CVE-2024-57889: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Description
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
If a device uses MCP23xxx IO expander to receive IRQs, the following
bug can happen:
BUG: sleeping function called from invalid context
at kernel/locking/mutex.c:283
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...
preempt_count: 1, expected: 0
...
Call Trace:
...
__might_resched+0x104/0x10e
__might_sleep+0x3e/0x62
mutex_lock+0x20/0x4c
regmap_lock_mutex+0x10/0x18
regmap_update_bits_base+0x2c/0x66
mcp23s08_irq_set_type+0x1ae/0x1d6
__irq_set_trigger+0x56/0x172
__setup_irq+0x1e6/0x646
request_threaded_irq+0xb6/0x160
...
We observed the problem while experimenting with a touchscreen driver which
used MCP23017 IO expander (I2C).
The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from
concurrent accesses, which is the default for regmaps without .fast_io,
.disable_locking, etc.
mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter
locks the mutex.
However, __setup_irq() locks desc->lock spinlock before calling these
functions. As a result, the system tries to lock the mutex whole holding
the spinlock.
It seems, the internal regmap locks are not needed in this driver at all.
mcp->lock seems to protect the regmap from concurrent accesses already,
except, probably, in mcp_pinconf_get/set.
mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under...
Classification
CVE ID: CVE-2024-57889
Affected Products
Vendor: Linux
Product: Linux
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 12.42% (scored less or equal to compared to others)
EPSS Date: 2025-02-13 (when was this score calculated)
References
https://git.kernel.org/stable/c/788d9e9a41b81893d6bb8faa05f045c975278318https://git.kernel.org/stable/c/c55d186376a87b468c9ee30f2195e0f3857f61a0
https://git.kernel.org/stable/c/9372e160d8211a7e17f2abff8370794f182df785
https://git.kernel.org/stable/c/0310cbad163a908d09d99c26827859365cd71fcb
https://git.kernel.org/stable/c/8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec
https://git.kernel.org/stable/c/830f838589522404cd7c2f0f540602f25034af61
https://git.kernel.org/stable/c/a37eecb705f33726f1fb7cd2a67e514a15dfe693