CVE-2025-23151

In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Fix race between unprepare and queue_buf A client driver may use mhi_unprepare_from_transfer() to quiesce incoming data during the client driver's tear down. The client driver might also be processing data at the same time, resulting in a call to mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs after mhi_unprepare_from_transfer() has torn down the channel, a panic will occur due to an invalid dereference leading to a page fault. This occurs because mhi_gen_tre() does not verify the channel state after locking it. Fix this by having mhi_gen_tre() confirm the channel state is valid, or return error to avoid accessing deinitialized data. [mani: added stable tag]

CVSS

No CVSS.

References

Link	Resource
https://git.kernel.org/stable/c/0686a818d77a431fc3ba2fab4b46bbb04e8c9380
https://git.kernel.org/stable/c/178e5657c8fd285125cc6743a81b513bce099760
https://git.kernel.org/stable/c/3e7ecf181cbdde9753204ada3883ca1704d8702b
https://git.kernel.org/stable/c/5f084993c90d9d0b4a52a349ede5120f992a7ca1
https://git.kernel.org/stable/c/899d0353ea69681f474b6bc9de32c663b89672da
https://git.kernel.org/stable/c/a77955f7704b2a00385e232cbcc1cb06b5c7a425
https://git.kernel.org/stable/c/ee1fce83ed56450087309b9b74ad9bcb2b010fa6
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Configurations

No configuration.

History

03 Nov 2025, 20:17

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html -

02 May 2025, 13:53

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-01 13:15

Updated : 2025-11-03 20:17

NVD link : CVE-2025-23151

Mitre link : CVE-2025-23151

CVE.ORG link : CVE-2025-23151

JSON object : View

Products Affected

No product.

CWE

No CWE.

{"id": "CVE-2025-23151", "cveTags": [], "metrics": {}, "published": "2025-05-01T13:15:51.003", "references": [{"url": "https://git.kernel.org/stable/c/0686a818d77a431fc3ba2fab4b46bbb04e8c9380", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/178e5657c8fd285125cc6743a81b513bce099760", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3e7ecf181cbdde9753204ada3883ca1704d8702b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5f084993c90d9d0b4a52a349ede5120f992a7ca1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/899d0353ea69681f474b6bc9de32c663b89672da", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a77955f7704b2a00385e232cbcc1cb06b5c7a425", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ee1fce83ed56450087309b9b74ad9bcb2b010fa6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Fix race between unprepare and queue_buf\n\nA client driver may use mhi_unprepare_from_transfer() to quiesce\nincoming data during the client driver's tear down. The client driver\nmight also be processing data at the same time, resulting in a call to\nmhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs\nafter mhi_unprepare_from_transfer() has torn down the channel, a panic\nwill occur due to an invalid dereference leading to a page fault.\n\nThis occurs because mhi_gen_tre() does not verify the channel state\nafter locking it. Fix this by having mhi_gen_tre() confirm the channel\nstate is valid, or return error to avoid accessing deinitialized data.\n\n[mani: added stable tag]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bus: mhi: host: Correcci\u00f3n de la competencia entre unprepare y queue_buf. Un controlador de cliente podr\u00eda usar mhi_unprepare_from_transfer() para silenciar los datos entrantes durante su desconexi\u00f3n. El controlador de cliente tambi\u00e9n podr\u00eda estar procesando datos simult\u00e1neamente, lo que resulta en una llamada a mhi_queue_buf(), que invocar\u00e1 mhi_gen_tre(). Si mhi_gen_tre() se ejecuta despu\u00e9s de que mhi_unprepare_from_transfer() haya desconectado el canal, se producir\u00e1 un p\u00e1nico debido a una desreferencia no v\u00e1lida que provoca un fallo de p\u00e1gina. Esto ocurre porque mhi_gen_tre() no verifica el estado del canal despu\u00e9s de bloquearlo. Para solucionar esto, haga que mhi_gen_tre() confirme que el estado del canal es v\u00e1lido o devuelva un error para evitar acceder a los datos desinicializados. [mani: etiqueta estable a\u00f1adida]"}], "lastModified": "2025-11-03T20:17:46.280", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}