{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC2AC519-3D9D-405E-B3B7-FFFCE9691EEC", "versionEndExcluding": "6.1.132", "versionStartIncluding": "5.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCB56F36-C998-496A-A2E4-D9E0BB3A5BFC", "versionEndExcluding": "6.6.85", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B63C450-D73B-4A53-9861-98E25C16E842", "versionEndExcluding": "6.12.21", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FAECBE4D-58CF-4836-BBAB-5E28B800A778", "versionEndExcluding": "6.13.9", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*", "matchCriteriaId": "1759FFB7-531C-41B1-9AE1-FD3D80E0D920", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*", "matchCriteriaId": "AD948719-8628-4421-A340-1066314BBD4A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", 
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pdr: Fix the potential deadlock\n\nWhen some client process A call pdr_add_lookup() to add the look up for\nthe service and does schedule locator work, later a process B got a new\nserver packet indicating locator is up and call pdr_locator_new_server()\nwhich eventually sets pdr->locator_init_complete to true which process A\nsees and takes list lock and queries domain list but it will timeout due\nto deadlock as the response will queued to the same qmi->wq and it is\nordered workqueue and process B is not able to complete new server\nrequest work due to deadlock on list lock.\n\nFix it by removing the unnecessary list iteration as the list iteration\nis already being done inside locator work, so avoid it here and just\ncall schedule_work() here.\n\n Process A Process B\n\n process_scheduled_works()\npdr_add_lookup() qmi_data_ready_work()\n process_scheduled_works() pdr_locator_new_server()\n pdr->locator_init_complete=true;\n pdr_locator_work()\n mutex_lock(&pdr->list_lock);\n\n pdr_locate_service() mutex_lock(&pdr->list_lock);\n\n pdr_get_domain_list()\n pr_err(\"PDR: %s get domain list\n txn wait failed: %d\\n\",\n req->service_name,\n ret);\n\nTimeout error log due to deadlock:\n\n\"\n PDR: tms/servreg get domain list txn wait failed: -110\n PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110\n\"\n\nThanks to Bjorn and Johan for letting me know that this commit also fixes\nan audio regression when using the in-kernel pd-mapper as that makes it\neasier to hit this race. 
[1]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: soc: qcom: pdr: Corrige el posible bloqueo cuando alg\u00fan proceso de cliente A llama a pdr_add_lookup() para agregar la b\u00fasqueda para el servicio y realiza el trabajo del localizador de programaci\u00f3n, m\u00e1s tarde un proceso B obtiene un nuevo paquete de servidor que indica que el localizador est\u00e1 activo y llama a pdr_locator_new_server() que finalmente establece pdr->locator_init_complete en verdadero, lo que hace que el proceso A vea y tome el bloqueo de lista y consulte la lista de dominios, pero se agotar\u00e1 el tiempo de espera debido al bloqueo, ya que la respuesta se pondr\u00e1 en cola en el mismo qmi->wq y se ordenar\u00e1 workqueue y el proceso B no puede completar el nuevo trabajo de solicitud del servidor debido al bloqueo en el bloqueo de lista. Arr\u00e9glelo eliminando la iteraci\u00f3n de lista innecesaria, ya que la iteraci\u00f3n de lista ya se est\u00e1 realizando dentro del trabajo del localizador, as\u00ed que ev\u00edtelo aqu\u00ed y simplemente llame a schedule_work() aqu\u00ed. Proceso A Proceso B process_scheduled_works() pdr_add_lookup() qmi_data_ready_work() process_scheduled_works() pdr_locator_new_server() pdr->locator_init_complete=true; pdr_locator_work() mutex_lock(&pdr->list_lock); pdr_locate_service() mutex_lock(&pdr->list_lock); pdr_get_domain_list() pr_err(\"PDR: %s error en la espera de la transacci\u00f3n para obtener la lista de dominios: %d\\n\", req->service_name, ret); Registro de errores de tiempo de espera debido a un bloqueo: \"PDR: tms/servreg get domain list txn wait fallo: -110 PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110\" Gracias a Bjorn y Johan por informarme que esta confirmaci\u00f3n tambi\u00e9n corrige una regresi\u00f3n de audio al usar el pd-mapper dentro del kernel, ya que eso hace que sea m\u00e1s f\u00e1cil alcanzar esta ejecuci\u00f3n. 
[1]"}], "id": "CVE-2025-22014", "lastModified": "2025-04-10T13:15:50.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-08T09:15:25.783", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/02612f1e4c34d94d6c8ee75bf7d254ed697e22d4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0a566a79aca9851fae140536e0fc5b0853c90a90"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2eeb03ad9f42dfece63051be2400af487ddb96d2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/72a222b6af10c2a05a5fad0029246229ed8912c2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/daba84612236de3ab39083e62c9e326a654ebd20"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f2bbfd50e95bc117360f0f59e629aa03d821ebd6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f4489260f5713c94e1966e5f20445bff262876f4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}