CVE-2024-57889

pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following
bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which
used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from
concurrent accesses, which is the default for regmaps without .fast_io,
.disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter
locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these
functions. As a result, the system tries to lock the mutex whole holding
the spinlock. It seems, the internal regmap locks are not needed in this driver at all.
mcp->lock seems to protect the regmap from concurrent accesses already,
except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under
chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes
mcp->lock and enables regmap caching, so that the potentially slow I2C
accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional
locking. In all remaining places where the regmap is accessed, except
mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal
locking in the regmap config. Among other things, it fixes the sleeping
in atomic context described above.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pinctrl: mcp23s08: Se corrige la suspensión en un contexto atómico debido al bloqueo de regmap Si un dispositivo usa el expansor de E/S MCP23xxx para recibir IRQ, puede ocurrir el siguiente error: ERROR: función de suspensión llamada desde un contexto no válido en kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Seguimiento de llamadas: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 Observamos el problema mientras experimentábamos con un controlador de pantalla táctil que usaba el expansor de E/S MCP23017 (I2C). El mapa de reglas en el controlador pinctrl-mcp23s08 usa un mutex para protección contra accesos concurrentes, que es el valor predeterminado para los mapas de reglas sin .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() llama a regmap_update_bits_base(), y este último bloquea el mutex. Sin embargo, __setup_irq() bloquea el spinlock desc->lock antes de llamar a estas funciones. Como resultado, el sistema intenta bloquear el mutex que contiene el spinlock. Parece que los bloqueos internos del mapa de reglas no son necesarios en este controlador en absoluto. mcp->lock parece proteger el mapa de reglas de accesos concurrentes, excepto, probablemente, en mcp_pinconf_get/set. mcp23s08_irq_set_type() y mcp23s08_irq_mask/unmask() se llaman bajo chip_bus_lock(), que llama a mcp23s08_irq_bus_lock(). Este último toma mcp->lock y habilita el almacenamiento en caché del mapa de reglas, de modo que los accesos I2C potencialmente lentos se posponen hasta chip_bus_unlock(). Los accesos al mapa de reglas desde mcp23s08_probe_one() no necesitan bloqueo adicional. En todos los lugares restantes donde se accede al mapa de reglas, excepto mcp_pinconf_get/set(), el controlador ya toma mcp->lock. Este parche agrega bloqueo en mcp_pinconf_get/set() y deshabilita el bloqueo interno en la configuración de regmap. Entre otras cosas, corrige el problema de suspensión en el contexto atómico descrito anteriormente.

In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock. It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional locking. In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-01-11 CVE Reserved
2025-01-15 CVE Published
2025-01-15 CVE Updated
2025-01-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/8f38910ba4f662222157ce07a0d5becc4328c46a	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/788d9e9a41b81893d6bb8faa05f045c975278318	2025-01-09
https://git.kernel.org/stable/c/c55d186376a87b468c9ee30f2195e0f3857f61a0	2025-01-09
https://git.kernel.org/stable/c/9372e160d8211a7e17f2abff8370794f182df785	2025-01-09
https://git.kernel.org/stable/c/0310cbad163a908d09d99c26827859365cd71fcb	2025-01-09
https://git.kernel.org/stable/c/8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec	2025-01-09
https://git.kernel.org/stable/c/830f838589522404cd7c2f0f540602f25034af61	2025-01-09
https://git.kernel.org/stable/c/a37eecb705f33726f1fb7cd2a67e514a15dfe693	2024-12-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.13 < 5.4.289 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.13 < 5.4.289"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.13 < 5.10.233 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.13 < 5.10.233"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.13 < 5.15.176 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.13 < 5.15.176"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.13 < 6.1.124 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.13 < 6.1.124"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.13 < 6.6.70 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.13 < 6.6.70"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.13 < 6.12.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.13 < 6.12.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.13 < 6.13-rc6 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.13 < 6.13-rc6"		en		Affected