The Linux kernel has recently resolved a critical vulnerability (CVE-2025-22014) related to soc: qcom: pdr that could lead to a deadlock. The issue allowed a deadlock when two different client processes, A and B, interacted around a lookup added with pdr_add_lookup().
Specifically, the deadlock happened when client process A called pdr_add_lookup() to add a service lookup and scheduled the locator work, while another client process B received a new server packet indicating that the locator was up and called pdr_locator_new_server(). Process A held the list lock while it queried the domain list; process B, waiting on the same lock, could not complete the new server request work, so the query ended in a timeout error.
The fix removes the unnecessary list iteration, since that iteration is already done inside the locator work. The code now only calls schedule_work(), which avoids the deadlock.
Here's a representation illustrating the process flows:

           Process A                        Process B

                                         process_scheduled_works()
    pdr_add_lookup()                      qmi_data_ready_work()
     process_scheduled_works()             pdr_locator_new_server()
                                             pdr->locator_init_complete=true;
       pdr_locator_work()
        mutex_lock(&pdr->list_lock);

         pdr_locate_service()                  mutex_lock(&pdr->list_lock);

          pdr_get_domain_list()
           pr_err("PDR: %s get domain list
                   txn wait failed: %d\n",
                   req->service_name,
                   ret);

The deadlock led to the following timeout error log (-110 is -ETIMEDOUT):
"
PDR: tms/servreg get domain list txn wait failed: -110
PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110
"
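The interleaving in the process flow above can be replayed as a small deterministic model. This is an added example, not kernel code and not part of the original patch; it assumes the reply to A's domain-list request is delivered by the same ordered work queue that runs B's new-server handler, and simulate_lookup(), the tick loop and TXN_TIMEOUT_TICKS are constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define TXN_TIMEOUT_TICKS 5 /* constructed stand-in for the txn wait timeout */

/*
 * Replay the A/B interleaving one step per tick (model, not kernel code).
 * Returns 0 if A's domain-list reply arrives, -ETIMEDOUT if A gives up.
 * fixed=false: B's handler walks the lookup list under list_lock.
 * fixed=true:  B's handler only schedules the locator work.
 */
int simulate_lookup(bool fixed)
{
    bool init_complete = false;   /* pdr->locator_init_complete */
    bool list_locked = false;     /* A holds pdr->list_lock */
    bool new_server_done = false; /* B's handler has returned */
    bool reply_queued = false;    /* reply waits behind B's handler */
    int waited = 0;

    for (;;) {
        /* Ordered queue (process B): the head item must finish first. */
        if (!init_complete)
            init_complete = true;             /* pdr_locator_new_server() */
        else if (!new_server_done)
            new_server_done = fixed || !list_locked; /* blocked if A holds lock */
        else if (reply_queued)
            return 0;                         /* reply delivered in time */

        /* Locator work (process A). */
        if (init_complete && !list_locked) {
            list_locked = true;               /* mutex_lock(&pdr->list_lock) */
            reply_queued = true;              /* request sent, reply queued */
        } else if (list_locked && ++waited > TXN_TIMEOUT_TICKS) {
            return -ETIMEDOUT;                /* "txn wait failed: -110" */
        }
    }
}

int main(void)
{
    printf("list walk under lock: %d\n", simulate_lookup(false));
    printf("schedule_work() only: %d\n", simulate_lookup(true));
    return 0;
}
```

In the unfixed run the reply never reaches A because the handler ahead of it on the queue is waiting for the lock A holds, so A's wait expires; with the handler reduced to scheduling work, the queue drains and the reply is delivered.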
For more information on the vulnerability, its fix and the original references, see the original patch and commit [1].
We are grateful to Bjorn and Johan for revealing that this commit also fixes an audio regression issue when using the in-kernel pd-mapper, as it helps to identify and address this race condition more effectively. This critical fix to the Linux kernel ensures a more robust system and helps maintain the security and stability of the kernel.
Original References
[1] https://lore.kernel.org/linux-arm-msm/20211013145209.744-1-bjorn.andersson@linaro.org/
Timeline
Published on: 04/08/2025 09:15:25 UTC
Last modified on: 04/10/2025 13:15:50 UTC