CVE-2026-46203
Description
In the Linux kernel, the following vulnerability has been resolved:
spi: cadence-quadspi: fix unclocked access on unbind
Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.
This issue was flagged by Sashiko when reviewing a controller deregistration fix.
Affected products: 3
Patches
d67a5311818b spi: cadence-quadspi: fix unclocked access on unbind
1 file changed · +3 −5
drivers/spi/spi-cadence-quadspi.c+3 −5 modifieddiff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c index e5e02457d44c4d..1b0d6186c7efa9 100644 --- a/drivers/spi/spi-cadence-quadspi.c +++ b/drivers/spi/spi-cadence-quadspi.c @@ -2029,14 +2029,13 @@ static void cqspi_remove(struct platform_device *pdev) if (cqspi->rx_chan) dma_release_channel(cqspi->rx_chan); - cqspi_controller_enable(cqspi, 0); - - if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) ret = pm_runtime_get_sync(&pdev->dev); - if (ret >= 0) + if (ret >= 0) { + cqspi_controller_enable(cqspi, 0); clk_bulk_disable_unprepare(CLK_QSPI_NUM, cqspi->clks); + } if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) { pm_runtime_disable(&pdev->dev); -- cgit 1.3-korg
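Review bot: The `ret < 0` path of the new `if (ret >= 0) {` block is silent: when `pm_runtime_get_sync()` fails, `cqspi_controller_enable(cqspi, 0)` is skipped along with the clock teardown and the controller is left enabled with no trace in the log. Skipping the register write is right, since touching the controller after a failed resume is the unclocked access being fixed, but a `dev_warn()` on that path would make the outcome visible. `pm_runtime_get_sync()` also raises the usage count even when it fails, and the trailing context shows only `pm_runtime_disable(&pdev->dev)`, so confirm that a put balances it later in the function.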
233db2cb14db spi: cadence-quadspi: fix unclocked access on unbind
1 file changed · +3 −5
drivers/spi/spi-cadence-quadspi.c+3 −5 modifieddiff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c index 87e2bb66ad6cf7..9ccfdc8c36fe83 100644 --- a/drivers/spi/spi-cadence-quadspi.c +++ b/drivers/spi/spi-cadence-quadspi.c @@ -2024,14 +2024,13 @@ static void cqspi_remove(struct platform_device *pdev) if (cqspi->rx_chan) dma_release_channel(cqspi->rx_chan); - cqspi_controller_enable(cqspi, 0); - - if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) ret = pm_runtime_get_sync(&pdev->dev); - if (ret >= 0) + if (ret >= 0) { + cqspi_controller_enable(cqspi, 0); clk_bulk_disable_unprepare(CLK_QSPI_NUM, cqspi->clks); + } if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) { pm_runtime_put_sync(&pdev->dev); -- cgit 1.3-korg
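Review bot: `ret` is assigned in this hunk only when the `CQSPI_DISABLE_RUNTIME_PM` quirk is absent, yet the new `if (ret >= 0) {` block now decides whether quirk devices get `cqspi_controller_enable(cqspi, 0)` at all. For those devices the controller disable depends on whatever value `ret` was given earlier, which the hunk does not show. A short comment at the declaration, or a separate branch for the quirk case, would make that dependency explicit.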
Vulnerability mechanics
Root cause
"Missing runtime PM get-sync before register access in driver unbind path allows unclocked register access."
Attack vector
An attacker who can trigger a driver unbind (e.g., via device removal, module unloading, or a controlled system call that removes the platform device) on a system where the Cadence QSPI controller is runtime-suspended can cause an unclocked register access. The `cqspi_controller_enable(cqspi, 0)` call was executed before `pm_runtime_get_sync()` ensured the clocks were enabled, leading to a read/write to controller registers while the clock is gated [patch_id=2897792].
Affected code
The `cqspi_remove()` function in `drivers/spi/spi-cadence-quadspi.c` is at fault. Before the patch, `cqspi_controller_enable(cqspi, 0)` was called unconditionally at the top of the function, before the runtime PM get-sync, meaning the controller registers could be accessed while the clocks were still disabled [patch_id=2897792].
What the fix does
The patch moves `cqspi_controller_enable(cqspi, 0)` inside the `if (ret >= 0)` block, after `pm_runtime_get_sync()` has successfully resumed the controller and enabled its clocks [patch_id=2897792]. This ensures the register access in `cqspi_controller_enable` only occurs when the hardware is clocked. The unconditional call was also removed from before the runtime PM get-sync, closing the unclocked access window.
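A source-level triage check for the ordering described above, as an added example (not code from the kernel project or from this advisory): it reports whether a tree's `cqspi_remove()` disables the controller before the runtime resume. The two excerpts are constructed from the hunk shown on this page, `function_body` and `classify_remove` are hypothetical helper names, and the brace matching is a heuristic that ignores comments and string literals.

```python
import re

# Constructed excerpts modelled on the hunk above; not the full kernel function.
PRE_FIX = """static void cqspi_remove(struct platform_device *pdev)
{
	cqspi_controller_enable(cqspi, 0);
	if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM)))
		ret = pm_runtime_get_sync(&pdev->dev);
	if (ret >= 0)
		clk_bulk_disable_unprepare(CLK_QSPI_NUM, cqspi->clks);
}
"""
POST_FIX = """static void cqspi_remove(struct platform_device *pdev)
{
	if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM)))
		ret = pm_runtime_get_sync(&pdev->dev);
	if (ret >= 0) {
		cqspi_controller_enable(cqspi, 0);
		clk_bulk_disable_unprepare(CLK_QSPI_NUM, cqspi->clks);
	}
}
"""

DISABLE = re.compile(r"cqspi_controller_enable\s*\(\s*cqspi\s*,\s*0\s*\)")
RESUME = re.compile(r"pm_runtime_get_sync\s*\(")

def function_body(source, name):
    """Return the text inside the braces of name's definition, or None."""
    m = re.search(r"\b%s\s*\([^;{]*\)\s*\{" % re.escape(name), source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:  # heuristic: ignores comments/strings
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1] if depth == 0 else None

def classify_remove(source):
    """Order of controller disable vs. runtime resume in cqspi_remove()."""
    body = function_body(source, "cqspi_remove")
    if body is None:
        return "not-found"
    disable, resume = DISABLE.search(body), RESUME.search(body)
    if disable is None:
        return "no-disable-call"
    # A disable with no resume call at all is also reported as unordered.
    if resume is None or disable.start() < resume.start():
        return "disable-before-resume"
    return "resume-before-disable"
```

Pass it the text of `drivers/spi/spi-cadence-quadspi.c` from the tree under review; `disable-before-resume` marks the pre-fix ordering.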
Preconditions
- config: The Cadence QSPI controller must be runtime-suspended at the time of driver unbind.
- input: An attacker must be able to trigger driver unbind (e.g., device removal, module unload, or platform device deregistration).
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.