{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-57889","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-01-11T14:45:42.027Z","datePublished":"2025-01-15T13:05:41.769Z","dateUpdated":"2025-11-03T20:54:59.702Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T10:05:57.500Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking\n\nIf a device uses MCP23xxx IO expander to receive IRQs, the following\nbug can happen:\n\n  BUG: sleeping function called from invalid context\n    at kernel/locking/mutex.c:283\n  in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...\n  preempt_count: 1, expected: 0\n  ...\n  Call Trace:\n  ...\n  __might_resched+0x104/0x10e\n  __might_sleep+0x3e/0x62\n  mutex_lock+0x20/0x4c\n  regmap_lock_mutex+0x10/0x18\n  regmap_update_bits_base+0x2c/0x66\n  mcp23s08_irq_set_type+0x1ae/0x1d6\n  __irq_set_trigger+0x56/0x172\n  __setup_irq+0x1e6/0x646\n  request_threaded_irq+0xb6/0x160\n  ...\n\nWe observed the problem while experimenting with a touchscreen driver which\nused MCP23017 IO expander (I2C).\n\nThe regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from\nconcurrent accesses, which is the default for regmaps without .fast_io,\n.disable_locking, etc.\n\nmcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter\nlocks the mutex.\n\nHowever, __setup_irq() locks desc->lock spinlock before calling these\nfunctions. As a result, the system tries to lock the mutex whole holding\nthe spinlock.\n\nIt seems, the internal regmap locks are not needed in this driver at all.\nmcp->lock seems to protect the regmap from concurrent accesses already,\nexcept, probably, in mcp_pinconf_get/set.\n\nmcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under\nchip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes\nmcp->lock and enables regmap caching, so that the potentially slow I2C\naccesses are deferred until chip_bus_unlock().\n\nThe accesses to the regmap from mcp23s08_probe_one() do not need additional\nlocking.\n\nIn all remaining places where the regmap is accessed, except\nmcp_pinconf_get/set(), the driver already takes mcp->lock.\n\nThis patch adds locking in mcp_pinconf_get/set() and disables internal\nlocking in the regmap config. Among other things, it fixes the sleeping\nin atomic context described above."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/pinctrl/pinctrl-mcp23s08.c"],"versions":[{"version":"8f38910ba4f662222157ce07a0d5becc4328c46a","lessThan":"788d9e9a41b81893d6bb8faa05f045c975278318","status":"affected","versionType":"git"},{"version":"8f38910ba4f662222157ce07a0d5becc4328c46a","lessThan":"c55d186376a87b468c9ee30f2195e0f3857f61a0","status":"affected","versionType":"git"},{"version":"8f38910ba4f662222157ce07a0d5becc4328c46a","lessThan":"9372e160d8211a7e17f2abff8370794f182df785","status":"affected","versionType":"git"},{"version":"8f38910ba4f662222157ce07a0d5becc4328c46a","lessThan":"0310cbad163a908d09d99c26827859365cd71fcb","status":"affected","versionType":"git"},{"version":"8f38910ba4f662222157ce07a0d5becc4328c46a","lessThan":"8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec","status":"affected","versionType":"git"},{"version":"8f38910ba4f662222157ce07a0d5becc4328c46a","lessThan":"830f838589522404cd7c2f0f540602f25034af61","status":"affected","versionType":"git"},{"version":"8f38910ba4f662222157ce07a0d5becc4328c46a","lessThan":"a37eecb705f33726f1fb7cd2a67e514a15dfe693","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/pinctrl/pinctrl-mcp23s08.c"],"versions":[{"version":"4.13","status":"affected"},{"version":"0","lessThan":"4.13","status":"unaffected","versionType":"semver"},{"version":"5.4.289","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.233","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.176","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.124","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.70","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.9","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.4.289"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.10.233"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.15.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.1.124"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.6.70"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.12.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/788d9e9a41b81893d6bb8faa05f045c975278318"},{"url":"https://git.kernel.org/stable/c/c55d186376a87b468c9ee30f2195e0f3857f61a0"},{"url":"https://git.kernel.org/stable/c/9372e160d8211a7e17f2abff8370794f182df785"},{"url":"https://git.kernel.org/stable/c/0310cbad163a908d09d99c26827859365cd71fcb"},{"url":"https://git.kernel.org/stable/c/8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec"},{"url":"https://git.kernel.org/stable/c/830f838589522404cd7c2f0f540602f25034af61"},{"url":"https://git.kernel.org/stable/c/a37eecb705f33726f1fb7cd2a67e514a15dfe693"}],"title":"pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T20:54:59.702Z"}}]}}