Description
In the Linux kernel, the following vulnerability has been resolved:

spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing

The recent refactoring of where runtime PM is enabled done in commit
f1eb4e792bb1 ("spi: spi-cadence-quadspi: Enable pm runtime earlier to
avoid imbalance") made the fact that when we do a pm_runtime_disable()
in the error paths of probe() we can trigger a runtime disable which in
turn results in duplicate clock disables. This is particularly likely
to happen when there is missing or broken DT description for the flashes
attached to the controller.

Early on in the probe function we do a pm_runtime_get_noresume() since
the probe function leaves the device in a powered up state but in the
error path we can't assume that PM is enabled so we also manually
disable everything, including clocks. This means that when runtime PM is
active both it and the probe function release the same reference to the
main clock for the IP, triggering warnings from the clock subsystem:

[ 8.693719] clk:75:7 already disabled
[ 8.693791] WARNING: CPU: 1 PID: 185 at /usr/src/kernel/drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb
...
[ 8.694261] clk_core_disable+0xa0/0xb4 (P)
[ 8.694272] clk_disable+0x38/0x60
[ 8.694283] cqspi_probe+0x7c8/0xc5c [spi_cadence_quadspi]
[ 8.694309] platform_probe+0x5c/0xa4

Dealing with this issue properly is complicated by the fact that we
don't know if runtime PM is active so can't tell if it will disable the
clocks or not. We can, however, sidestep the issue for the flash
descriptions by moving their parsing to when we parse the controller
properties which also save us doing a bunch of setup which can never be
used so let's do that.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a refactor that moved runtime PM enable earlier caused pm_runtime_disable() called in probe error paths to trigger duplicate clock disables. This occurs when a device’s device tree description for attached flashes is missing or broken, leading to warning messages and possible kernel instability. The vulnerability does not directly give an attacker a new capability, but it can cause unpredictable behavior in the driver stack. It represents an improper handling of reference counting flaw, classified as CWE-1341.

Affected Systems

All Linux kernel builds that include the cadence-quadspi driver on a kernel without the fix in commit f1eb4e792bb1 are affected. The issue arises for devices with broken or missing DT entries for the flashes used with the Cadence QuadSPI controller, regardless of distribution. Any Linux system running such a kernel and that uses that controller is potentially impacted.

Risk and Exploitability

The CVSS score is 5.5, indicating a moderate severity. The EPSS score is < 1%, so the likelihood of exploitation remains uncertain. The bug is not listed in CISA KEV catalog, suggesting no known public exploits. Exploitation would require privileged access to load a driver with a flawed device tree description, which can lead to kernel warnings and possible instability, but does not directly enable remote code execution. Based on the description, it is inferred that the likely attack vector is a kernel driver load in a system with improper DT configuration.

Generated by OpenCVE AI on May 14, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release containing the commit that fixes the duplicate clock disable issue (f1eb4e792bb1).
  • Reconfigure the device tree to provide correct flash descriptions, ensuring the probe function can complete without failure.
  • If a kernel upgrade is not yet possible, a temporary workaround is to disable runtime PM for the affected device in its device tree entry (e.g., set `runtime_pm=disabled` or remove `power/` controls) to prevent the duplicate disable from occurring.

Generated by OpenCVE AI on May 14, 2026 at 21:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*

Sat, 09 May 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-663

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1341
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 08 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-663

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing The recent refactoring of where runtime PM is enabled done in commit f1eb4e792bb1 ("spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance") made the fact that when we do a pm_runtime_disable() in the error paths of probe() we can trigger a runtime disable which in turn results in duplicate clock disables. This is particularly likely to happen when there is missing or broken DT description for the flashes attached to the controller. Early on in the probe function we do a pm_runtime_get_noresume() since the probe function leaves the device in a powered up state but in the error path we can't assume that PM is enabled so we also manually disable everything, including clocks. This means that when runtime PM is active both it and the probe function release the same reference to the main clock for the IP, triggering warnings from the clock subsystem: [ 8.693719] clk:75:7 already disabled [ 8.693791] WARNING: CPU: 1 PID: 185 at /usr/src/kernel/drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb ... [ 8.694261] clk_core_disable+0xa0/0xb4 (P) [ 8.694272] clk_disable+0x38/0x60 [ 8.694283] cqspi_probe+0x7c8/0xc5c [spi_cadence_quadspi] [ 8.694309] platform_probe+0x5c/0xa4 Dealing with this issue properly is complicated by the fact that we don't know if runtime PM is active so can't tell if it will disable the clocks or not. We can, however, sidestep the issue for the flash descriptions by moving their parsing to when we parse the controller properties which also save us doing a bunch of setup which can never be used so let's do that.
Title spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:03:36.757Z

Reserved: 2026-05-06T11:31:45.510Z

Link: CVE-2025-71299

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T14:16:31.267

Modified: 2026-05-14T19:11:57.097

Link: CVE-2025-71299

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2025-71299 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T21:15:16Z

Weaknesses