1.9 KiB
CVE-2025-23151
Description
In the Linux kernel, the following vulnerability has been resolved🚌 mhi: host: Fix race between unprepare and queue_bufA client driver may use mhi_unprepare_from_transfer() to quiesceincoming data during the client driver's tear down. The client drivermight also be processing data at the same time, resulting in a call tomhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runsafter mhi_unprepare_from_transfer() has torn down the channel, a panicwill occur due to an invalid dereference leading to a page fault.This occurs because mhi_gen_tre() does not verify the channel stateafter locking it. Fix this by having mhi_gen_tre() confirm the channelstate is valid, or return error to avoid accessing deinitialized data.[mani: added stable tag]
POC
Reference
No PoCs from references.