CVE-2025-21943 in Linux
Summary
by MITRE • 04/01/2025
In the Linux kernel, the following vulnerability has been resolved:
gpio: aggregator: protect driver attr handlers against module unload
Both new_device_store and delete_device_store touch module global resources (e.g. gpio_aggregator_lock). To prevent race conditions with module unload, a reference needs to be held.
Add try_module_get() in these handlers.
For new_device_store, this eliminates what appears to be the most dangerous scenario: if an id is allocated from gpio_aggregator_idr but platform_device_register has not yet been called or completed, a concurrent module unload could fail to unregister/delete the device, leaving behind a dangling platform device/GPIO forwarder. This can result in various issues. The following simple reproducer demonstrates these problems:
#!/bin/bash while :; do # note: whether 'gpiochip0 0' exists or not does not matter. echo 'gpiochip0 0' > /sys/bus/platform/drivers/gpio-aggregator/new_device done & while :; do modprobe gpio-aggregator modprobe -r gpio-aggregator done & wait
Starting with the following warning, several kinds of warnings will appear and the system may become unstable:
------------[ cut here ]------------
list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120 [...]
RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120 [...]
Call Trace: ? __list_del_entry_valid_or_report+0xa3/0x120 ? __warn.cold+0x93/0xf2 ? __list_del_entry_valid_or_report+0xa3/0x120 ? report_bug+0xe6/0x170 ? __irq_work_queue_local+0x39/0xe0 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? __list_del_entry_valid_or_report+0xa3/0x120 gpiod_remove_lookup_table+0x22/0x60 new_device_store+0x315/0x350 [gpio_aggregator]
kernfs_fop_write_iter+0x137/0x1f0 vfs_write+0x262/0x430 ksys_write+0x60/0xd0 do_syscall_64+0x6c/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...]
---[ end trace 0000000000000000 ]---
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/01/2026
The vulnerability CVE-2025-21943 resides within the Linux kernel's gpio-aggregator driver, specifically addressing a race condition that occurs during module unload operations. This flaw impacts the driver's attribute handlers, namely new_device_store and delete_device_store, which manipulate global resources including gpio_aggregator_lock. The issue stems from insufficient protection mechanisms that fail to prevent concurrent access patterns between device management operations and module unloading processes, creating a scenario where module cleanup can interfere with active device operations.
The technical flaw manifests when the gpio-aggregator driver's attribute handlers access module-global resources without proper reference counting mechanisms. The vulnerability is classified under CWE-362, which describes a race condition where concurrent threads or processes access shared resources without proper synchronization, leading to unpredictable behavior and system instability. When new_device_store attempts to allocate an identifier from gpio_aggregator_idr but platform_device_register has not yet completed, a concurrent module unload can result in incomplete device cleanup, leaving behind dangling platform devices and GPIO forwarders that persist in memory.
The operational impact of this vulnerability extends beyond simple resource leaks to potential system instability and kernel crashes. The reproducer demonstrates how concurrent execution of device creation and module loading/unloading operations can trigger list corruption errors, specifically list_del corruption, which manifests as LIST_POISON1 errors in kernel logs. These corruption events occur because the kernel's list management functions detect invalid list pointers, indicating that device structures have been freed while still referenced by other subsystems. The vulnerability affects the kernel's ability to maintain data structure integrity during dynamic module loading scenarios, potentially leading to memory corruption and system crashes.
Mitigation strategies for CVE-2025-21943 involve implementing proper reference counting mechanisms through the addition of try_module_get() calls within the affected attribute handlers. This approach aligns with ATT&CK technique T1547.001, which involves establishing persistence through kernel module manipulation, by ensuring that module references are properly managed during concurrent operations. The fix prevents race conditions by ensuring that the module remains loaded while active device operations are in progress, preventing premature cleanup that could leave dangling references. System administrators should apply the kernel patch that implements these reference counting protections, particularly in environments where gpio-aggregator functionality is actively used or where dynamic module loading scenarios are common. The solution also addresses broader security concerns related to kernel memory management and prevents potential exploitation scenarios where malicious actors could leverage such race conditions to cause system instability or potentially gain elevated privileges through kernel memory corruption.