
CVE-2025-22014: Linux Kernel Race Condition Vulnerability

CVE-2025-22014 is a race condition vulnerability in the Linux kernel's Qualcomm PDR module that can cause deadlocks during service lookups. This article covers the technical details, affected versions, and mitigation strategies.


CVE-2025-22014 Overview

CVE-2025-22014 is a deadlock vulnerability in the Linux kernel's Qualcomm Protection Domain Restart (PDR) subsystem. The flaw occurs in the soc/qcom/pdr component when two concurrent processes interact with the PDR locator service, creating a race condition that leads to a deadlock on the list lock. This vulnerability can cause system hangs and denial of service conditions, particularly affecting systems using Qualcomm SoC platforms with in-kernel pd-mapper functionality.

Critical Impact

This deadlock vulnerability can cause service lookup failures, audio subsystem regressions, and system unresponsiveness on affected Qualcomm-based Linux systems.

Affected Products

  • Linux Kernel versions prior to patched releases
  • Linux Kernel 6.14 release candidates (rc1 through rc7)
  • Debian Linux distributions (see LTS announcements)

Discovery Timeline

  • April 8, 2025 - CVE-2025-22014 published to NVD
  • November 3, 2025 - Last updated in NVD database

Technical Details for CVE-2025-22014

Vulnerability Analysis

The vulnerability exists in the Qualcomm PDR (Protection Domain Restart) subsystem, specifically in how the pdr_add_lookup() and pdr_locator_new_server() functions interact when running concurrently. The deadlock condition arises from an improper locking sequence involving the pdr->list_lock mutex and the ordered workqueue qmi->wq.

When Process A calls pdr_add_lookup() to add a service lookup and schedules locator work, it may acquire the list lock while waiting for a domain list query response. Simultaneously, Process B may receive a new server packet indicating the locator is up and call pdr_locator_new_server(), which sets pdr->locator_init_complete to true. When Process A observes this flag and attempts to query the domain list while holding the list lock, the response gets queued to the same ordered workqueue that Process B is blocking on, waiting for the list lock. This circular dependency creates a deadlock.

The timeout manifests with error messages such as:

PDR: tms/servreg get domain list txn wait failed: -110
PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110

Root Cause

The root cause is unnecessary list iteration in the pdr_add_lookup() code path. Since list iteration is already performed inside the locator work handler, performing it again in pdr_add_lookup() while holding the list lock creates the deadlock scenario. The fix removes this redundant list iteration and simply calls schedule_work() instead, eliminating the lock contention issue.

Attack Vector

This is a local denial of service vulnerability that requires local access to the system. The vulnerability is triggered through normal kernel subsystem interactions rather than direct exploitation. An attacker with local access could potentially trigger the race condition to cause system hangs, though exploitation requires timing-dependent conditions involving the PDR subsystem's workqueue processing.

The deadlock occurs when:

  1. Process A holds pdr->list_lock while waiting for QMI response
  2. Process B attempts to acquire pdr->list_lock while processing in the same ordered workqueue
  3. The QMI response cannot be processed because Process B's work must complete first on the ordered queue
  4. Neither process can proceed, resulting in a deadlock with timeout

Detection Methods for CVE-2025-22014

Indicators of Compromise

  • Kernel log messages containing "PDR: tms/servreg get domain list txn wait failed: -110"
  • Service lookup failures for msm/adsp/sensor_pd:tms/servreg paths
  • Audio subsystem failures or hangs on Qualcomm-based systems
  • System unresponsiveness or hung processes related to PDR services

Detection Strategies

  • Monitor kernel logs (dmesg) for PDR-related timeout errors with error code -110 (ETIMEDOUT)
  • Implement monitoring for hung Qualcomm subsystem services, particularly audio-related processes
  • Track system calls and workqueue activity for signs of deadlock conditions in qmi-related workers
  • Use kernel debugging tools (lockdep) to detect potential deadlock scenarios in test environments

Monitoring Recommendations

  • Enable kernel lockdep debugging during testing to catch potential deadlock conditions
  • Set up alerts for repeated PDR service lookup failures in production systems
  • Monitor system stability metrics on Qualcomm SoC platforms, especially after kernel updates
  • Track audio subsystem health on affected devices as this vulnerability causes audio regressions
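
The log-based checks listed under Detection Strategies and Monitoring Recommendations can be scripted as shown here. This is an added example, not code from the kernel project or from the advisory; the function names pdr_timeouts and pdr_alert, the default threshold of 2, and the sample log (timestamps and non-PDR lines) are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the kernel tree): find the PDR timeout signature
# (-110, ETIMEDOUT) in kernel log text and alert on repeats.

# Constructed sample input: the PDR lines use the messages quoted in this
# article; timestamps and the unrelated lines are made up.
SAMPLE_LOG='[   12.401] example_driver: unrelated message (constructed)
[   17.532] PDR: tms/servreg get domain list txn wait failed: -110
[   17.533] PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110
[   48.120] PDR: tms/servreg get domain list txn wait failed: -110
[   48.121] PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110
[   50.003] example_driver: another unrelated message (constructed)'

# pdr_timeouts (hypothetical name): reads kernel log lines on stdin and prints
# "<count> <kind> <name>", where kind is "txn" (domain list query timed out)
# or "lookup" (service lookup failed), both with error -110.
pdr_timeouts() {
  awk '
    /PDR: .* get domain list txn wait failed: -110/ {
      s = $0
      sub(/.*PDR: /, "", s)
      sub(/ get domain list txn wait failed.*/, "", s)
      n["txn " s]++
    }
    /PDR: service lookup for .* failed: -110/ {
      s = $0
      sub(/.*PDR: service lookup for /, "", s)
      sub(/ failed: -110.*/, "", s)
      n["lookup " s]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k2
}

# pdr_alert (hypothetical name): returns 0 when any entry on stdin reached the
# threshold given as $1 (assumed default: 2), otherwise 1.
pdr_alert() {
  pdr_timeouts | awk -v t="${1:-2}" '$1 + 0 >= t + 0 { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Report on the sample; on a real host pipe in `dmesg` or `journalctl -k`.
printf '%s\n' "$SAMPLE_LOG" | pdr_timeouts
if printf '%s\n' "$SAMPLE_LOG" | pdr_alert 2; then
  echo "ALERT: repeated PDR lookup timeouts"
fi
```

A single -110 line can also come from an unrelated slow remote processor start, which is why the alert keys on repeats per service rather than on the first hit.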

How to Mitigate CVE-2025-22014

Immediate Actions Required

  • Update the Linux kernel to a patched version containing the fix commits
  • Apply distribution-provided security updates (Debian LTS patches available)
  • Monitor systems for signs of the deadlock condition until patches can be applied
  • Consider avoiding heavy PDR service usage patterns if immediate patching is not possible

Patch Information

The vulnerability has been resolved through multiple kernel patches that remove the unnecessary list iteration from pdr_add_lookup(). The fix ensures that only schedule_work() is called, avoiding the lock contention that caused the deadlock.

Patches are available from the following kernel git commits:

Debian users should refer to the Debian LTS Security Announcements for distribution-specific patches.

Workarounds

  • No official workarounds are available; applying the kernel patch is the recommended solution
  • Systems not using Qualcomm SoC platforms or the in-kernel pd-mapper are not affected
  • Temporarily disabling non-essential PDR-dependent services may reduce exposure until patching is complete
  • If audio regressions are observed, consider disabling in-kernel pd-mapper until the patch is applied
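
```bash
# Check current kernel version
uname -r

# Update kernel on Debian-based systems
sudo apt update && sudo apt upgrade linux-image-$(uname -r)

# Check whether the Qualcomm PDR helpers are built into the running kernel.
# This shows whether the affected code is present, not whether the fix is applied;
# confirm patch status against the distribution's security advisory.
zcat /proc/config.gz | grep -i QCOM_PDR_HELPERS
```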

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
