Linux Kernel GPIO Aggregator Driver Race Condition Vulnerability Allowing Unregistered Device Forwarding

Vulnerability

A vulnerability in the Linux kernel's GPIO aggregator driver can lead to race conditions during module unloading. The issue arises because the 'new_device_store' and 'delete_device_store' functions manipulate global resources, such as the 'gpio_aggregator_lock', without holding a reference to the module. Without that reference, the module can be unloaded while a device is still being registered, potentially leaving behind a dangling platform device or GPIO forwarder. Such a scenario can disrupt system stability and functionality.

Impact

Exploitation of this vulnerability can cause list corruption, leading to various system warnings and potential instability.

Reproduction

The vulnerability can be reproduced by repeatedly writing to the 'new_device' attribute of the 'gpio-aggregator' driver while concurrently loading and unloading the module. This creates a race condition that disrupts the management of platform devices, causing list corruption and the system warnings that report it.

Remediation

The vulnerability has been addressed by modifying the device handling functions to include a module reference, preventing the race condition during module unload.
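
The effect of holding a module reference across the store handler can be seen in a small userspace model. This is an added example, not the kernel patch or driver code; every model_* name and the dangling_after_race helper are hypothetical, and the interleaving is forced deterministically instead of using real threads.

```c
#include <stdbool.h>

/* Userspace model (assumption): all names are hypothetical, none is kernel API.
 * refcnt: in-flight handlers; live: module loaded; devices: driver's global list. */
struct model_module { int refcnt; bool live; int devices; };

static bool model_get(struct model_module *m)
{
    if (m->live)
        m->refcnt++;
    return m->live;     /* refused once the module is gone */
}
static void model_put(struct model_module *m) { m->refcnt--; }

/* Unload empties the device list; refused while any reference is held. */
static int model_unload(struct model_module *m)
{
    if (m->refcnt > 0)
        return -1;
    m->devices = 0;
    m->live = false;
    return 0;
}

/* Models a new_device write; racer runs where an unload can interleave. */
static int model_new_device_store(struct model_module *m, bool take_ref,
                                  int (*racer)(struct model_module *))
{
    if (take_ref && !model_get(m))
        return -1;
    if (racer)
        racer(m);       /* concurrent unload attempt */
    m->devices++;       /* device registered and added to the list */
    if (take_ref)
        model_put(m);
    return 0;
}

/* Devices still registered after the module is gone (dangling). */
static int dangling_after_race(bool take_ref)
{
    struct model_module m = { .refcnt = 0, .live = true, .devices = 0 };
    model_new_device_store(&m, take_ref, model_unload);
    return m.live ? 0 : m.devices;
}

int main(void)
{
    return dangling_after_race(false) == 1 && dangling_after_race(true) == 0 ? 0 : 1;
}
```

Without the reference, the unload completes mid-handler and one device outlives the module; with it, the unload is refused until the handler finishes, and a later unload tears the device down normally.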

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.