CVE-2025-22009: Linux Kernel Vulnerability Resolved - Regulator Probe Synchronization

If you're a Linux user, you might be interested in a recent vulnerability that has been resolved in the Linux kernel. It's called CVE-2025-22009, and it relates to the regulator subsystem and its probing process.

In particular, the issue was caused by a NULL pointer dereference at boot time in the kobject_get() function, leading to a call stack that included:

kobject_get()

This issue was verified by placing extra BUG_ON() statements, which showed that the 'dummy' regulator driver was not fully probed ('dummy_regulator_rdev' was still NULL). This is problematic, as the dummy_regulator_probe() and anatop_regulator_probe() functions can run on different kernel threads (kworker/u4:*). While the reasons for this were not fully investigated, the solution was to force synchronization between these two probe routines, thus fixing the NULL pointer dereference issue.

So, the fix implemented is the following code snippet that forces synchronous probing

regulator: dummy: force synchronous probing

By implementing this patch, boot time penalties because of the 'dummy' regulator are not expected to significantly impact the system. You can find the original reference to this vulnerability resolution in the Linux Kernel Mailing List.

With this fix in place, the Linux kernel is now more stable and secure, as the probability of unexpected crashes and other issues due to this vulnerability will be significantly reduced. It's always good to see patches like these being implemented, as they help maintain the overall stability and security of Linux-based systems.

Timeline

Published on: 04/08/2025 09:15:24 UTC
Last modified on: 04/10/2025 13:10:51 UTC