vulnerability
Red Hat: CVE-2025-23151: kernel: bus: mhi: host: Fix race between unprepare and queue_buf
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:L/AC:M/Au:M/C:N/I:N/A:C) | May 1, 2025 | Jul 9, 2025 | Jul 10, 2025 |
Description
In the Linux kernel, the following vulnerability has been resolved:
bus: mhi: host: Fix race between unprepare and queue_buf
A client driver may use mhi_unprepare_from_transfer() to quiesce
incoming data during the client driver's tear down. The client driver
might also be processing data at the same time, resulting in a call to
mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs
after mhi_unprepare_from_transfer() has torn down the channel, a panic
will occur due to an invalid dereference leading to a page fault.
This occurs because mhi_gen_tre() does not verify the channel state
after locking it. Fix this by having mhi_gen_tre() confirm the channel
state is valid, or return error to avoid accessing deinitialized data.
[mani: added stable tag]
Solution
References
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.