HIGH Published 2026-05-01

net/xilinx BQL Accounting

CVE-2026-43031

CVSS 7.5 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

KernelScan AI4.7MEDIUM

01Description

In the Linux kernel, the following vulnerability has been resolved: net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets When a TX packet spans multiple buffer descriptors (scatter-gather), axienet_free_tx_chain sums the per-BD actual length from descriptor status into a caller-provided accumulator. That sum is reset on each NAPI poll. If the BDs for a single packet complete across different polls, the earlier bytes are lost and never credited to BQL. This causes BQL to think bytes are permanently in-flight, eventually stalling the TX queue. The SKB pointer is stored only on the last BD of a packet. When that BD completes, use skb->len for the byte count instead of summing per-BD status lengths. This matches netdev_sent_queue(), which debits skb->len, and naturally survives across polls because no partial packet contributes to the accumulator.

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

Systems using Xilinx AXI Ethernet hardware may experience network TX queue stalls due to incorrect byte queue limit accounting. The bug causes the driver to lose track of transmitted bytes when scatter-gather packets complete across multiple NAPI polls, eventually stalling the transmit queue and causing network unavailability.

Affecteddrivers/net/ethernet/xilinx/xilinx_axienet_main.c (Xilinx AXI Ethernet)

Vulnerability analysis

The vulnerability stems from incorrect BQL accounting in the axienet_free_tx_chain function. When TX packets span multiple buffer descriptors, the original code summed per-BD lengths into an accumulator that was reset on each NAPI poll. If BDs for a single packet completed across different polls, earlier bytes were never credited back to BQL, causing it to think bytes were permanently in-flight. The fix changes the accounting to use skb->len when the last BD completes, ensuring atomic crediting that matches the original netdev_sent_queue() debit. This requires local access to trigger network traffic through the specific Xilinx hardware interface.

03Fix Versions

Branch	Fixed in	Patch commit
6.18	6.18.22	`2a0323a91310`
6.19	6.19.12	`3c3a6b9020c0`
mainline	7.0	`d1978d03e867`