{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38632","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.029Z","datePublished":"2025-08-22T16:00:40.423Z","dateUpdated":"2026-05-11T21:31:58.618Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:31:58.618Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npinmux: fix race causing mux_owner NULL with active mux_usecount\n\ncommit 5a3e85c3c397 (\"pinmux: Use sequential access to access\ndesc->pinmux data\") tried to address the issue when two client of the\nsame gpio calls pinctrl_select_state() for the same functionality, was\nresulting in NULL pointer issue while accessing desc->mux_owner.\nHowever, issue was not completely fixed due to the way it was handled\nand it can still result in the same NULL pointer.\n\nThe issue occurs due to the following interleaving:\n\n     cpu0 (process A)                   cpu1 (process B)\n\n      pin_request() {                   pin_free() {\n\n                                         mutex_lock()\n                                         desc->mux_usecount--; //becomes 0\n                                         ..\n                                         mutex_unlock()\n\n  mutex_lock(desc->mux)\n  desc->mux_usecount++; // becomes 1\n  desc->mux_owner = owner;\n  mutex_unlock(desc->mux)\n\n                                         mutex_lock(desc->mux)\n                                         desc->mux_owner = NULL;\n                                         mutex_unlock(desc->mux)\n\nThis sequence leads to a state where the pin appears to be in use\n(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can\ncause NULL pointer on next pin_request on the same pin.\n\nEnsure that updates to mux_usecount and mux_owner are performed\natomically under the same lock. Only clear mux_owner when mux_usecount\nreaches zero and no new owner has been assigned."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/pinctrl/pinmux.c"],"versions":[{"version":"2da32aed4a97ca1d70fb8b77926f72f30ce5fb4b","lessThan":"9b2a3e7189028aa7c4d53a84364f2ea9fb209787","status":"affected","versionType":"git"},{"version":"c11e2ec9a780f54982a187ee10ffd1b810715c85","lessThan":"9ea3f6b9a67be3476e331ce51cac316c2614a564","status":"affected","versionType":"git"},{"version":"5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e","lessThan":"b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804","status":"affected","versionType":"git"},{"version":"5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e","lessThan":"22b585cbd67d14df3b91529d1b990661c300faa9","status":"affected","versionType":"git"},{"version":"5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e","lessThan":"0b075c011032f88d1cfde3b45d6dcf08b44140eb","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/pinctrl/pinmux.c"],"versions":[{"version":"6.13","status":"affected"},{"version":"0","lessThan":"6.13","status":"unaffected","versionType":"semver"},{"version":"6.6.102","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.42","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.10","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.66","versionEndExcluding":"6.6.102"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.5","versionEndExcluding":"6.12.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9b2a3e7189028aa7c4d53a84364f2ea9fb209787"},{"url":"https://git.kernel.org/stable/c/9ea3f6b9a67be3476e331ce51cac316c2614a564"},{"url":"https://git.kernel.org/stable/c/b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804"},{"url":"https://git.kernel.org/stable/c/22b585cbd67d14df3b91529d1b990661c300faa9"},{"url":"https://git.kernel.org/stable/c/0b075c011032f88d1cfde3b45d6dcf08b44140eb"}],"title":"pinmux: fix race causing mux_owner NULL with active mux_usecount","x_generator":{"engine":"bippy-1.2.0"}}}}