CVE-2024-26807

In the Linux kernel, the following vulnerability has been resolved: Both
cadence-quadspi ->runtime_suspend() and ->runtime_resume() implementations
start with: struct cqspi_st *cqspi = dev_get_drvdata(dev); struct
spi_controller *host = dev_get_drvdata(dev); This obviously cannot be
correct, unless “struct cqspi_st” is the first member of " struct
spi_controller", or the other way around, but it is not the case. “struct
spi_controller” is allocated by devm_spi_alloc_host(), which allocates an
extra amount of memory for private data, used to store “struct cqspi_st”.
The ->probe() function of the cadence-quadspi driver then sets the device
drvdata to store the address of the “struct cqspi_st” structure. Therefore:
struct cqspi_st *cqspi = dev_get_drvdata(dev); is correct, but: struct
spi_controller *host = dev_get_drvdata(dev); is not, as it makes “host”
point not to a “struct spi_controller” but to the same “struct cqspi_st”
structure as above. This obviously leads to bad things (memory corruption,
kernel crashes) directly during ->probe(), as ->probe() enables the device
using PM runtime, leading the ->runtime_resume() hook being called, which
in turns calls spi_controller_resume() with the wrong pointer. This has at
least been reported [0] to cause a kernel crash, but the exact behavior
will depend on the memory contents. [0]
https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/ This
issue potentially affects all platforms that are currently using the
cadence-quadspi driver.