{"id":"CVE-2025-21943","summary":"gpio: aggregator: protect driver attr handlers against module unload","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: aggregator: protect driver attr handlers against module unload\n\nBoth new_device_store and delete_device_store touch module global\nresources (e.g. gpio_aggregator_lock). To prevent race conditions with\nmodule unload, a reference needs to be held.\n\nAdd try_module_get() in these handlers.\n\nFor new_device_store, this eliminates what appears to be the most dangerous\nscenario: if an id is allocated from gpio_aggregator_idr but\nplatform_device_register has not yet been called or completed, a concurrent\nmodule unload could fail to unregister/delete the device, leaving behind a\ndangling platform device/GPIO forwarder. This can result in various issues.\nThe following simple reproducer demonstrates these problems:\n\n  #!/bin/bash\n  while :; do\n    # note: whether 'gpiochip0 0' exists or not does not matter.\n    echo 'gpiochip0 0' \u003e /sys/bus/platform/drivers/gpio-aggregator/new_device\n  done &\n  while :; do\n    modprobe gpio-aggregator\n    modprobe -r gpio-aggregator\n  done &\n  wait\n\n  Starting with the following warning, several kinds of warnings will appear\n  and the system may become unstable:\n\n  ------------[ cut here ]------------\n  list_del corruption, ffff888103e2e980-\u003enext is LIST_POISON1 (dead000000000100)\n  WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120\n  [...]\n  RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120\n  [...]\n  Call Trace:\n   \u003cTASK\u003e\n   ? __list_del_entry_valid_or_report+0xa3/0x120\n   ? __warn.cold+0x93/0xf2\n   ? __list_del_entry_valid_or_report+0xa3/0x120\n   ? report_bug+0xe6/0x170\n   ? __irq_work_queue_local+0x39/0xe0\n   ? handle_bug+0x58/0x90\n   ? exc_invalid_op+0x13/0x60\n   ? asm_exc_invalid_op+0x16/0x20\n   ? __list_del_entry_valid_or_report+0xa3/0x120\n   gpiod_remove_lookup_table+0x22/0x60\n   new_device_store+0x315/0x350 [gpio_aggregator]\n   kernfs_fop_write_iter+0x137/0x1f0\n   vfs_write+0x262/0x430\n   ksys_write+0x60/0xd0\n   do_syscall_64+0x6c/0x180\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   [...]\n   \u003c/TASK\u003e\n  ---[ end trace 0000000000000000 ]---","modified":"2026-04-02T12:45:17.542236Z","published":"2025-04-01T15:41:07.463Z","related":["SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20206-1","SUSE-SU-2025:20270-1","SUSE-SU-2025:20283-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21943.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/12f65d1203507f7db3ba59930fe29a3b8eee9945"},{"type":"WEB","url":"https://git.kernel.org/stable/c/56281a76b805b5ac61feb5d580139695a22f87f0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/807789018186cf508ceb3a1f8f02935cd195717b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8fb07fb1bba91d45846ed8605c3097fe67a7d54c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9334c88fc2fbc6836b307d269fcc1744c69701c0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d99dc8f7ea01ee1b21306e0eda8eb18a4af80db6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fd6aa1f8cbe0979eb66ac32ebc231bf0b10a2117"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21943.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21943"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"828546e24280f721350a7a0dcc92416e917b4382"},{"fixed":"fd6aa1f8cbe0979eb66ac32ebc231bf0b10a2117"},{"fixed":"807789018186cf508ceb3a1f8f02935cd195717b"},{"fixed":"9334c88fc2fbc6836b307d269fcc1744c69701c0"},{"fixed":"d99dc8f7ea01ee1b21306e0eda8eb18a4af80db6"},{"fixed":"8fb07fb1bba91d45846ed8605c3097fe67a7d54c"},{"fixed":"56281a76b805b5ac61feb5d580139695a22f87f0"},{"fixed":"12f65d1203507f7db3ba59930fe29a3b8eee9945"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21943.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}