Description
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler. Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with the interrupt handler that reads this field. Without this protection, the IRQ handler could read a partially updated curr_xfer value, leading to NULL pointer dereference or use-after-free.
Product status
88db8bb7ed1bb474618acdf05ebd4f0758d244e2 (git) before 9fa4262a80f751d14a6a39d2c03f57db68da2618
83309dd551cfd60a5a1a98d9cab19f435b44d46d (git) before 762e2ce71c8f0238e9eaf05d14da803d9a24422f
c934e40246da2c5726d14e94719c514e30840df8 (git) before 712cde8d916889e282727cdf304a43683adf899e
551060efb156c50fe33799038ba8145418cfdeef (git) before 6fd446178a610a48e80e5c5b487b0707cd01daac
01bbf25c767219b14c3235bfa85906b8d2cb8fbc (git) before 3bc293d5b56502068481478842f57b3d96e432c7
b4e002d8a7cee3b1d70efad0e222567f92a73000 (git) before bf4528ab28e2bf112c3a2cdef44fd13f007781cd
bb0c58be84f907285af45657c1d4847b960a12bf (git)
5.15.198 (semver) before 5.15.200
6.1.160 (semver) before 6.1.163
6.6.120 (semver) before 6.6.124
6.12.63 (semver) before 6.12.70
6.18.2 (semver) before 6.18.10
References
git.kernel.org/...c/9fa4262a80f751d14a6a39d2c03f57db68da2618
git.kernel.org/...c/762e2ce71c8f0238e9eaf05d14da803d9a24422f
git.kernel.org/...c/712cde8d916889e282727cdf304a43683adf899e
git.kernel.org/...c/6fd446178a610a48e80e5c5b487b0707cd01daac
git.kernel.org/...c/3bc293d5b56502068481478842f57b3d96e432c7
git.kernel.org/...c/bf4528ab28e2bf112c3a2cdef44fd13f007781cd