CVE-2025-21951
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-21951
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21951.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-21951
- Related
- Published
- 2025-04-01T16:15:26Z
- Modified
- 2025-04-12T15:45:53.125049Z
- Downstream
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bus: mhi: host: pcigeneric: Use pcitryresetfunction() to avoid deadlock
There are multiple places from where the recovery work gets scheduled asynchronously. Also, there are multiple places where the caller waits synchronously for the recovery to be completed. One such place is during the PM shutdown() callback.
If the device is not alive during recoverywork, it will try to reset the device using pciresetfunction(). This function internally will take the devicelock() first before resetting the device. By this time, if the lock has already been acquired, then recoverywork will get stalled while waiting for the lock. And if the lock was already acquired by the caller which waits for the recoverywork to be completed, it will lead to deadlock.
This is what happened on the X1E80100 CRD device when the device died before shutdown() callback. Driver core calls the driver's shutdown() callback while holding the device_lock() leading to deadlock.
And this deadlock scenario can occur on other paths as well, like during the PM suspend() callback, where the driver core would hold the devicelock() before calling driver's suspend() callback. And if the recoverywork was already started, it could lead to deadlock. This is also observed on the X1E80100 CRD.
So to fix both issues, use pcitryresetfunction() in recoverywork. This function first checks for the availability of the devicelock() before trying to reset the device. If the lock is available, it will acquire it and reset the device. Otherwise, it will return -EAGAIN. If that happens, recoverywork will fail with the error message "Recovery failed" as not much could be done.
- References
-
- https://git.kernel.org/stable/c/1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95
- https://git.kernel.org/stable/c/62505657475c245c9cd46e42ac01026d1e61f027
- https://git.kernel.org/stable/c/7746f3bb8917fccb4571a576f3837d80fc513054
- https://git.kernel.org/stable/c/7a5ffadd54fe2662f5c99cdccf30144d060376f7
- https://git.kernel.org/stable/c/985d3cf56d8745ca637deee273929e01df449f85
- https://git.kernel.org/stable/c/a321d163de3d8aa38a6449ab2becf4b1581aed96
- https://security-tracker.debian.org/tracker/CVE-2025-21951
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.133-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.12.19-1