{"uuid": "6e46ad47-0c84-4d6a-913c-12738fd85880", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-57889", "type": "seen", "source": "https://t.me/cvedetector/15455", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-57889 - Linux Kernel PineA64 Pinctrl regmap(mutex)\", \n  \"Content\": \"CVE ID : CVE-2024-57889 \nPublished : Jan. 15, 2025, 1:15 p.m. | 36\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \npinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking  \n  \nIf a device uses MCP23xxx IO expander to receive IRQs, the following  \nbug can happen:  \n  \n  BUG: sleeping function called from invalid context  \n    at kernel/locking/mutex.c:283  \n  in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...  \n  preempt_count: 1, expected: 0  \n  ...  \n  Call Trace:  \n  ...  \n  __might_resched+0x104/0x10e  \n  __might_sleep+0x3e/0x62  \n  mutex_lock+0x20/0x4c  \n  regmap_lock_mutex+0x10/0x18  \n  regmap_update_bits_base+0x2c/0x66  \n  mcp23s08_irq_set_type+0x1ae/0x1d6  \n  __irq_set_trigger+0x56/0x172  \n  __setup_irq+0x1e6/0x646  \n  request_threaded_irq+0xb6/0x160  \n  ...  \n  \nWe observed the problem while experimenting with a touchscreen driver which  \nused MCP23017 IO expander (I2C).  \n  \nThe regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from  \nconcurrent accesses, which is the default for regmaps without .fast_io,  \n.disable_locking, etc.  \n  \nmcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter  \nlocks the mutex.  \n  \nHowever, __setup_irq() locks desc->lock spinlock before calling these  \nfunctions. As a result, the system tries to lock the mutex whole holding  \nthe spinlock.  \n  \nIt seems, the internal regmap locks are not needed in this driver at all.  \nmcp->lock seems to protect the regmap from concurrent accesses already,  \nexcept, probably, in mcp_pinconf_get/set.  \n  \nmcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under  \nchip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes  \nmcp->lock and enables regmap caching, so that the potentially slow I2C  \naccesses are deferred until chip_bus_unlock().  \n  \nThe accesses to the regmap from mcp23s08_probe_one() do not need additional  \nlocking.  \n  \nIn all remaining places where the regmap is accessed, except  \nmcp_pinconf_get/set(), the driver already takes mcp->lock.  \n  \nThis patch adds locking in mcp_pinconf_get/set() and disables internal  \nlocking in the regmap config. Among other things, it fixes the sleeping  \nin atomic context described above. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"15 Jan 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-01-15T15:07:02.000000Z"}