CVE-2025-40108 in Linuxinfo

Summary

by MITRE • 11/09/2025

In the Linux kernel, the following vulnerability has been resolved:

serial: qcom-geni: Fix blocked task

Revert commit 1afa70632c39 ("serial: qcom-geni: Enable PM runtime for serial driver") and its dependent commit 86fa39dd6fb7 ("serial: qcom-geni: Enable Serial on SA8255p Qualcomm platforms") because the first one causes regression - hang task on Qualcomm RB1 board (QRB2210) and unable to use serial at all during normal boot:

INFO: task kworker/u16:0:12 blocked for more than 42 seconds. Not tainted 6.17.0-rc1-00004-g53e760d89498 #9 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u16:0 state:D stack:0 pid:12 tgid:12 ppid:2 task_flags:0x4208060 flags:0x00000010 Workqueue: async async_run_entry_fn Call trace: __switch_to+0xe8/0x1a0 (T) __schedule+0x290/0x7c0 schedule+0x34/0x118 rpm_resume+0x14c/0x66c rpm_resume+0x2a4/0x66c rpm_resume+0x2a4/0x66c rpm_resume+0x2a4/0x66c __pm_runtime_resume+0x50/0x9c __driver_probe_device+0x58/0x120 driver_probe_device+0x3c/0x154 __driver_attach_async_helper+0x4c/0xc0 async_run_entry_fn+0x34/0xe0 process_one_work+0x148/0x290 worker_thread+0x2c4/0x3e0 kthread+0x118/0x1c0 ret_from_fork+0x10/0x20

The issue was reported on 12th of August and was ignored by author of commits introducing issue for two weeks. Only after complaining author produced a fix which did not work, so if original commits cannot be reliably fixed for 5 weeks, they obviously are buggy and need to be dropped.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 12/21/2025

The vulnerability identified as CVE-2025-40108 represents a critical regression in the Linux kernel's Qualcomm GENI serial driver implementation affecting the QRB2210 platform. This issue stems from the improper handling of power management runtime (PM runtime) features within the serial communication subsystem, specifically manifesting as a blocked task condition that prevents normal system boot operations. The problem occurs during the kernel's device probe sequence when the system attempts to initialize serial interfaces on Qualcomm platforms, leading to complete serial functionality failure and system hang conditions.

The technical root cause involves the introduction of commits 1afa70632c39 and 86fa39dd6fb7 which attempted to enable PM runtime support for the Qualcomm GENI serial driver. These changes created a deadlock scenario where the kernel's workqueue processing thread kworker/u16:0 becomes indefinitely blocked while attempting to resume power management states for serial devices. The call trace demonstrates the system becoming stuck in rpm_resume functions within the PM subsystem, indicating a circular dependency or resource contention during device initialization. This behavior directly violates the expected kernel scheduling behavior and results in a hung task condition that prevents further system initialization.

The operational impact of this vulnerability is severe as it completely disables serial communication capabilities on affected Qualcomm platforms, particularly the QRB2210 board. System administrators and developers attempting to perform debugging, system maintenance, or normal operations through serial interfaces encounter complete failure of these communication channels. The issue affects the fundamental boot process, making it impossible to establish serial console connections or perform any serial-based system interactions. According to industry standards such as CWE-362, this represents a race condition or deadlock vulnerability that can lead to system unresponsiveness, while the ATT&CK framework categorizes this under privilege escalation and system resource manipulation techniques that can disrupt normal system operations.

The resolution strategy implemented by reverting the problematic commits represents a necessary but temporary fix that addresses the immediate regression without fully resolving the underlying power management integration issues. This approach aligns with the kernel development practice of prioritizing system stability over feature implementation when critical regressions are detected. The extended timeline of five weeks required to develop a reliable fix demonstrates the complexity of power management integration in embedded systems and the importance of thorough testing before merging changes that affect core system functionality. The vulnerability highlights the challenges of implementing PM runtime features in device drivers where improper state management can lead to complete system lockups, making this issue particularly concerning for embedded and mobile platforms where serial communication is often essential for system diagnostics and recovery operations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

11/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00168

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!