CVE-2025-38632

commit 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data") tried to address the issue when two client of the same gpio calls pinctrlselectstate() for the same functionality, was resulting in NULL pointer issue while accessing desc->mux_owner. However, issue was not completely fixed due to the way it was handled and it can still result in the same NULL pointer.

The issue occurs due to the following interleaving:

 cpu0 (process A)                   cpu1 (process B)

  pin_request() {                   pin_free() {

                                     mutex_lock()
                                     desc->mux_usecount--; //becomes 0
                                     ..
                                     mutex_unlock()

mutexlock(desc->mux) desc->muxusecount++; // becomes 1 desc->muxowner = owner; mutexunlock(desc->mux)

                                     mutex_lock(desc->mux)
                                     desc->mux_owner = NULL;
                                     mutex_unlock(desc->mux)

This sequence leads to a state where the pin appears to be in use (mux_usecount == 1) but has no owner (mux_owner == NULL), which can cause NULL pointer on next pin_request on the same pin.

Ensure that updates to muxusecount and muxowner are performed atomically under the same lock. Only clear muxowner when muxusecount reaches zero and no new owner has been assigned.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

2da32aed4a97ca1d70fb8b77926f72f30ce5fb4b

Fixed

9b2a3e7189028aa7c4d53a84364f2ea9fb209787

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c11e2ec9a780f54982a187ee10ffd1b810715c85

Fixed

9ea3f6b9a67be3476e331ce51cac316c2614a564

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e

Fixed

b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e

Fixed

22b585cbd67d14df3b91529d1b990661c300faa9

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e

Fixed

0b075c011032f88d1cfde3b45d6dcf08b44140eb

Affected versions

v6.*

v6.12

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.30

v6.12.31

v6.12.32

v6.12.33

v6.12.34

v6.12.35

v6.12.36

v6.12.37

v6.12.38

v6.12.39

v6.12.40

v6.12.41

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.15.1

v6.15.2

v6.15.3

v6.15.4

v6.15.5

v6.15.6

v6.15.7

v6.15.8

v6.15.9

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.6.100

v6.6.101

v6.6.66

v6.6.67

v6.6.68

v6.6.69

v6.6.70

v6.6.71

v6.6.72

v6.6.73

v6.6.74

v6.6.75

v6.6.76

v6.6.77

v6.6.78

v6.6.79

v6.6.80

v6.6.81

v6.6.82

v6.6.83

v6.6.84

v6.6.85

v6.6.86

v6.6.87

v6.6.88

v6.6.89

v6.6.90

v6.6.91

v6.6.92

v6.6.93

v6.6.94

v6.6.95

v6.6.96

v6.6.97

v6.6.98

v6.6.99

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.102

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.42

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.15.10

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.16.1