CVE-2025-22014

soc: qcom: pdr: Fix the potential deadlock

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pdr: Fix the potential deadlock When some client process A call pdr_add_lookup() to add the look up for
the service and does schedule locator work, later a process B got a new
server packet indicating locator is up and call pdr_locator_new_server()
which eventually sets pdr->locator_init_complete to true which process A
sees and takes list lock and queries domain list but it will timeout due
to deadlock as the response will queued to the same qmi->wq and it is
ordered workqueue and process B is not able to complete new server
request work due to deadlock on list lock. Fix it by removing the unnecessary list iteration as the list iteration
is already being done inside locator work, so avoid it here and just
call schedule_work() here. Process A Process B process_scheduled_works()
pdr_add_lookup() qmi_data_ready_work() process_scheduled_works() pdr_locator_new_server() pdr->locator_init_complete=true; pdr_locator_work() mutex_lock(&pdr->list_lock); pdr_locate_service() mutex_lock(&pdr->list_lock); pdr_get_domain_list() pr_err("PDR: %s get domain list txn wait failed: %d
", req->service_name, ret); Timeout error log due to deadlock: " PDR: tms/servreg get domain list txn wait failed: -110 PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110
" Thanks to Bjorn and Johan for letting me know that this commit also fixes
an audio regression when using the in-kernel pd-mapper as that makes it
easier to hit this race. [1]

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: soc: qcom: pdr: Corrige el posible bloqueo cuando algún proceso de cliente A llama a pdr_add_lookup() para agregar la búsqueda para el servicio y realiza el trabajo del localizador de programación, más tarde un proceso B obtiene un nuevo paquete de servidor que indica que el localizador está activo y llama a pdr_locator_new_server() que finalmente establece pdr->locator_init_complete en verdadero, lo que hace que el proceso A vea y tome el bloqueo de lista y consulte la lista de dominios, pero se agotará el tiempo de espera debido al bloqueo, ya que la respuesta se pondrá en cola en el mismo qmi->wq y se ordenará workqueue y el proceso B no puede completar el nuevo trabajo de solicitud del servidor debido al bloqueo en el bloqueo de lista. Arréglelo eliminando la iteración de lista innecesaria, ya que la iteración de lista ya se está realizando dentro del trabajo del localizador, así que evítelo aquí y simplemente llame a schedule_work() aquí. Proceso A Proceso B process_scheduled_works() pdr_add_lookup() qmi_data_ready_work() process_scheduled_works() pdr_locator_new_server() pdr->locator_init_complete=true; pdr_locator_work() mutex_lock(&pdr->list_lock); pdr_locate_service() mutex_lock(&pdr->list_lock); pdr_get_domain_list() pr_err("PDR: %s error en la espera de la transacción para obtener la lista de dominios: %d
", req->service_name, ret); Registro de errores de tiempo de espera debido a un bloqueo: "PDR: tms/servreg get domain list txn wait fallo: -110 PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110" Gracias a Bjorn y Johan por informarme que esta confirmación también corrige una regresión de audio al usar el pd-mapper dentro del kernel, ya que eso hace que sea más fácil alcanzar esta ejecución. [1]

In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pdr: Fix the potential deadlock When some client process A call pdr_add_lookup() to add the look up for the service and does schedule locator work, later a process B got a new server packet indicating locator is up and call pdr_locator_new_server() which eventually sets pdr->locator_init_complete to true which process A sees and takes list lock and queries domain list but it will timeout due to deadlock as the response will queued to the same qmi->wq and it is ordered workqueue and process B is not able to complete new server request work due to deadlock on list lock. Fix it by removing the unnecessary list iteration as the list iteration is already being done inside locator work, so avoid it here and just call schedule_work() here. Process A Process B process_scheduled_works() pdr_add_lookup() qmi_data_ready_work() process_scheduled_works() pdr_locator_new_server() pdr->locator_init_complete=true; pdr_locator_work() mutex_lock(&pdr->list_lock); pdr_locate_service() mutex_lock(&pdr->list_lock); pdr_get_domain_list() pr_err("PDR: %s get domain list txn wait failed: %d
", req->service_name, ret); Timeout error log due to deadlock: " PDR: tms/servreg get domain list txn wait failed: -110 PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110 " Thanks to Bjorn and Johan for letting me know that this commit also fixes an audio regression when using the in-kernel pd-mapper as that makes it easier to hit this race. [1]

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-12-29 CVE Reserved
2025-04-08 CVE Published
2025-04-10 CVE Updated
2025-04-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/fbe639b44a82755d639df1c5d147c93f02ac5a0f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/72a222b6af10c2a05a5fad0029246229ed8912c2	2025-04-10
https://git.kernel.org/stable/c/daba84612236de3ab39083e62c9e326a654ebd20	2025-04-10
https://git.kernel.org/stable/c/0a566a79aca9851fae140536e0fc5b0853c90a90	2025-03-28
https://git.kernel.org/stable/c/f2bbfd50e95bc117360f0f59e629aa03d821ebd6	2025-03-28
https://git.kernel.org/stable/c/f4489260f5713c94e1966e5f20445bff262876f4	2025-03-28
https://git.kernel.org/stable/c/02612f1e4c34d94d6c8ee75bf7d254ed697e22d4	2025-03-28
https://git.kernel.org/stable/c/2eeb03ad9f42dfece63051be2400af487ddb96d2	2025-02-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.10.236 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.10.236"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.15.180 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.15.180"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 6.1.132 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.1.132"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 6.6.85 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.6.85"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 6.12.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.12.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 6.13.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.13.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.14"		en		Affected