Linux Kernel Pinmux Race Condition Vulnerability Leading to Null Pointer Dereference

Vulnerability

A vulnerability in the Linux kernel's pinmux handling can cause a null pointer dereference. This issue arises from a race condition where two clients of the same GPIO can interfere with each other, leading to an inconsistent state. The problem was partially addressed in a previous commit, but the fix was not complete. The vulnerability occurs when one process frees a pin while another is requesting it, causing the pin's ownership data to become corrupted. As a result, the pin appears to be in use but has no assigned owner, which can trigger a null pointer dereference when the pin is requested again.

Impact

Exploitation of this vulnerability can lead to a null pointer dereference, causing a crash or undefined behavior in the system.

Reproduction

To reproduce this vulnerability, run two processes that simultaneously request and free the same GPIO pin. This can be done by calling the 'pinctrl_select_state()' function for the same functionality from both processes. The interleaving of these calls can create a race condition in which one process frees the pin while the other is still using it, leading to the null pointer dereference.
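
The interleaving described above can be replayed deterministically in a small userspace model; this is an added example, not kernel code and not taken from the fix. It assumes ownership is tracked as a use count plus an owner pointer and that the free path updates them in two separate steps; all names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model of one pin's ownership record.
 * All names are hypothetical; this is not kernel source. */
struct pin_model {
    unsigned usecount;   /* number of clients currently holding the pin */
    const char *owner;   /* first requester, NULL when the pin is free */
};

/* Request path: the first taker records itself as owner. */
static void pin_request(struct pin_model *p, const char *who) {
    if (++p->usecount == 1)
        p->owner = who;
}

/* Free path, step 1: drop the count; returns 1 if the caller saw it hit zero. */
static int free_drop_count(struct pin_model *p) {
    return p->usecount && --p->usecount == 0;
}

/* Free path, step 2: run only by a caller that saw zero in step 1. */
static void free_clear_owner(struct pin_model *p) { p->owner = NULL; }

/* Invariant: a pin has an owner exactly when its use count is non-zero. */
static int consistent(const struct pin_model *p) {
    return (p->usecount != 0) == (p->owner != NULL);
}

/* Window open: another client's request lands between the two free steps. */
int racy_interleaving(void) {
    struct pin_model p = { 1, "client-a" };  /* constructed start state */
    int hit_zero = free_drop_count(&p);      /* count 1 -> 0 */
    pin_request(&p, "client-b");             /* count 0 -> 1, owner set */
    if (hit_zero)
        free_clear_owner(&p);                /* stale decision wipes the owner */
    return consistent(&p);                   /* count 1, owner NULL */
}

/* Window closed: both free steps finish as one unit before the request runs. */
int serialized_interleaving(void) {
    struct pin_model p = { 1, "client-a" };
    if (free_drop_count(&p))
        free_clear_owner(&p);
    pin_request(&p, "client-b");
    return consistent(&p);
}

int main(void) {
    printf("racy: %d, serialized: %d\n", racy_interleaving(), serialized_interleaving());
    return 0;
}
```

In the racy ordering the record ends with a non-zero use count and no owner, which is the "in use but unowned" state the description refers to; keeping both free steps inside one critical section rules that ordering out.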

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: Aug 22, 2025, 5:15 PM
Updated: Aug 22, 2025, 5:15 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.