pinmux: fix race causing mux_owner NULL with active mux_usecount
Description
In the Linux kernel, the following vulnerability has been resolved:
pinmux: fix race causing mux_owner NULL with active mux_usecount
commit 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data") tried to address the issue when two client of the same gpio calls pinctrl_select_state() for the same functionality, was resulting in NULL pointer issue while accessing desc->mux_owner. However, issue was not completely fixed due to the way it was handled and it can still result in the same NULL pointer.
The issue occurs due to the following interleaving:
cpu0 (process A) cpu1 (process B)
pin_request() { pin_free() {
mutex_lock() desc->mux_usecount--; //becomes 0 .. mutex_unlock()
mutex_lock(desc->mux) desc->mux_usecount++; // becomes 1 desc->mux_owner = owner; mutex_unlock(desc->mux)
mutex_lock(desc->mux) desc->mux_owner = NULL; mutex_unlock(desc->mux)
This sequence leads to a state where the pin appears to be in use (mux_usecount == 1) but has no owner (mux_owner == NULL), which can cause NULL pointer on next pin_request on the same pin.
Ensure that updates to mux_usecount and mux_owner are performed atomically under the same lock. Only clear mux_owner when mux_usecount reaches zero and no new owner has been assigned.
Affected products
2- Linux/Linuxv5Range: 6.13
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/0b075c011032f88d1cfde3b45d6dcf08b44140ebmitre
- git.kernel.org/stable/c/22b585cbd67d14df3b91529d1b990661c300faa9mitre
- git.kernel.org/stable/c/9b2a3e7189028aa7c4d53a84364f2ea9fb209787mitre
- git.kernel.org/stable/c/9ea3f6b9a67be3476e331ce51cac316c2614a564mitre
- git.kernel.org/stable/c/b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804mitre
News mentions
0No linked articles in our index yet.