CVE-2025-22014: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-22014 is a vulnerability discovered in the Linux kernel affecting the Qualcomm PDR (Platform Debug Runtime) subsystem. The vulnerability was disclosed on April 8, 2025, and received its last update on April 10, 2025. It affects multiple versions of the Linux kernel, including versions from 5.7 up to 6.14-rc7 (NVD).

The vulnerability is a potential deadlock condition in the Linux kernel's soc/qcom/pdr component. It occurs when a client process calls pdr_add_lookup() to add a service lookup while another process receives a new server packet and calls pdr_locator_new_server(). The issue manifests when process B sets pdr->locator_init_complete to true, which process A sees and attempts to take a list lock and query the domain list. This results in a timeout due to deadlock as the response is queued to an ordered workqueue, preventing process B from completing the new server request work. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-667 (Improper Locking) (NVD).

The vulnerability can lead to a denial of service condition through deadlock in affected Linux kernel versions. The CVSS scoring indicates that while the vulnerability requires local access and low privileges, it can result in a high impact on system availability with no impact on confidentiality or integrity (NVD).

The vulnerability has been fixed by removing unnecessary list iteration, as the list iteration is already being performed inside the locator work. The fix has been implemented in Linux kernel version 6.1.133-1 for the Debian stable distribution (bookworm) (Debian Security).