CVE-2025-21684: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

gpio: xilinx: Convert gpio_lock to raw spinlock

irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking.

This fixes the following lockdep splat:

[ 5.349336] =============================
[ 5.353349] [ BUG: Invalid wait context ]
[ 5.357361] 6.13.0-rc5+ #69 Tainted: G W
[ 5.363031] -----------------------------
[ 5.367045] kworker/u17:1/44 is trying to lock:
[ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))
[ 5.380079] other info that might help us debug this:
[ 5.385138] context-{5:5}
[ 5.387762] 5 locks held by kworker/u17:1/44:
[ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204)
[ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205)
[ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006)
[ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596)
[ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614)
[ 5.436472] stack backtrace:
[ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69
[ 5.448690] Tainted: [W]=WARN
[ 5.451656] Hardware name: xlnx,zynqmp (DT)
[ 5.455845] Workqueue: events_unbound deferred_probe_work_func
[ 5.461699] Call trace:
[ 5.464147] show_stack+0x18/0x24 C
[ 5.467821] dump_stack_lvl (lib/dump_stack.c:123)
[ 5.471501] dump_stack (lib/dump_stack.c:130)
[ 5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176)
[ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814)
[ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))
[ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345)
[ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250)
[ 5.497645] irq_startup (kernel/irq/chip.c:270)
[ 5.501143] __setup_irq (kernel/irq/manage.c:1807)
[ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208)
AI Analysis
Technical Summary
CVE-2025-21684 is a vulnerability identified in the Linux kernel specifically related to the gpio-xilinx driver, which handles General Purpose Input/Output (GPIO) operations for Xilinx hardware platforms. The core issue arises from improper locking mechanisms within the irq_chip functions, which may be invoked in a raw spinlock context. The vulnerability stems from the use of a standard spinlock (gpio_lock) instead of a raw spinlock, leading to potential lock dependency (lockdep) violations and invalid wait contexts. This can cause kernel warnings, instability, or crashes as demonstrated by the kernel logs showing an invalid wait context and multiple locks held simultaneously by a kernel worker thread.

The problem is rooted in concurrency control within the kernel's interrupt handling and GPIO management code, where irq_chip functions must use raw spinlocks to avoid deadlocks or improper locking states. The fix involves converting gpio_lock to a raw spinlock to align with the irq_chip's locking context requirements. This vulnerability affects Linux kernel versions including the 6.13.0-rc5+ release candidate and likely other versions using the affected gpio-xilinx driver code.

Although no known exploits are reported in the wild, the issue could lead to denial of service (DoS) conditions via kernel panics or system instability when the gpio-xilinx driver is in use, particularly on Xilinx Zynq UltraScale+ MPSoC platforms or similar hardware. The vulnerability does not appear to allow privilege escalation or arbitrary code execution directly but impacts system reliability and availability due to kernel locking errors and potential crashes.
Potential Impact
For European organizations, the impact of CVE-2025-21684 primarily concerns systems running Linux kernels with the gpio-xilinx driver enabled, which are typically embedded or industrial systems using Xilinx hardware platforms. Such platforms are common in telecommunications, automotive, industrial automation, and aerospace sectors prevalent in Europe. A successful exploitation or triggering of this vulnerability could cause kernel panics or system crashes, leading to denial of service conditions. This can disrupt critical infrastructure operations, manufacturing processes, or telecommunications services.

Given the specialized hardware involved, the impact is more pronounced in organizations relying on embedded Linux systems with Xilinx components rather than general-purpose servers or desktops. The vulnerability could also affect development and testing environments using affected kernel versions. Although no direct data breach or privilege escalation is indicated, the loss of system availability can have cascading effects on operational continuity, safety systems, and service level agreements. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or malicious triggering of the bug, especially in environments with high concurrency and interrupt load.
Mitigation Recommendations
To mitigate CVE-2025-21684, organizations should:

1) Apply the latest Linux kernel patches that convert gpio_lock to a raw spinlock in the gpio-xilinx driver, ensuring compatibility with irq_chip locking contexts.
2) For embedded systems using Xilinx platforms, coordinate with hardware vendors and maintainers to obtain updated kernel builds or firmware that incorporate the fix.
3) Conduct thorough testing of updated kernels in staging environments to verify stability and absence of regressions related to GPIO and interrupt handling.
4) Monitor kernel logs for lockdep warnings or invalid wait context errors as early indicators of the issue.
5) Implement robust system monitoring and automated reboot strategies to minimize downtime if kernel panics occur before patching.
6) Limit access to systems running affected kernels to trusted personnel to reduce risk of accidental triggering.
7) Maintain an inventory of Linux kernel versions and hardware platforms in use to prioritize patch deployment.
8) Engage with Linux kernel security mailing lists and Xilinx support channels for updates and advisories.

These steps go beyond generic patching by emphasizing vendor coordination, proactive monitoring, and operational continuity planning specific to embedded Linux environments with Xilinx hardware.
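For the log-monitoring step, the following added example (not part of the original advisory or the kernel patch) parses lockdep "Invalid wait context" reports and names the held lock whose wait type forbids the lock being taken. SAMPLE is constructed by abridging the splat quoted in the description; the function and field names are this example's own.

```python
import re

# Constructed sample: abridged from the lockdep splat quoted in the description.
SAMPLE = """\
[ 5.353349] [ BUG: Invalid wait context ]
[ 5.367045] kworker/u17:1/44 is trying to lock:
[ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))
[ 5.387762] 5 locks held by kworker/u17:1/44:
[ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204)
[ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006)
[ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614)
[ 5.436472] stack backtrace:
"""

# lockdep prints "(class){usage}-{outer:inner}, at: function".
# Wait types with raw-lock nesting checks enabled:
# 0 = unset, 2 = raw_spinlock_t, 3 = spinlock_t, 4 = sleeping lock (mutex).
LOCK_RE = re.compile(r"\((?P<name>.+?)\)\{[^}]*\}-\{(?P<outer>\d+):(?P<inner>\d+)\}, at: (?P<func>\S+)")

def find_invalid_wait_contexts(log):
    """Return one dict per splat: the wanted lock, held locks, and blockers."""
    reports, cur, section = [], None, None
    for line in log.splitlines():
        if "BUG: Invalid wait context" in line:
            cur = {"wanted": None, "held": []}
            reports.append(cur)
            section = None
        elif cur is None:
            continue
        elif "is trying to lock:" in line:
            section = "wanted"
        elif re.search(r"\d+ locks? held by", line):
            section = "held"
        elif "stack backtrace:" in line:
            cur = None  # the lock listing for this splat is complete
        elif section and (m := LOCK_RE.search(line)):
            lock = {"name": m["name"], "func": m["func"],
                    "outer": int(m["outer"]), "inner": int(m["inner"])}
            if section == "wanted":
                cur["wanted"] = lock
            else:
                cur["held"].append(lock)
    for r in reports:
        want = r["wanted"]
        # A held lock blocks the acquisition if its wait type is set (non-zero)
        # and stricter (numerically lower) than the wanted lock's.
        r["blockers"] = [h for h in r["held"] if want and 0 < h["inner"] < want["outer"]]
    return reports

if __name__ == "__main__":
    for r in find_invalid_wait_contexts(SAMPLE):
        print(r["wanted"]["name"], "taken in", r["wanted"]["func"],
              "while holding", [b["name"] for b in r["blockers"]])
```

On the sample, the report flags gpio_lock (wait type 3) being taken in xgpio_irq_unmask while the wait-type-2 lock acquired in __setup_irq is held, which is the nesting the patch removes by making gpio_lock a raw spinlock.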
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.740Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe97f0
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 5:25:49 PM
Last updated: 8/4/2025, 11:37:47 AM