CVE-2025-21878: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21878 affects the Linux kernel's i2c driver for NPCM platforms. The vulnerability was discovered and disclosed on March 27, 2025. The issue involves a soft lockup problem that occurs when the BMC machine reboots during an i2c transaction, causing the i2c module to maintain its status without being reset (NVD, CVE).

The vulnerability occurs because the i2c module retains its status after a BMC machine reboot during an i2c transaction. This causes the i2c interrupt handler to be continuously triggered during kernel boot after a warm reboot, since the i2c interrupt handler is registered during the boot process. The continuous triggering eventually leads to a soft lockup detected by the watchdog timer. The issue stems from read-only i2c status bits and improper interrupt handling (NVD).

When exploited, this vulnerability results in a kernel soft lockup condition that affects system stability. The system enters a state where the CPU appears stuck, with the watchdog detecting that CPU#0 is frozen for extended periods (26 seconds in the documented case). This leads to system unresponsiveness and potential denial of service (NVD).

The vulnerability has been patched by disabling the interrupt enable bit in the i2c module before calling devmrequestirq. This fix prevents the continuous triggering of the interrupt handler after a reboot since the i2c relative status bit is read-only (NVD).