CVE-2025-71299 Overview
CVE-2025-71299 affects the Linux kernel's spi-cadence-quadspi driver. The vulnerability stems from a runtime power management (PM) imbalance introduced by an earlier refactor in commit f1eb4e792bb1. When the driver encounters errors during probe, it issues pm_runtime_disable() alongside manual clock disables, causing duplicate clock disable operations. The condition is most commonly triggered by missing or malformed device tree (DT) descriptions for flashes attached to the controller. The result is a kernel warning from the clock subsystem and potential system instability on affected platforms running Linux kernel 6.18.
Critical Impact
A local condition in the Cadence Quadspi SPI driver can trigger clock subsystem warnings and availability impact on systems with broken or missing DT flash descriptions.
Affected Products
- Linux kernel 6.18
- Linux kernel stable branches referenced in upstream commits 08dca4c8099a, 9f0736a4e136, and dcaa104ad9c8
- Embedded platforms using the spi-cadence-quadspi driver
Discovery Timeline
- 2026-05-08 - CVE-2025-71299 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-71299
Vulnerability Analysis
The defect lives in the cqspi_probe() function of the spi-cadence-quadspi driver. Early in probe the driver calls pm_runtime_get_noresume(), since the device is already powered up. If probe fails, the error path manually disables clocks and calls pm_runtime_disable(). Once runtime PM is active, both the PM core and the manual error path release the same reference to the controller's main clock. This produces a duplicate disable, which the common clock framework rejects with a "clk:75:7 already disabled" message and a WARNING at drivers/clk/clk.c:1188 in clk_core_disable+0xa0/0xb4. The condition becomes reachable when DT parsing fails for downstream flash nodes, since that failure occurs after runtime PM has already been enabled.
Root Cause
The root cause is a state-tracking gap between manual clock management in the probe error path and reference counting performed by the runtime PM subsystem. The driver cannot reliably determine whether runtime PM has already released the clock, so the cleanup path double-disables it. This is a kernel resource management defect rather than a memory corruption issue, and NVD classifies it under NVD-CWE-noinfo.
Attack Vector
The vulnerability requires local access with low privileges and no user interaction. Exploitation in the usual sense is not the model here: the issue is triggered through legitimate boot paths when DT data for SPI flashes is missing or malformed. A local user with the ability to load module parameters, alter device tree overlays, or hot-plug controllers on supported platforms can repeatedly trigger the faulty error path, producing kernel warnings and availability impact on the SPI subsystem.
No verified exploitation code is available. The defect is documented through upstream kernel commit logs only.
Detection Methods for CVE-2025-71299
Indicators of Compromise
- Kernel log entries containing clk:75:7 already disabled shortly after boot or module load
- WARNING: CPU: ... at drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb4 stack traces referencing cqspi_probe
- Repeated spi_cadence_quadspi probe failures correlated with DT parsing errors
Detection Strategies
- Monitor dmesg and persistent kernel logs for clk_core_disable warnings tied to cqspi_probe+0x7c8/0xc5c (the +0x7c8/0xc5c offset is specific to one kernel build; match on the cqspi_probe function name rather than the exact offset)
- Audit running kernel versions against the patched stable commits 08dca4c8099a, 9f0736a4e136, and dcaa104ad9c8
- Validate device tree blobs at build time to ensure flash child nodes under the Cadence Quadspi controller are well-formed
Monitoring Recommendations
- Forward kernel ring buffer events to centralized logging and alert on WARNING traces originating in drivers/clk/clk.c
- Track SPI subsystem probe failures on embedded fleets and correlate with firmware or DT overlay updates
- Baseline expected SPI flash enumeration per device model to detect missing flashes that point to broken DT data
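An added example, not part of this advisory, that implements the log-based detection described in the Detection Strategies and Monitoring Recommendations above: it scans dmesg-style lines for the clk_core_disable WARNING, attaches the preceding "clk:X:Y already disabled" message, and reports only those traces that pass through cqspi_probe. The regexes, the ClkWarning record and the sample log excerpt are constructed for this example; offsets in the sample are taken from the indicators on this page and will differ between kernel builds.

```python
import re
from dataclasses import dataclass, field

CLK_WARNING = re.compile(r"WARNING: CPU: \d+ PID: \d+ at drivers/clk/clk\.c:\d+ clk_core_disable\+")
ALREADY_DISABLED = re.compile(r"clk:\d+:\d+ already disabled")   # the clk framework's WARN() message
CQSPI_FRAME = re.compile(r"cqspi_probe\+0x[0-9a-f]+/0x[0-9a-f]+")  # trace frame named in this advisory
END_TRACE = re.compile(r"---\[ end trace ")
TIMESTAMP = re.compile(r"^\[\s*(\d+\.\d+)\]")

@dataclass
class ClkWarning:
    timestamp: float
    already_disabled: str = ""                  # "clk:X:Y already disabled" message, if seen
    frames: list = field(default_factory=list)  # lines of the call trace that followed

def scan_dmesg(lines, lookback=3):
    """Group each clk_core_disable WARNING with its context. WARN() prints the
    'already disabled' message just before the WARNING line, then the call trace."""
    warnings, recent, current = [], [], None
    for line in lines:
        if current is not None:                 # inside a trace: collect frames
            current.frames.append(line)
            if END_TRACE.search(line):
                current, recent = None, []      # reset so the next WARNING starts clean
            continue
        if CLK_WARNING.search(line):
            current = ClkWarning(float(m.group(1)) if (m := TIMESTAMP.match(line)) else -1.0)
            for prev in recent:                 # message was printed before the WARNING line
                if (hit := ALREADY_DISABLED.search(prev)):
                    current.already_disabled = hit.group(0)
            warnings.append(current)
        recent = (recent + [line])[-lookback:]
    return warnings

def cve_2025_71299_hits(lines):
    """Only warnings whose trace passes through cqspi_probe match this CVE's signature."""
    return [w for w in scan_dmesg(lines) if any(CQSPI_FRAME.search(f) for f in w.frames)]

# Constructed dmesg excerpt: the first trace matches the page's indicators, the second is unrelated.
SAMPLE_DMESG = """\
[    1.212410] clk:75:7 already disabled
[    1.212420] WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb4
[    1.212440]  clk_core_disable+0xa0/0xb4
[    1.212460]  cqspi_probe+0x7c8/0xc5c
[    1.212480] ---[ end trace 0000000000000000 ]---
[    2.000000] WARNING: CPU: 1 PID: 1 at drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb4
[    2.000030]  other_driver_probe+0x10/0x20
[    2.000040] ---[ end trace 0000000000000000 ]---
""".splitlines()
```

Feed it `dmesg` output or journald kernel messages line by line; a non-empty result from cve_2025_71299_hits() is the alert condition, and the unrelated second trace in the sample shows that clk_core_disable warnings from other drivers are not reported.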
How to Mitigate CVE-2025-71299
Immediate Actions Required
- Upgrade affected systems to a Linux kernel build that includes commits 08dca4c8099a41a9fa3be128a793387603f73a17, 9f0736a4e136a6eb61e0cf530ddc18ab6d816ba3, or dcaa104ad9c860a6dbd5797919e0ec0b1cd5a57a
- Validate device tree sources for the Cadence Quadspi controller to ensure all flash child nodes parse cleanly
- Restrict local access on systems that cannot be patched immediately to limit who can reload affected modules
Patch Information
The upstream fix moves flash DT parsing into the controller property parsing stage, eliminating the late failure path that produced the duplicate clock disable. Patches are available in the kernel.org stable tree via commits 08dca4c, 9f0736a, and dcaa104. Apply the patch level appropriate to your stable branch and rebuild the kernel image.
Workarounds
- Correct or remove malformed flash subnodes from the device tree so probe does not hit the error path
- Blacklist the spi-cadence-quadspi module on systems that do not require the controller until a patched kernel is deployed
- Limit DT overlay loading privileges to trusted administrators on affected embedded platforms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.