Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-57889

UNKNOWN
Published 2025-01-15T13:05:41.769Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-57889. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking

If a device uses MCP23xxx IO expander to receive IRQs, the following
bug can happen:

BUG: sleeping function called from invalid context
at kernel/locking/mutex.c:283
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...
preempt_count: 1, expected: 0
...
Call Trace:
...
__might_resched+0x104/0x10e
__might_sleep+0x3e/0x62
mutex_lock+0x20/0x4c
regmap_lock_mutex+0x10/0x18
regmap_update_bits_base+0x2c/0x66
mcp23s08_irq_set_type+0x1ae/0x1d6
__irq_set_trigger+0x56/0x172
__setup_irq+0x1e6/0x646
request_threaded_irq+0xb6/0x160
...

We observed the problem while experimenting with a touchscreen driver which
used MCP23017 IO expander (I2C).

The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from
concurrent accesses, which is the default for regmaps without .fast_io,
.disable_locking, etc.

mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter
locks the mutex.

However, __setup_irq() locks desc->lock spinlock before calling these
functions. As a result, the system tries to lock the mutex whole holding
the spinlock.

It seems, the internal regmap locks are not needed in this driver at all.
mcp->lock seems to protect the regmap from concurrent accesses already,
except, probably, in mcp_pinconf_get/set.

mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under
chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes
mcp->lock and enables regmap caching, so that the potentially slow I2C
accesses are deferred until chip_bus_unlock().

The accesses to the regmap from mcp23s08_probe_one() do not need additional
locking.

In all remaining places where the regmap is accessed, except
mcp_pinconf_get/set(), the driver already takes mcp->lock.

This patch adds locking in mcp_pinconf_get/set() and disables internal
locking in the regmap config. Among other things, it fixes the sleeping
in atomic context described above.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Linux

Linux

Affected Versions:

8f38910ba4f662222157ce07a0d5becc4328c46a 8f38910ba4f662222157ce07a0d5becc4328c46a 8f38910ba4f662222157ce07a0d5becc4328c46a 8f38910ba4f662222157ce07a0d5becc4328c46a 8f38910ba4f662222157ce07a0d5becc4328c46a 8f38910ba4f662222157ce07a0d5becc4328c46a 8f38910ba4f662222157ce07a0d5becc4328c46a
Linux

Linux

Affected Versions:

4.13 0 5.4.289 5.10.233 5.15.176 6.1.124 6.6.70 6.12.9 6.13

References

https://git.kernel.org/stable/c/788d9e9a41b81893d6bb8faa05f045c975278318
https://git.kernel.org/stable/c/c55d186376a87b468c9ee30f2195e0f3857f61a0
https://git.kernel.org/stable/c/9372e160d8211a7e17f2abff8370794f182df785
https://git.kernel.org/stable/c/0310cbad163a908d09d99c26827859365cd71fcb
https://git.kernel.org/stable/c/8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec
https://git.kernel.org/stable/c/830f838589522404cd7c2f0f540602f25034af61
https://git.kernel.org/stable/c/a37eecb705f33726f1fb7cd2a67e514a15dfe693
Published: 2025-01-15T13:05:41.769Z
Last Modified: 2025-05-04T10:05:57.500Z
Copied to clipboard!