net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels

Summary

CVE	CVE-2025-71285
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-06 12:16:27 UTC
Updated	2026-05-12 21:25:04 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels MHI stack offers the 'auto_queue' feature, which allows the MHI stack to auto queue the buffers for the RX path (DL channel). Though this feature simplifies the client driver design, it introduces race between the client drivers and the MHI stack. For instance, with auto_queue, the 'dl_callback' for the DL channel may get called before the client driver is fully probed. This means, by the time the dl_callback gets called, the client driver's structures might not be initialized, leading to NULL ptr dereference. Currently, the drivers have to workaround this issue by initializing the internal structures before calling mhi_prepare_for_transfer_autoqueue(). But even so, there is a chance that the client driver's internal code path may call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() is called, leading to similar NULL ptr dereference. This issue has been reported on the Qcom X1E80100 CRD machines affecting boot. So to properly fix all these races, drop the MHI 'auto_queue' feature altogether and let the client driver (QRTR) manage the RX buffers manually. In the QRTR driver, queue the RX buffers based on the ring length during probe and recycle the buffers in 'dl_callback' once they are consumed. This also warrants removing the setting of 'auto_queue' flag from controller drivers. Currently, this 'auto_queue' feature is only enabled for IPCR DL channel. So only the QRTR client driver requires the modification.

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-476

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 227fee5fc99eeb74d43bf68832f6d59d30ac07d8 7bdff9b9b0c65ac7105416fe3a40686832515e20 git	Not specified
CNA	Linux	Linux	affected 227fee5fc99eeb74d43bf68832f6d59d30ac07d8 8c464e00e0754e016816b1860fa9592dcad80eb2 git	Not specified
CNA	Linux	Linux	affected 227fee5fc99eeb74d43bf68832f6d59d30ac07d8 51731792a25cb312ca94cdccfa139eb46de1b2ef git	Not specified
CNA	Linux	Linux	affected c682fb70a7dfc25b848a4ff3a385b0471b470606 git	Not specified
CNA	Linux	Linux	affected 5.17	Not specified
CNA	Linux	Linux	unaffected 5.17 semver	Not specified
CNA	Linux	Linux	unaffected 6.18.17 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.6 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/51731792a25cb312ca94cdccfa139eb46de1b2ef	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/7bdff9b9b0c65ac7105416fe3a40686832515e20	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/8c464e00e0754e016816b1860fa9592dcad80eb2	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.