Bug 2363342 (CVE-2025-23151) - CVE-2025-23151 kernel: bus: mhi: host: Fix race between unprepare and queue_buf
Status: NEW
Alias: CVE-2025-23151
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assignee: Product Security DevOps Team
Reported: 2025-05-01 14:04 UTC by OSIDB Bzimport
Modified: 2025-05-29 11:46 UTC

Description OSIDB Bzimport 2025-05-01 14:04:34 UTC
In the Linux kernel, the following vulnerability has been resolved:

bus: mhi: host: Fix race between unprepare and queue_buf

A client driver may use mhi_unprepare_from_transfer() to quiesce
incoming data during the client driver's tear down. The client driver
might also be processing data at the same time, resulting in a call to
mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs
after mhi_unprepare_from_transfer() has torn down the channel, a panic
will occur due to an invalid dereference leading to a page fault.

This occurs because mhi_gen_tre() does not verify the channel state
after locking it. Fix this by having mhi_gen_tre() confirm the channel
state is valid, or return error to avoid accessing deinitialized data.

[mani: added stable tag]
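
The check-after-lock pattern the description refers to, as an added example that is not the kernel patch or code from this report: a simplified user-space C model in which the queue path re-checks the channel state once it holds the lock, so a call that loses the race with teardown returns an error instead of dereferencing freed data. The struct, the function names, the pthread mutex and the `-ENODEV`/`-EAGAIN` return values are assumptions made for illustration.

```c
/* Simplified user-space model; every name here is hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

enum ch_state { CH_DISABLED, CH_ENABLED };

struct chan {
    pthread_mutex_t lock;
    enum ch_state state;
    int *ring;              /* released by chan_unprepare() */
    size_t len, wp;         /* ring capacity and write index */
};

static int chan_prepare(struct chan *c, size_t len)
{
    int ret = 0;
    pthread_mutex_lock(&c->lock);
    c->ring = calloc(len, sizeof(*c->ring));
    if (!c->ring) { ret = -ENOMEM; }
    else { c->len = len; c->wp = 0; c->state = CH_ENABLED; }
    pthread_mutex_unlock(&c->lock);
    return ret;
}

static void chan_unprepare(struct chan *c)
{
    pthread_mutex_lock(&c->lock);
    c->state = CH_DISABLED;         /* publish the new state first */
    free(c->ring);
    c->ring = NULL;
    pthread_mutex_unlock(&c->lock);
}

static int chan_queue(struct chan *c, int val)
{
    int ret = 0;
    pthread_mutex_lock(&c->lock);
    if (c->state != CH_ENABLED)     /* re-check under the lock */
        ret = -ENODEV;              /* torn down: do not touch ring */
    else if (c->wp == c->len)
        ret = -EAGAIN;              /* ring full */
    else
        c->ring[c->wp++] = val;
    pthread_mutex_unlock(&c->lock);
    return ret;
}
```

Without the state check in `chan_queue()`, the same call sequence would write through a NULL `ring` pointer after `chan_unprepare()`, the user-space analogue of the page fault described above.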

Comment 1 Avinash Hanwate 2025-05-02 03:28:05 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050128-CVE-2025-23151-aba7@gregkh/T