Linux · Linux Kernel · CVE-2024-36899
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
The issue occurs when the GPIO chip device file is being closed by invoking `gpio_chrdev_release()`: `watched_lines` is freed by `bitmap_free()`, but the unregistration of the `lineinfo_changed_nb` notifier chain fails because it is waiting on the write `rwsem`. A race condition then leads to a use-after-free of `watched_lines`. The side effect of this issue is that a GPIO line event is generated for userspace where it shouldn't be. However, since the `chrdev` is being closed, userspace won't have the chance to read that event anyway.
**Recommendations**
To fix the issue, call the `bitmap_free()` function after the unregistration of the `lineinfo_changed_nb` notifier chain.
As a temporary workaround, consider disabling the `lineinfo_changed_notify()` function until a patch is available.
Restrict access to the `gpiolib` module to minimize the risk of exploitation.
Avoid using the `watched_lines` variable in the affected API endpoint until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
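The ordering problem behind the first recommendation, as a deterministic userspace model added here for illustration (it is not kernel code): only `watched_lines` and `lineinfo_changed_notify()` come from the advisory, while the `model_*` and `run_release` names are hypothetical. It assumes one notifier call is still in flight while unregistration waits on the write `rwsem`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; names other than the kernel identifiers are hypothetical. */
struct cdev_model {
    unsigned long *watched_lines; /* stands in for the watched-lines bitmap */
    bool freed;                   /* bitmap has been released */
    bool registered;              /* notifier is still on the chain */
    int stale_accesses;           /* callback runs that hit a freed bitmap */
};

/* Stands in for lineinfo_changed_notify(), which consults watched_lines. */
static void model_notify(struct cdev_model *c) {
    if (!c->registered)
        return;
    if (c->freed)
        c->stale_accesses++;       /* in the kernel: use-after-free read */
    else
        (void)c->watched_lines[0]; /* valid read, bitmap still allocated */
}

/* Assumed: one notifier call is in flight while unregistration waits for
 * the write rwsem, and it completes before the notifier is removed. */
static void model_unregister(struct cdev_model *c) {
    model_notify(c);
    c->registered = false;
}

static void model_free(struct cdev_model *c) {
    free(c->watched_lines);
    c->watched_lines = NULL;
    c->freed = true;
}

/* Returns the stale-access count for one release ordering (-1 on OOM). */
static int run_release(bool free_first) {
    struct cdev_model c = { calloc(1, sizeof(unsigned long)), false, true, 0 };
    if (!c.watched_lines)
        return -1;
    if (free_first) { model_free(&c); model_unregister(&c); }
    else            { model_unregister(&c); model_free(&c); }
    return c.stale_accesses;
}

int main(void) {
    printf("free first: %d, unregister first: %d\n", run_release(true), run_release(false));
    return 0;
}
```

Freeing first lets the in-flight callback observe the released bitmap once; unregistering first leaves no callback that can run after the free.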