KernelScan.io

HIGH

net/ipa EventRing Hang

CVE-2026-43345

CVSS 7.5 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

KernelScan AI 5.5 MEDIUM


In the Linux kernel, the following vulnerability has been resolved:

net: ipa: fix event ring index not programmed for IPA v5.0+

For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to CH_C_CNTXT_1. The v5.0 register definition intended to define this field in the CH_C_CNTXT_1 fmask array but used the old identifier of ERINDEX instead of CH_ERINDEX.

Without a valid event ring, GSI channels could never signal transfer completions. This caused gsi_channel_trans_quiesce() to block forever in wait_for_completion().

At least for IPA v5.2 this resolves an issue seen where runtime suspend, system suspend, and remoteproc stop all hung forever. It also meant the IPA data path was completely non-functional.


Engine v0.2.0

Risk summary

Systems with Qualcomm IPA v5.0+ hardware (such as SDX65 SoC) experience complete network data path failure and indefinite hangs during runtime suspend, system suspend, and remoteproc stop. The bug causes gsi_channel_trans_quiesce() to block forever in wait_for_completion() because transfer completions are never signaled due to a misprogrammed event ring index in the GSI register definition.

Affected: drivers/net/ipa/reg/gsi_reg-v5.0.c (IPA GSI)

Vulnerability analysis

The root cause is a typo in the IPA v5.0 GSI register field definition where ERINDEX was used instead of CH_ERINDEX in the CH_C_CNTXT_1 fmask array. Because the wrong identifier is used, the event ring index field is never defined in the register mask, so the hardware event ring is never properly configured. Without a valid event ring, GSI channels cannot signal transfer completions, causing any channel quiesce operation to wait forever. The fix replaces ERINDEX with CH_ERINDEX so the event ring index is correctly programmed. This is a local denial-of-service condition: the hang occurs during driver teardown paths (suspend/resume, remoteproc stop) and renders the IPA data path completely non-functional.
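The failure mode described above, as an added user-space model (not the driver's code and not part of the original page): a field mask stored under the wrong identifier leaves the slot the driver looks up empty, so the encoded value is dropped silently. The enum layout, bit positions, and the helper names field_encode() and missing_fields() are assumptions made for illustration; missing_fields() is the kind of table audit that would flag the typo before the hardware is programmed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: field ids and bit ranges are illustrative, not the driver's. */
enum field_id { CH_R_LENGTH, CH_ERINDEX, ERINDEX, FIELD_COUNT };

#define MASK(hi, lo) ((~0u >> (31 - (hi))) & (~0u << (lo)))

/* Before the fix: the event ring index mask sits under the old identifier. */
static const uint32_t cntxt_1_buggy[FIELD_COUNT] = {
	[CH_R_LENGTH] = MASK(23, 0),
	[ERINDEX]     = MASK(31, 24),
};

/* After the fix: the mask sits under the identifier that is looked up. */
static const uint32_t cntxt_1_fixed[FIELD_COUNT] = {
	[CH_R_LENGTH] = MASK(23, 0),
	[CH_ERINDEX]  = MASK(31, 24),
};

/* Fields a CH_C_CNTXT_1 write must be able to encode (assumed list). */
static const enum field_id cntxt_1_required[] = { CH_R_LENGTH, CH_ERINDEX };

/* Place val in the field's bits; an undefined (zero) mask encodes nothing. */
static uint32_t field_encode(const uint32_t *fmask, enum field_id id, uint32_t val)
{
	uint32_t mask = fmask[id];
	uint32_t lowbit = mask & (~mask + 1);	/* lowest set bit, 0 if mask is 0 */

	return (val * lowbit) & mask;
}

/* Audit: count required fields whose mask was never defined in the table. */
static int missing_fields(const uint32_t *fmask, const enum field_id *req, size_t n)
{
	int missing = 0;

	for (size_t i = 0; i < n; i++)
		if (!fmask[req[i]])
			missing++;
	return missing;
}

int main(void)
{
	printf("event ring 5 -> buggy 0x%08x, fixed 0x%08x, missing in buggy: %d\n",
	       (unsigned)field_encode(cntxt_1_buggy, CH_ERINDEX, 5),
	       (unsigned)field_encode(cntxt_1_fixed, CH_ERINDEX, 5),
	       missing_fields(cntxt_1_buggy, cntxt_1_required, 2));
	return 0;
}
```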


Branch      Fixed in    Patch commit
6.12        6.12.83     2bf18b643c46
6.18        6.18.24     2d2dc166d551
6.19        6.19.14     34c988bb04cb
6.6         6.6.136     ae8343a19ccb
mainline    7.0         56007972c0b1