Linux Kernel QSPI Timeout Handling Vulnerability in Tegra210-Quad SPI Driver

Vulnerability

A vulnerability in the Linux kernel's SPI driver for the Tegra210 QSPI controller has been addressed. This issue arose because the interrupt handler could be delayed on a busy CPU, causing the transfer timeout to be reached prematurely. When timeouts were processed, any ongoing transfers were canceled, and the associated message was marked as failed. This left the 'curr_xfer' field referencing outdated memory. The vulnerability has been fixed by ensuring 'curr_xfer' is set to NULL when a timeout occurs and by clearing interrupts on failure, allowing new interrupts to be processed. The updated handling prevents the IRQ thread from running unnecessarily after a timeout, avoiding potential errors.
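The sequence described above, as an added user-space model in C (not the driver's code and not the upstream patch). Only 'curr_xfer' is a name from the advisory; every other identifier, and the NULL check in the IRQ thread, is an assumption made for illustration.

```c
#include <stddef.h>

/* User-space model of the advisory's failure mode. Only curr_xfer is a name
 * from the page; every other identifier here is hypothetical. */
struct xfer { int failed; int completed; };

struct qspi_model {
    struct xfer *curr_xfer;   /* transfer the IRQ thread will act on */
    unsigned int irq_status;  /* stands in for latched interrupt bits */
};

enum irq_result { IRQ_NOTHING_TO_DO, IRQ_TOUCHED_XFER };

/* Timeout path: the message is marked failed. With fixed != 0 it also does
 * what the advisory describes: clear interrupts and set curr_xfer to NULL. */
static void on_timeout(struct qspi_model *q, int fixed)
{
    q->curr_xfer->failed = 1;
    if (fixed) {
        q->irq_status = 0;
        q->curr_xfer = NULL;
    }
}

/* IRQ thread that was delayed on a busy CPU and only runs after the timeout.
 * The NULL check is useless unless the timeout path clears the pointer. */
static enum irq_result irq_thread(struct qspi_model *q)
{
    if (q->curr_xfer == NULL)
        return IRQ_NOTHING_TO_DO;   /* nothing in flight: bail out */
    q->curr_xfer->completed = 1;    /* in the driver this is stale memory */
    q->irq_status = 0;
    return IRQ_TOUCHED_XFER;
}

/* Sequence: transfer started, interrupt latched, timeout fires, late IRQ. */
static enum irq_result late_irq_after_timeout(int fixed, struct xfer *x)
{
    struct qspi_model q = { .curr_xfer = x, .irq_status = 1 };
    on_timeout(&q, fixed);
    return irq_thread(&q);
}
```

In the model the transfer object stays valid so the unfixed path can be run safely; in the driver the same write would land in memory that no longer belongs to the transfer.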

Impact

The vulnerability could lead to improper management of SPI transfers, causing data corruption or loss by allowing the 'curr_xfer' field to point to stale memory, which could disrupt ongoing SPI communication.

Reproduction

The vulnerability can be reproduced by initiating a QSPI transfer on a Tegra210 device while the CPU is under heavy load. This condition can delay the IRQ thread, allowing the transfer timeout to expire before the transfer is completed. Once the timeout occurs, the transfer is canceled and the 'curr_xfer' field is left pointing to outdated memory, creating the potential for data corruption.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. The specific commit containing the fix can be downloaded from the Linux kernel Git repository.

Added: Dec 24, 2025, 1:45 PM
Updated: Dec 24, 2025, 1:45 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.