In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: start MHI channel after endpoint creation
The MHI channel may generate an event/interrupt right after being enabled. This may lead to two race condition issues.
1) Such an event may be dropped by qcom_mhi_qrtr_dl_callback() at the check:
    if (!qdev || mhi_res->transaction_status)
        return;
because dev_set_drvdata(&mhi_dev->dev, qdev) may not have been performed at this moment. In this situation qrtr-ns will be unable to enumerate.
2) Such an event may come at the moment after dev_set_drvdata() and before qrtr_endpoint_register(). In this case the kernel will panic accessing a wrong pointer in qcom_mhi_qrtr_dl_callback():
    rc = qrtr_endpoint_post(&qdev->ep, mhi_res->buf_addr,
                            mhi_res->bytes_xferd);
So move mhi_prepare_for_transfer_autoqueue after endpoint creation to fix it.
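The two race windows and the effect of the reordering can be made concrete with a small user-space model. This is an added example, not kernel code and not the qrtr driver's own source: the structs, the step enum, the `simulate()` helper and the three outcome codes are hypothetical stand-ins for dev_set_drvdata(), qrtr_endpoint_register(), mhi_prepare_for_transfer_autoqueue() and the downlink callback, and the "event fires immediately after step N" parameter replaces a real interrupt. The callback keeps the drvdata check quoted above and models the missing-endpoint case as a distinct result instead of dereferencing a bad pointer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model of the probe-ordering race; not kernel code.
 * Names mirror the qrtr/MHI ones only loosely. */

struct endpoint {
	bool registered;   /* stand-in for the state qrtr_endpoint_register() sets up */
	int posted;        /* packets that reached the equivalent of qrtr_endpoint_post() */
};

struct qrtr_mhi_dev {
	struct endpoint ep;
};

struct mhi_device {
	void *drvdata;     /* what dev_set_drvdata()/dev_get_drvdata() manage */
	bool channel_enabled;
};

/* Outcomes of one downlink event. */
enum dl_result {
	DL_POSTED = 0,     /* packet delivered to the qrtr core */
	DL_DROPPED,        /* race 1: drvdata not set yet, event silently dropped */
	DL_BAD_ENDPOINT    /* race 2: drvdata set, endpoint not registered (kernel would panic) */
};

/* Model of the downlink callback: the drvdata check exists, but nothing
 * guards against the endpoint not being registered yet. */
static enum dl_result dl_callback(struct mhi_device *dev, int transaction_status)
{
	struct qrtr_mhi_dev *qdev = dev->drvdata;

	if (!qdev || transaction_status)
		return DL_DROPPED;

	if (!qdev->ep.registered)
		return DL_BAD_ENDPOINT;   /* modelled instead of touching garbage */

	qdev->ep.posted++;
	return DL_POSTED;
}

/* Probe steps; the two arrays give the order before and after the fix. */
enum step { STEP_PREPARE, STEP_SET_DRVDATA, STEP_REGISTER, STEP_COUNT };

static const enum step buggy_order[STEP_COUNT] = { STEP_PREPARE, STEP_SET_DRVDATA, STEP_REGISTER };
static const enum step fixed_order[STEP_COUNT] = { STEP_SET_DRVDATA, STEP_REGISTER, STEP_PREPARE };

static void run_step(enum step s, struct mhi_device *dev, struct qrtr_mhi_dev *qdev)
{
	switch (s) {
	case STEP_PREPARE:     dev->channel_enabled = true; break; /* mhi_prepare_for_transfer_autoqueue() */
	case STEP_SET_DRVDATA: dev->drvdata = qdev;         break; /* dev_set_drvdata() */
	case STEP_REGISTER:    qdev->ep.registered = true;  break; /* qrtr_endpoint_register() */
	default: break;
	}
}

/* Run probe in `order` and fire one downlink event right after step
 * `fire_after` (0-based). An event can only occur once the channel is
 * enabled; if it is not enabled at that point, the event is fired after
 * the last step instead (the earliest the hardware could raise it). */
static enum dl_result simulate(const enum step *order, int fire_after)
{
	struct mhi_device dev = { NULL, false };
	struct qrtr_mhi_dev qdev = { { false, 0 } };
	int i;

	for (i = 0; i < STEP_COUNT; i++) {
		run_step(order[i], &dev, &qdev);
		if (i == fire_after && dev.channel_enabled)
			return dl_callback(&dev, 0);
	}
	return dl_callback(&dev, 0);
}

/* The cases from the commit message. */
static enum dl_result buggy_event_after_prepare(void)      { return simulate(buggy_order, 0); }
static enum dl_result buggy_event_after_set_drvdata(void)  { return simulate(buggy_order, 1); }
static enum dl_result fixed_event_after_step(int n)        { return simulate(fixed_order, n); }

int main(void)
{
	printf("buggy, event after prepare:     %d (1 = dropped)\n", buggy_event_after_prepare());
	printf("buggy, event after set_drvdata: %d (2 = bad endpoint)\n", buggy_event_after_set_drvdata());
	printf("fixed, event after any step:    %d %d %d (0 = posted)\n",
	       fixed_event_after_step(0), fixed_event_after_step(1), fixed_event_after_step(2));
	return 0;
}
```

In the fixed order the channel is enabled last, so every point at which an event could fire already has drvdata set and the endpoint registered; the drvdata check in the callback stays as a defence, but no longer carries the ordering.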