ghsa-m7pp-g2rm-wrcq
Vulnerability from github
Published
2025-04-01 18:30
Modified
2025-04-10 18:32
Severity ?
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

gpio: aggregator: protect driver attr handlers against module unload

Both new_device_store and delete_device_store touch module global resources (e.g. gpio_aggregator_lock). To prevent race conditions with module unload, a reference needs to be held.

Add try_module_get() in these handlers.

For new_device_store, this eliminates what appears to be the most dangerous scenario: if an id is allocated from gpio_aggregator_idr but platform_device_register has not yet been called or completed, a concurrent module unload could fail to unregister/delete the device, leaving behind a dangling platform device/GPIO forwarder. This can result in various issues. The following simple reproducer demonstrates these problems:

#!/bin/bash while :; do # note: whether 'gpiochip0 0' exists or not does not matter. echo 'gpiochip0 0' > /sys/bus/platform/drivers/gpio-aggregator/new_device done & while :; do modprobe gpio-aggregator modprobe -r gpio-aggregator done & wait

Starting with the following warning, several kinds of warnings will appear and the system may become unstable:

------------[ cut here ]------------ list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120 [...] RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120 [...] Call Trace: ? __list_del_entry_valid_or_report+0xa3/0x120 ? __warn.cold+0x93/0xf2 ? __list_del_entry_valid_or_report+0xa3/0x120 ? report_bug+0xe6/0x170 ? __irq_work_queue_local+0x39/0xe0 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? __list_del_entry_valid_or_report+0xa3/0x120 gpiod_remove_lookup_table+0x22/0x60 new_device_store+0x315/0x350 [gpio_aggregator] kernfs_fop_write_iter+0x137/0x1f0 vfs_write+0x262/0x430 ksys_write+0x60/0xd0 do_syscall_64+0x6c/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] ---[ end trace 0000000000000000 ]---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T16:15:25Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: aggregator: protect driver attr handlers against module unload\n\nBoth new_device_store and delete_device_store touch module global\nresources (e.g. gpio_aggregator_lock). To prevent race conditions with\nmodule unload, a reference needs to be held.\n\nAdd try_module_get() in these handlers.\n\nFor new_device_store, this eliminates what appears to be the most dangerous\nscenario: if an id is allocated from gpio_aggregator_idr but\nplatform_device_register has not yet been called or completed, a concurrent\nmodule unload could fail to unregister/delete the device, leaving behind a\ndangling platform device/GPIO forwarder. This can result in various issues.\nThe following simple reproducer demonstrates these problems:\n\n  #!/bin/bash\n  while :; do\n    # note: whether \u0027gpiochip0 0\u0027 exists or not does not matter.\n    echo \u0027gpiochip0 0\u0027 \u003e /sys/bus/platform/drivers/gpio-aggregator/new_device\n  done \u0026\n  while :; do\n    modprobe gpio-aggregator\n    modprobe -r gpio-aggregator\n  done \u0026\n  wait\n\n  Starting with the following warning, several kinds of warnings will appear\n  and the system may become unstable:\n\n  ------------[ cut here ]------------\n  list_del corruption, ffff888103e2e980-\u003enext is LIST_POISON1 (dead000000000100)\n  WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120\n  [...]\n  RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120\n  [...]\n  Call Trace:\n   \u003cTASK\u003e\n   ? __list_del_entry_valid_or_report+0xa3/0x120\n   ? __warn.cold+0x93/0xf2\n   ? __list_del_entry_valid_or_report+0xa3/0x120\n   ? report_bug+0xe6/0x170\n   ? __irq_work_queue_local+0x39/0xe0\n   ? handle_bug+0x58/0x90\n   ? exc_invalid_op+0x13/0x60\n   ? asm_exc_invalid_op+0x16/0x20\n   ? __list_del_entry_valid_or_report+0xa3/0x120\n   gpiod_remove_lookup_table+0x22/0x60\n   new_device_store+0x315/0x350 [gpio_aggregator]\n   kernfs_fop_write_iter+0x137/0x1f0\n   vfs_write+0x262/0x430\n   ksys_write+0x60/0xd0\n   do_syscall_64+0x6c/0x180\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   [...]\n   \u003c/TASK\u003e\n  ---[ end trace 0000000000000000 ]---",
  "id": "GHSA-m7pp-g2rm-wrcq",
  "modified": "2025-04-10T18:32:01Z",
  "published": "2025-04-01T18:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21943"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12f65d1203507f7db3ba59930fe29a3b8eee9945"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/56281a76b805b5ac61feb5d580139695a22f87f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/807789018186cf508ceb3a1f8f02935cd195717b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fb07fb1bba91d45846ed8605c3097fe67a7d54c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9334c88fc2fbc6836b307d269fcc1744c69701c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d99dc8f7ea01ee1b21306e0eda8eb18a4af80db6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fd6aa1f8cbe0979eb66ac32ebc231bf0b10a2117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.