CVE-2025-40161
Description
In the Linux kernel, the following vulnerability has been resolved:
mailbox: zynqmp-ipi: Fix SGI cleanup on unbind
The driver incorrectly determines SGI vs SPI interrupts by checking IRQ number < 16, which fails with dynamic IRQ allocation. During unbind, this causes improper SGI cleanup leading to kernel crash.
Add explicit irq_type field to pdata for reliable identification of SGI interrupts (type-2) and only clean up SGI resources when appropriate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, the zynqmp-ipi mailbox driver's SGI cleanup logic incorrectly determines interrupt type, causing a kernel crash on driver unbind.
Vulnerability Details
In the Linux kernel's mailbox: zynqmp-ipi driver, the interrupt cleanup routine incorrectly identifies whether an interrupt is an SGI (Software Generated Interrupt) or SPI (Shared Peripheral Interrupt). The original code checks if the IRQ number is less than 16, but with dynamic IRQ allocation this comparison fails [1]. As a result, the driver treats SPI interrupts as SGIs during unbind, leading to improper cleanup of SGI resources and ultimately causing a kernel crash [1].
Exploitation and Impact
The vulnerability is triggered during the driver unbind operation (e.g., module removal or device removal). No special privileges or network access are required; an unprivileged user or a system administrator performing a normal driver unbind can trigger the crash, resulting in a denial of service (system panic). The flaw lies in the driver's internal logic and does not require any specific attack sequence.
Mitigation
The fix introduces an explicit irq_type field to the driver's private data structure (pdata) to reliably distinguish SGI interrupts (type-2) from others. During cleanup, only SGI resources are released when the recorded type matches. This patch has been applied to the Linux kernel stable tree as commit 32bf7c6e01f5ba17a53ba236a770bd0274cefdf4 [1].
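The difference between the two checks can be seen in a small userspace C model, added here as an illustration; it is not the kernel driver's code or the upstream patch. The macro names, the struct layout, the value 0 for a non-SGI type and the IRQ numbers are assumptions constructed for the example; only the threshold of 16 and SGI being type 2 come from the description above.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_SGI      16 /* threshold from the advisory; macro name is hypothetical */
#define IRQ_TYPE_SPI 0  /* assumed value for a non-SGI interrupt in this model */
#define IRQ_TYPE_SGI 2  /* "type-2" per the advisory; macro name is hypothetical */

enum unbind_result { UNBIND_OK, UNBIND_BAD_SGI_CLEANUP, UNBIND_SGI_NOT_CLEANED };

/* Simplified stand-in for the driver's pdata, not the kernel structure. */
struct ipi_pdata {
    int  irq;           /* number assigned by dynamic IRQ allocation */
    int  irq_type;      /* recorded at probe time: the field the fix adds */
    bool sgi_resources; /* true only when probe set up SGI state */
};

/* Pre-fix check: guess the interrupt type from its number. */
static bool is_sgi_by_number(const struct ipi_pdata *p) { return p->irq < MAX_SGI; }

/* Post-fix check: trust the type recorded at probe time. */
static bool is_sgi_by_type(const struct ipi_pdata *p) { return p->irq_type == IRQ_TYPE_SGI; }

/* Model probe followed by unbind, using either the old or the fixed check. */
static enum unbind_result run_case(int irq, int irq_type, bool fixed)
{
    struct ipi_pdata p = { irq, irq_type, irq_type == IRQ_TYPE_SGI };
    bool treat_as_sgi = fixed ? is_sgi_by_type(&p) : is_sgi_by_number(&p);

    if (treat_as_sgi) {
        if (!p.sgi_resources)
            return UNBIND_BAD_SGI_CLEANUP; /* SGI teardown on a non-SGI interrupt */
        p.sgi_resources = false;           /* SGI state released correctly */
    }
    return p.sgi_resources ? UNBIND_SGI_NOT_CLEANED : UNBIND_OK;
}

int main(void)
{
    /* Constructed cases: the numbers are illustrative, not from a real system. */
    static const struct { int irq, type; } cases[] = {
        { 12, IRQ_TYPE_SPI }, /* non-SGI that was given a number below 16 */
        { 45, IRQ_TYPE_SGI }, /* SGI that was given a number of 16 or above */
        {  3, IRQ_TYPE_SGI }, /* SGI whose number happens to be below 16 */
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("irq=%d type=%d old=%d fixed=%d\n", cases[i].irq, cases[i].type,
               run_case(cases[i].irq, cases[i].type, false),
               run_case(cases[i].irq, cases[i].type, true));
    return 0;
}
```

In the model the number-based check is right only when the assigned number happens to agree with the interrupt type, while the type-based check returns UNBIND_OK in all three cases.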
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 3
1ee147efee68
32bf7c6e01f5
bb160e791ab1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.