CVE-2026-23207

Summary

In the Linux kernel, the following vulnerability has been resolved:

spi: tegra210-quad: Protect curr_xfer check in IRQ handler

Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur:

CPU0 (ISR thread) CPU1 (timeout path)


if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer = NULL spin_unlock() handle_*_xfer() spin_lock() t = tqspi->curr_xfer // NULL! … t->len … // NULL dereference!

With this patch, all curr_xfer accesses are now properly synchronized.

Although all accesses to curr_xfer are done under the lock, in tegra_qspi_isr_thread() it checks for NULL, releases the lock and reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer(). There is a potential for an update in between, which could cause a NULL pointer dereference.

To handle this, add a NULL check inside the handlers after acquiring the lock. This ensures that if the timeout path has already cleared curr_xfer, the handler will safely return without dereferencing the NULL pointer.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux551060efb156c50fe33799038ba8145418cfdeef < 84e926c1c272a35ddb9b86842d32fa833a60dfc7affected
LinuxLinux01bbf25c767219b14c3235bfa85906b8d2cb8fbc < 2ac3a105e51496147c0e44e49466eecfcc532d57affected
LinuxLinuxb4e002d8a7cee3b1d70efad0e222567f92a73000 < edf9088b6e1d6d88982db7eb5e736a0e4fbcc09eaffected
LinuxLinux88db8bb7ed1bb474618acdf05ebd4f0758d244e2affected
LinuxLinux83309dd551cfd60a5a1a98d9cab19f435b44d46daffected
LinuxLinuxc934e40246da2c5726d14e94719c514e30840df8affected
LinuxLinuxbb0c58be84f907285af45657c1d4847b960a12bfaffected
LinuxLinux5.15.198 < 5.16affected
LinuxLinux6.1.160 < 6.2affected
LinuxLinux6.6.120 < 6.7affected
LinuxLinux6.17.13 < 6.18affected
LinuxLinux6.12.63 < 6.12.80affected
LinuxLinux6.18.2 < 6.18.10affected

Weaknesses

References