CVE-2025-22014 Overview
CVE-2025-22014 is a deadlock vulnerability in the Linux kernel's Qualcomm Protection Domain Restart (PDR) subsystem. The flaw occurs in the soc/qcom/pdr component when two concurrent processes interact with the PDR locator service, creating a race condition that leads to a deadlock on the list lock. This vulnerability can cause system hangs and denial of service conditions, particularly affecting systems using Qualcomm SoC platforms with in-kernel pd-mapper functionality.
Critical Impact
This deadlock vulnerability can cause service lookup failures, audio subsystem regressions, and system unresponsiveness on affected Qualcomm-based Linux systems.
Affected Products
- Linux Kernel versions prior to patched releases
- Linux Kernel 6.14 release candidates (rc1 through rc7)
- Debian Linux distributions (see LTS announcements)
Discovery Timeline
- April 8, 2025 - CVE-2025-22014 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-22014
Vulnerability Analysis
The vulnerability exists in the Qualcomm PDR (Protection Domain Restart) subsystem, specifically in how the pdr_add_lookup() and pdr_locator_new_server() functions interact when running concurrently. The deadlock condition arises from an improper locking sequence involving the pdr->list_lock mutex and the ordered workqueue qmi->wq.
When Process A calls pdr_add_lookup() to add a service lookup and schedules locator work, it may acquire the list lock while waiting for a domain list query response. Simultaneously, Process B may receive a new server packet indicating the locator is up and call pdr_locator_new_server(), which sets pdr->locator_init_complete to true. When Process A observes this flag and attempts to query the domain list while holding the list lock, the response gets queued to the same ordered workqueue that Process B is blocking on, waiting for the list lock. This circular dependency creates a deadlock.
The timeout manifests with error messages such as:
PDR: tms/servreg get domain list txn wait failed: -110
PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110
Root Cause
The root cause is unnecessary list iteration in the pdr_add_lookup() code path. Since list iteration is already performed inside the locator work handler, performing it again in pdr_add_lookup() while holding the list lock creates the deadlock scenario. The fix removes this redundant list iteration and simply calls schedule_work() instead, eliminating the lock contention issue.
Attack Vector
This is a local denial of service vulnerability that requires local access to the system. The vulnerability is triggered through normal kernel subsystem interactions rather than direct exploitation. An attacker with local access could potentially trigger the race condition to cause system hangs, though exploitation requires timing-dependent conditions involving the PDR subsystem's workqueue processing.
The deadlock occurs when:
- Process A holds pdr->list_lock while waiting for QMI response
- Process B attempts to acquire pdr->list_lock while processing in the same ordered workqueue
- The QMI response cannot be processed because Process B's work must complete first on the ordered queue
- Neither process can proceed, resulting in a deadlock with timeout
Detection Methods for CVE-2025-22014
Indicators of Compromise
- Kernel log messages containing "PDR: tms/servreg get domain list txn wait failed: -110"
- Service lookup failures for msm/adsp/sensor_pd:tms/servreg paths
- Audio subsystem failures or hangs on Qualcomm-based systems
- System unresponsiveness or hung processes related to PDR services
Detection Strategies
- Monitor kernel logs (dmesg) for PDR-related timeout errors with error code -110 (ETIMEDOUT)
- Implement monitoring for hung Qualcomm subsystem services, particularly audio-related processes
- Track system calls and workqueue activity for signs of deadlock conditions in qmi-related workers
- Use kernel debugging tools (lockdep) to detect potential deadlock scenarios in test environments
Monitoring Recommendations
- Enable kernel lockdep debugging during testing to catch potential deadlock conditions
- Set up alerts for repeated PDR service lookup failures in production systems
- Monitor system stability metrics on Qualcomm SoC platforms, especially after kernel updates
- Track audio subsystem health on affected devices as this vulnerability causes audio regressions
How to Mitigate CVE-2025-22014
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix commits
- Apply distribution-provided security updates (Debian LTS patches available)
- Monitor systems for signs of the deadlock condition until patches can be applied
- Consider avoiding heavy PDR service usage patterns if immediate patching is not possible
Patch Information
The vulnerability has been resolved through multiple kernel patches that remove the unnecessary list iteration from pdr_add_lookup(). The fix ensures that only schedule_work() is called, avoiding the lock contention that caused the deadlock.
Patches are available from the following kernel git commits:
- Commit 02612f1e4c34d94d6c8ee75bf7d254ed697e22d4 - Kernel Git Stable
- Commit 0a566a79aca9851fae140536e0fc5b0853c90a90 - Kernel Git Stable
- Commit 2eeb03ad9f42dfece63051be2400af487ddb96d2 - Kernel Git Stable
- Commit f2bbfd50e95bc117360f0f59e629aa03d821ebd6 - Kernel Git Stable
- Commit f4489260f5713c94e1966e5f20445bff262876f4 - Kernel Git Stable
Debian users should refer to the Debian LTS Security Announcements for distribution-specific patches.
Workarounds
- No official workarounds are available; applying the kernel patch is the recommended solution
- Systems not using Qualcomm SoC platforms or the in-kernel pd-mapper are not affected
- Temporarily disabling non-essential PDR-dependent services may reduce exposure until patching is complete
- If audio regressions are observed, consider disabling in-kernel pd-mapper until the patch is applied
# Check current kernel version
uname -r
# Update kernel on Debian-based systems
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
# Verify patch application by checking for the fix commit
zcat /proc/config.gz | grep -i QCOM_PDR_HELPERS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
