Linux Kernel Event Ring Index Vulnerability in IPA v5.0+

A vulnerability in the Linux kernel's handling of the event ring index for the IPA v5.0+ version has been addressed. In this version, the event ring index field was supposed to move from CH_C_CNTXT_0 to CH_C_CNTXT_1. However, the register definition incorrectly used the old identifier ERINDEX instead of the correct CH_ERINDEX. This mistake meant that GSI channels could not signal transfer completions, causing the gsi_channel_trans_quiesce() function to block indefinitely. This issue led to hangs during runtime suspend, system suspend, and remote processing stops, rendering the IPA data path non-functional.

Impact

The vulnerability caused GSI channels to block indefinitely, disrupting normal data transfer operations. This blockage led to hangs during system and runtime suspensions, as well as remote processing stops, causing the IPA data path to become completely non-functional.

Reproduction

The vulnerability can be reproduced by using a device or system that operates on the Linux kernel with IPA version 5.0 or later. The issue arises because the event ring index is not correctly programmed, leading to GSI channels being unable to signal transfer completions. This can be observed by attempting to use GSI channels for data transfers, which will result in a blockage as the system waits for a completion signal that never arrives.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.