-suspend mode. The deadlock occurs because spi_controller_resume() attempts to acquire a mutex that is already locked higher up in the call stack, causing the kernel thread to hang indefinitely. This flaw can cause system instability or denial of service (DoS) conditions on affected systems using the cadence-qspi driver. The vulnerability has been addressed by removing the inappropriate calls to spi_controller_suspend() and spi_controller_resume() from the cadence-qspi driver's runtime PM hooks, thereby preventing the deadlock scenario. No known exploits are currently reported in the wild, and the vulnerability affects specific Linux kernel versions containing the faulty cadence-qspi driver implementation.
Potential Impact
For European organizations, the impact of CVE-2024-26806 primarily involves potential system instability or denial of service on devices running affected Linux kernel versions with the cadence-qspi SPI controller driver. This is particularly relevant for embedded systems, industrial control systems, or IoT devices that rely on this specific SPI controller for communication with peripherals. A deadlock in the SPI controller driver can halt critical device operations, leading to service interruptions or failures in operational technology environments. Organizations using Linux-based infrastructure in sectors such as manufacturing, telecommunications, or transportation may experience disruptions if their hardware platforms incorporate the cadence-qspi controller. Although this vulnerability does not appear to allow privilege escalation or remote code execution, the resulting DoS could impact availability of critical systems. Since no exploits are known in the wild, the immediate risk is moderate, but unpatched systems remain vulnerable to potential future exploitation or accidental triggering of the deadlock. The impact is more pronounced in environments where uptime and reliability are critical and where devices cannot be easily rebooted or maintained frequently.
Mitigation Recommendations
To mitigate CVE-2024-26806, organizations should: 1) Apply the latest Linux kernel patches that remove the improper calls to spi_controller_suspend() and spi_controller_resume() in the cadence-qspi driver. This is the definitive fix to prevent the deadlock condition. 2) Identify and inventory devices and systems using the cadence-qspi SPI controller, focusing on embedded and IoT devices running affected Linux kernel versions. 3) For devices where immediate patching is not feasible, consider implementing monitoring to detect symptoms of the deadlock, such as hung kernel threads or unresponsive SPI peripherals, and plan for controlled reboots or failover to maintain availability. 4) Coordinate with hardware vendors and Linux distribution maintainers to ensure timely updates are available and deployed. 5) Review runtime power management configurations and consider disabling auto-suspend on affected devices as a temporary workaround, understanding this may impact power efficiency. 6) Incorporate this vulnerability into vulnerability management and incident response processes to ensure rapid detection and remediation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
CVE-2024-26806: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks The ->runtime_suspend() and ->runtime_resume() callbacks are not expected to call spi_controller_suspend() and spi_controller_resume(). Remove calls to those in the cadence-qspi driver. Those helpers have two roles currently: - They stop/start the queue, including dealing with the kworker. - They toggle the SPI controller SPI_CONTROLLER_SUSPENDED flag. It requires acquiring ctlr->bus_lock_mutex. Step one is irrelevant because cadence-qspi is not queued. Step two however has two implications: - A deadlock occurs, because ->runtime_resume() is called in a context where the lock is already taken (in the ->exec_op() callback, where the usage count is incremented). - It would disallow all operations once the device is auto-suspended. Here is a brief call tree highlighting the mutex deadlock: spi_mem_exec_op() ... spi_mem_access_start() mutex_lock(&ctlr->bus_lock_mutex) cqspi_exec_mem_op() pm_runtime_resume_and_get() cqspi_resume() spi_controller_resume() mutex_lock(&ctlr->bus_lock_mutex) ... spi_mem_access_end() mutex_unlock(&ctlr->bus_lock_mutex) ...
AI-Powered Analysis
Technical Analysis
CVE-2024-26806 is a vulnerability identified in the Linux kernel specifically affecting the cadence-qspi SPI controller driver. The issue arises from improper handling of runtime power management (PM) callbacks within the driver. The cadence-qspi driver incorrectly invokes system-wide suspend helper functions spi_controller_suspend() and spi_controller_resume() inside its runtime_suspend() and runtime_resume() callbacks. These helper functions manage the stopping and starting of the SPI queue and toggle the SPI_CONTROLLER_SUSPENDED flag, operations that require acquiring the ctlr->bus_lock_mutex mutex. However, cadence-qspi is a non-queued SPI controller, making the queue stop/start logic irrelevant. More critically, the invocation of spi_controller_resume() during runtime_resume() leads to a deadlock because the bus_lock_mutex is already held in the context of the exec_op() callback, which increments the usage count and calls pm_runtime_resume_and_get(). This mutex deadlock prevents the SPI controller from resuming properly after auto-suspend, effectively blocking all SPI operations on the device once it enters auto-suspend mode. The deadlock occurs because spi_controller_resume() attempts to acquire a mutex that is already locked higher up in the call stack, causing the kernel thread to hang indefinitely. This flaw can cause system instability or denial of service (DoS) conditions on affected systems using the cadence-qspi driver. The vulnerability has been addressed by removing the inappropriate calls to spi_controller_suspend() and spi_controller_resume() from the cadence-qspi driver's runtime PM hooks, thereby preventing the deadlock scenario. No known exploits are currently reported in the wild, and the vulnerability affects specific Linux kernel versions containing the faulty cadence-qspi driver implementation.
Potential Impact
For European organizations, the impact of CVE-2024-26806 primarily involves potential system instability or denial of service on devices running affected Linux kernel versions with the cadence-qspi SPI controller driver. This is particularly relevant for embedded systems, industrial control systems, or IoT devices that rely on this specific SPI controller for communication with peripherals. A deadlock in the SPI controller driver can halt critical device operations, leading to service interruptions or failures in operational technology environments. Organizations using Linux-based infrastructure in sectors such as manufacturing, telecommunications, or transportation may experience disruptions if their hardware platforms incorporate the cadence-qspi controller. Although this vulnerability does not appear to allow privilege escalation or remote code execution, the resulting DoS could impact availability of critical systems. Since no exploits are known in the wild, the immediate risk is moderate, but unpatched systems remain vulnerable to potential future exploitation or accidental triggering of the deadlock. The impact is more pronounced in environments where uptime and reliability are critical and where devices cannot be easily rebooted or maintained frequently.
Mitigation Recommendations
To mitigate CVE-2024-26806, organizations should: 1) Apply the latest Linux kernel patches that remove the improper calls to spi_controller_suspend() and spi_controller_resume() in the cadence-qspi driver. This is the definitive fix to prevent the deadlock condition. 2) Identify and inventory devices and systems using the cadence-qspi SPI controller, focusing on embedded and IoT devices running affected Linux kernel versions. 3) For devices where immediate patching is not feasible, consider implementing monitoring to detect symptoms of the deadlock, such as hung kernel threads or unresponsive SPI peripherals, and plan for controlled reboots or failover to maintain availability. 4) Coordinate with hardware vendors and Linux distribution maintainers to ensure timely updates are available and deployed. 5) Review runtime power management configurations and consider disabling auto-suspend on affected devices as a temporary workaround, understanding this may impact power efficiency. 6) Incorporate this vulnerability into vulnerability management and incident response processes to ensure rapid detection and remediation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.179Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982bc4522896dcbe3c48
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 6:55:14 PM
Last updated: 7/30/2025, 10:29:50 PM
Views: 12
Related Threats
CVE-2025-8293: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Theerawat Patthawee Intl DateTime Calendar
MediumCVE-2025-7686: CWE-352 Cross-Site Request Forgery (CSRF) in lmyoaoa weichuncai(WP伪春菜)
MediumCVE-2025-7684: CWE-352 Cross-Site Request Forgery (CSRF) in remysharp Last.fm Recent Album Artwork
MediumCVE-2025-7683: CWE-352 Cross-Site Request Forgery (CSRF) in janyksteenbeek LatestCheckins
MediumCVE-2025-7668: CWE-352 Cross-Site Request Forgery (CSRF) in timothyja Linux Promotional Plugin
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.