
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2025-38040) was discovered in the Linux kernel's serial mctrl_gpio driver, specifically affecting the SAMA5D27 platform using atmel_serial. The issue was identified and disclosed on June 18, 2025: a sleeping function was called from an invalid context at kernel/irq/manage.c:738 (Wiz Database).
The vulnerability occurs when disable_irq is called in mctrl_gpio_disable_ms while in an atomic context. disable_irq may sleep, which is not permitted in atomic context, and tty drivers perform modem line configuration in regions protected by the port lock. The bug is triggered specifically in the context of serial port operations: the kernel's report shows preempt_count at 1 where 0 was expected, with hardirqs disabled. The warning is emitted when a device driver tries to toggle flow control using serdev_device_set_flow_control (Debian Tracker, Wiz Database).
The vulnerability affects the Linux kernel's serial port handling, specifically the mctrl_gpio driver. When triggered, it can cause system instability due to improper interrupt handling and potential deadlock situations in the kernel's serial subsystem (Wiz Database).
The vulnerability has been resolved by splitting the mctrl_gpio_disable_ms function into two different APIs: a non-blocking version and a blocking version. The fix involves replacing mctrl_gpio_disable_ms calls with the appropriate version depending on whether the call is protected by port lock (Debian Tracker).
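To check whether a system is hitting this condition, its kernel log can be searched for the warning described above. The following is an added example, not part of the original advisory or of the kernel's code; the log text is constructed, the offsets in it are made up, and the function names find_atomic_sleep_splats and matches_advisory are hypothetical. It assumes the kernel's usual "sleeping function called from invalid context" report layout.

```python
import re

# Constructed kernel log (not captured output): one report shaped like the
# advisory's warning, followed by an unrelated one from a hypothetical driver.
SAMPLE_DMESG = """\
[   12.345678] BUG: sleeping function called from invalid context at kernel/irq/manage.c:738
[   12.345690] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 37, name: kworker/u5:0
[   12.345701] preempt_count: 1, expected: 0
[   12.345712] Call trace:
[   12.345720]  disable_irq from mctrl_gpio_disable_ms+0x44/0xc0
[   12.345731]  mctrl_gpio_disable_ms from atmel_set_termios+0x764/0x7b8
[   13.000000] random: crng init done
[   20.100000] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
[   20.100010] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 91, name: example
[   20.100020] preempt_count: 2, expected: 0
[   20.100030]  mutex_lock from example_drv_poll+0x10/0x80
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
HEAD = re.compile(r"BUG: sleeping function called from invalid context at (\S+):(\d+)")
COUNT = re.compile(r"preempt_count: ([0-9a-f]+), expected: ([0-9a-f]+)")
IRQS = re.compile(r"irqs_disabled\(\): (\d+)")
SYM = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_atomic_sleep_splats(log_text):
    """Return one dict per 'sleeping function called from invalid context' report."""
    splats, cur = [], None
    for raw in log_text.splitlines():
        line = TS.sub("", raw)
        if m := HEAD.search(line):
            cur = {"file": m.group(1), "line": int(m.group(2)),
                   "preempt_count": None, "irqs_disabled": None, "frames": []}
            splats.append(cur)
        elif cur is None:
            continue
        elif m := COUNT.search(line):
            cur["preempt_count"] = int(m.group(1), 16)  # the kernel prints this in hex
        elif m := IRQS.search(line):
            cur["irqs_disabled"] = int(m.group(1))
        elif syms := SYM.findall(line):
            cur["frames"].extend(syms)
        elif cur["frames"]:
            cur = None  # first non-frame line after the trace ends this report
    return splats

def matches_advisory(s):
    """Atomic-context sleep in kernel/irq/manage.c reached via mctrl_gpio_disable_ms."""
    return (s["file"] == "kernel/irq/manage.c" and (s["preempt_count"] or 0) > 0
            and "mctrl_gpio_disable_ms" in s["frames"])
```

The line number after manage.c differs between kernel versions, so the match keys on the source file and the mctrl_gpio_disable_ms frame rather than on 738.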
Source: This report was generated using AI