In the Linux kernel, the following vulnerability has been resolved:
slimbus: messaging: Free transaction ID in delayed interrupt scenario
In case of interrupt delay for any reason, slimdotransfer() returns timeout error but the transaction ID (TID) is not freed. This results into invalid memory access inside qcomslimngdrxmsgq_cb() due to invalid TID.
Fix the issue by freeing the TID in slimdotransfer() before returning timeout error to avoid invalid memory access.
Call trace: _memcpyfromio+0x20/0x190 qcomslimngdrxmsgqcb+0x130/0x290 [slimqcomngdctrl] vchancomplete+0x2a0/0x4a0 taskletactioncommon+0x274/0x700 taskletaction+0x28/0x3c stext+0x188/0x620 runksoftirqd+0x34/0x74 smpbootthreadfn+0x1d8/0x464 kthread+0x178/0x238 retfromfork+0x10/0x20 Code: aa0003e8 91000429 f100044a 3940002b (3800150b) ---[ end trace 0fe00bec2b975c99 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt.
[ { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c" }, "signature_type": "Line", "id": "CVE-2025-21914-063b11e5", "digest": { "line_hashes": [ "315716484921017299596230543790606855114", "84132857717577666590289724445266135716", "167217773989646229998553446573125811631", "322911559456771276041434064591808490509" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@18ae4cee05c310c299ba75d7477dcf34be67aa16", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c", "function": "slim_do_transfer" }, "signature_type": "Function", "id": "CVE-2025-21914-10e45edf", "digest": { "length": 1343.0, "function_hash": "53347768618771739725092650599672106573" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6abf3d8bb51cbaf886c3f08109a0462890b10db6", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c", "function": "slim_do_transfer" }, "signature_type": "Function", "id": "CVE-2025-21914-15a0b41f", "digest": { "length": 1328.0, "function_hash": "44512236106931036089544719171962088899" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a32e5198a9134772eb03f7b72a7849094c55bda9", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c", "function": "slim_do_transfer" }, "signature_type": "Function", "id": "CVE-2025-21914-2404cee0", "digest": { "length": 1343.0, "function_hash": "53347768618771739725092650599672106573" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dcb0d43ba8eb9517e70b1a0e4b0ae0ab657a0e5a", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c" }, "signature_type": "Line", "id": "CVE-2025-21914-26ae6321", "digest": { "line_hashes": [ "315716484921017299596230543790606855114", "84132857717577666590289724445266135716", "167217773989646229998553446573125811631", "322911559456771276041434064591808490509" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a32e5198a9134772eb03f7b72a7849094c55bda9", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c", "function": "slim_do_transfer" }, "signature_type": "Function", "id": "CVE-2025-21914-273ca365", "digest": { "length": 1328.0, "function_hash": "44512236106931036089544719171962088899" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@faac8e894014e8167471a8e4a5eb35a8fefbb82a", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c", "function": "slim_do_transfer" }, "signature_type": "Function", "id": "CVE-2025-21914-5c5e296b", "digest": { "length": 1328.0, "function_hash": "44512236106931036089544719171962088899" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@18ae4cee05c310c299ba75d7477dcf34be67aa16", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c" }, "signature_type": "Line", "id": "CVE-2025-21914-60226b23", "digest": { "line_hashes": [ "315716484921017299596230543790606855114", "84132857717577666590289724445266135716", "167217773989646229998553446573125811631", "322911559456771276041434064591808490509" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@09d34c4cbc38485c7514069f25348e439555b282", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c", "function": "slim_do_transfer" }, "signature_type": "Function", "id": "CVE-2025-21914-6fedc554", "digest": { "length": 1343.0, "function_hash": "53347768618771739725092650599672106573" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0c541c8f6da23e0b92f0a6216d899659a7572074", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c" }, "signature_type": "Line", "id": "CVE-2025-21914-7fae0d0c", "digest": { "line_hashes": [ "315716484921017299596230543790606855114", "84132857717577666590289724445266135716", "167217773989646229998553446573125811631", "322911559456771276041434064591808490509" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@faac8e894014e8167471a8e4a5eb35a8fefbb82a", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c", "function": "slim_do_transfer" }, "signature_type": "Function", "id": "CVE-2025-21914-85fc6c3a", "digest": { "length": 1328.0, "function_hash": "44512236106931036089544719171962088899" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@09d34c4cbc38485c7514069f25348e439555b282", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c" }, "signature_type": "Line", "id": "CVE-2025-21914-8725e4e5", "digest": { "line_hashes": [ "315716484921017299596230543790606855114", "84132857717577666590289724445266135716", "177759054323699319491868948728109681029", "46772281166951507841528809904720940933" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dcb0d43ba8eb9517e70b1a0e4b0ae0ab657a0e5a", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c", "function": "slim_do_transfer" }, "signature_type": "Function", "id": "CVE-2025-21914-aa88aff5", "digest": { "length": 1328.0, "function_hash": "44512236106931036089544719171962088899" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cec8c0ac173fe5321f03fdb1a09a9cb69bc9a9fe", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c" }, "signature_type": "Line", "id": "CVE-2025-21914-b8c873de", "digest": { "line_hashes": [ "315716484921017299596230543790606855114", "84132857717577666590289724445266135716", "167217773989646229998553446573125811631", "322911559456771276041434064591808490509" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cec8c0ac173fe5321f03fdb1a09a9cb69bc9a9fe", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c" }, "signature_type": "Line", "id": "CVE-2025-21914-b932d2b0", "digest": { "line_hashes": [ "315716484921017299596230543790606855114", "84132857717577666590289724445266135716", "177759054323699319491868948728109681029", "46772281166951507841528809904720940933" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0c541c8f6da23e0b92f0a6216d899659a7572074", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "drivers/slimbus/messaging.c" }, "signature_type": "Line", "id": "CVE-2025-21914-bdd4a417", "digest": { "line_hashes": [ "315716484921017299596230543790606855114", "84132857717577666590289724445266135716", "177759054323699319491868948728109681029", "46772281166951507841528809904720940933" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6abf3d8bb51cbaf886c3f08109a0462890b10db6", "signature_version": "v1" } ]