CVE-2025-38632

Summary

In the Linux kernel, the following vulnerability has been resolved:

pinmux: fix race causing mux_owner NULL with active mux_usecount

commit 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data") tried to address the issue when two client of the same gpio calls pinctrl_select_state() for the same functionality, was resulting in NULL pointer issue while accessing desc->mux_owner. However, issue was not completely fixed due to the way it was handled and it can still result in the same NULL pointer.

The issue occurs due to the following interleaving:

 cpu0 (process A)                   cpu1 (process B)

  pin_request() {                   pin_free() {

                                     mutex_lock()
                                     desc->mux_usecount--; //becomes 0
                                     ..
                                     mutex_unlock()

mutex_lock(desc->mux) desc->mux_usecount++; // becomes 1 desc->mux_owner = owner; mutex_unlock(desc->mux)

                                     mutex_lock(desc->mux)
                                     desc->mux_owner = NULL;
                                     mutex_unlock(desc->mux)

This sequence leads to a state where the pin appears to be in use (mux_usecount == 1) but has no owner (mux_owner == NULL), which can cause NULL pointer on next pin_request on the same pin.

Ensure that updates to mux_usecount and mux_owner are performed atomically under the same lock. Only clear mux_owner when mux_usecount reaches zero and no new owner has been assigned.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2da32aed4a97ca1d70fb8b77926f72f30ce5fb4b < 9b2a3e7189028aa7c4d53a84364f2ea9fb209787affected
LinuxLinuxc11e2ec9a780f54982a187ee10ffd1b810715c85 < 9ea3f6b9a67be3476e331ce51cac316c2614a564affected
LinuxLinux5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e < b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804affected
LinuxLinux5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e < 22b585cbd67d14df3b91529d1b990661c300faa9affected
LinuxLinux5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e < 0b075c011032f88d1cfde3b45d6dcf08b44140ebaffected
LinuxLinux6.6.66 < 6.6.102affected
LinuxLinux6.12.5 < 6.12.42affected
LinuxLinux6.13affected
LinuxLinux0 < 6.13unaffected
LinuxLinux6.6.102 <= 6.6.*unaffected
LinuxLinux6.12.42 <= 6.12.*unaffected
LinuxLinux6.15.10 <= 6.15.*unaffected
LinuxLinux6.16.1 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

References