CVE-2025-23151

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A race condition exists between mhi unprepare from transfer() and mhi queue buf() functions. When a client driver uses mhi unprepare from transfer() to quiesce incoming data during its teardown, it may also be processing data simultaneously, leading to a call to mhi queue buf(), which invokes mhi gen tre(). If mhi gen tre() runs after the channel has been torn down by mhi unprepare from transfer(), a panic occurs due to an invalid dereference, resulting in a page fault. This happens because mhi gen tre() does not verify the channel state after locking it.

Recommendations To resolve this issue, modify the mhi gen tre() function to confirm that the channel state is valid before proceeding, or return an error to avoid accessing deinitialized data. As a temporary workaround, consider restricting access to the mhi gen tre() function until a patch is available.