Linux Kernel QRTR Driver MHI Auto-Queue Feature Removal Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel's QRTR (Qualcomm Remote Procedure Call Transport) driver, specifically related to the MHI (Mobile Host Interface) auto-queue feature for IPCR (Inter-Processor Communication Router) downlink channels. This feature, while simplifying driver design, creates a race condition where the 'dl_callback' may be invoked before the client driver is fully initialized, leading to a null pointer dereference. This issue has been reported on Qualcomm X1E80100 CRD machines during boot. The vulnerability arises because client drivers might call MHI queue APIs before their internal structures are ready, causing similar null pointer dereferences.

To address this, the MHI auto-queue feature has been disabled, allowing the QRTR driver to manage received buffers manually. The fix involves removing the auto-queue flag from affected controller drivers and has been applied in the Linux kernel stable tree.

Impact

The removal of the MHI auto-queue feature for IPCR downlink channels prevents potential null pointer dereferences that could disrupt driver operation, particularly during the boot process on affected Qualcomm devices.

Reproduction

The vulnerability can be reproduced by using a client driver that relies on the MHI auto-queue feature for IPCR downlink channels, such as the QRTR driver, on a Qualcomm X1E80100 CRD machine. The issue will manifest as a null pointer dereference when the 'dl_callback' is called before the client driver is fully initialized.

Remediation

The vulnerability has been addressed by removing the MHI auto-queue feature for IPCR downlink channels, allowing the QRTR driver to manage received buffers manually. This fix is available in the latest version of the Linux kernel.
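The ordering problem described under Vulnerability and the effect of the fix can be seen in a small userspace model, added here as an illustration and not taken from the kernel patch. All names (`probe`, `queue_bufs`, `device_sends`, the struct fields) are hypothetical, and the model assumes the device holds a packet until a receive buffer has been queued for it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; every name is hypothetical, none is a kernel API. */
struct client { int rx_count; };
struct channel {
    int queued_bufs;         /* receive buffers the device may fill */
    int pending;             /* packets the device is holding (assumed) */
    struct client *drvdata;  /* set by the client at the end of probe */
    int early_callbacks;     /* callbacks that ran with drvdata == NULL */
};

static void dl_callback(struct channel *ch)
{
    if (ch->drvdata)
        ch->drvdata->rx_count++;
    else
        ch->early_callbacks++;  /* an unguarded driver dereferences NULL here */
}

static void deliver(struct channel *ch)  /* one queued buffer per packet */
{
    while (ch->pending > 0 && ch->queued_bufs > 0) {
        ch->pending--; ch->queued_bufs--;
        dl_callback(ch);
    }
}
static void device_sends(struct channel *ch) { ch->pending++; deliver(ch); }
static void queue_bufs(struct channel *ch, int n) { ch->queued_bufs += n; deliver(ch); }

/* Probe with one packet arriving before drvdata is set; returns early callbacks. */
static int probe(bool auto_queue, struct client *cl)
{
    struct channel ch = {0};
    if (auto_queue)
        queue_bufs(&ch, 4);  /* auto-queue: buffers exist before client is ready */
    device_sends(&ch);       /* race window */
    ch.drvdata = cl;         /* client state is now initialized */
    if (!auto_queue)
        queue_bufs(&ch, 4);  /* manual: client queues only after init */
    device_sends(&ch);
    return ch.early_callbacks;
}

int main(void)
{
    struct client a = {0}, b = {0};
    printf("early callbacks: auto=%d manual=%d\n", probe(true, &a), probe(false, &b));
    return 0;
}
```

With auto-queue the first packet reaches the callback while the client pointer is still NULL; with manual queueing the same packet waits and is delivered once the client has queued buffers.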

Added: May 6, 2026, 6:02 PM
Updated: May 6, 2026, 6:02 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.