CVE-2025-21943

Severity CVSS v4.0:

Pending analysis

Type:

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Publication date:

01/04/2025

Last modified:

10/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved: gpio: aggregator: protect driver attr handlers against module unload Both new_device_store and delete_device_store touch module global resources (e.g. gpio_aggregator_lock). To prevent race conditions with module unload, a reference needs to be held. Add try_module_get() in these handlers. For new_device_store, this eliminates what appears to be the most dangerous scenario: if an id is allocated from gpio_aggregator_idr but platform_device_register has not yet been called or completed, a concurrent module unload could fail to unregister/delete the device, leaving behind a dangling platform device/GPIO forwarder. This can result in various issues. The following simple reproducer demonstrates these problems: #!/bin/bash while :; do # note: whether &#39;gpiochip0 0&#39; exists or not does not matter. echo &#39;gpiochip0 0&#39; > /sys/bus/platform/drivers/gpio-aggregator/new_device done & while :; do modprobe gpio-aggregator modprobe -r gpio-aggregator done & wait Starting with the following warning, several kinds of warnings will appear and the system may become unstable: ------------[ cut here ]------------ list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120 [...] RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120 [...] Call Trace: ? __list_del_entry_valid_or_report+0xa3/0x120 ? __warn.cold+0x93/0xf2 ? __list_del_entry_valid_or_report+0xa3/0x120 ? report_bug+0xe6/0x170 ? __irq_work_queue_local+0x39/0xe0 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? __list_del_entry_valid_or_report+0xa3/0x120 gpiod_remove_lookup_table+0x22/0x60 new_device_store+0x315/0x350 [gpio_aggregator] kernfs_fop_write_iter+0x137/0x1f0 vfs_write+0x262/0x430 ksys_write+0x60/0xd0 do_syscall_64+0x6c/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] ---[ end trace 0000000000000000 ]---

Impact

Vector 3.x

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 4.70 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x

4.70

Severity 3.x

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:o:linux:linux_kernel::::::::	5.8 (including)	5.10.235 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	5.11 (including)	5.15.179 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	5.16 (including)	6.1.131 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	6.2 (including)	6.6.83 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	6.7 (including)	6.12.19 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	6.13 (including)	6.13.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1::::::
cpe:2.3:o:linux:linux_kernel:6.14:rc2::::::
cpe:2.3:o:linux:linux_kernel:6.14:rc3::::::
cpe:2.3:o:linux:linux_kernel:6.14:rc4::::::
cpe:2.3:o:linux:linux_kernel:6.14:rc5::::::

To consult the complete list of CPE names with products and versions, see this page

CVE-2025-21943

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools