| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025011512-CVE-2024-57889-a2a5@gregkh>
Date: Wed, 15 Jan 2025 14:06:12 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-57889: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
If a device uses MCP23xxx IO expander to receive IRQs, the following
bug can happen:
BUG: sleeping function called from invalid context
at kernel/locking/mutex.c:283
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...
preempt_count: 1, expected: 0
...
Call Trace:
...
__might_resched+0x104/0x10e
__might_sleep+0x3e/0x62
mutex_lock+0x20/0x4c
regmap_lock_mutex+0x10/0x18
regmap_update_bits_base+0x2c/0x66
mcp23s08_irq_set_type+0x1ae/0x1d6
__irq_set_trigger+0x56/0x172
__setup_irq+0x1e6/0x646
request_threaded_irq+0xb6/0x160
...
We observed the problem while experimenting with a touchscreen driver which
used MCP23017 IO expander (I2C).
The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from
concurrent accesses, which is the default for regmaps without .fast_io,
.disable_locking, etc.
mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter
locks the mutex.
However, __setup_irq() locks desc->lock spinlock before calling these
functions. As a result, the system tries to lock the mutex whole holding
the spinlock.
It seems, the internal regmap locks are not needed in this driver at all.
mcp->lock seems to protect the regmap from concurrent accesses already,
except, probably, in mcp_pinconf_get/set.
mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under
chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes
mcp->lock and enables regmap caching, so that the potentially slow I2C
accesses are deferred until chip_bus_unlock().
The accesses to the regmap from mcp23s08_probe_one() do not need additional
locking.
In all remaining places where the regmap is accessed, except
mcp_pinconf_get/set(), the driver already takes mcp->lock.
This patch adds locking in mcp_pinconf_get/set() and disables internal
locking in the regmap config. Among other things, it fixes the sleeping
in atomic context described above.
The Linux kernel CVE team has assigned CVE-2024-57889 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 5.4.289 with commit 788d9e9a41b81893d6bb8faa05f045c975278318
Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 5.10.233 with commit c55d186376a87b468c9ee30f2195e0f3857f61a0
Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 5.15.176 with commit 9372e160d8211a7e17f2abff8370794f182df785
Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.1.124 with commit 0310cbad163a908d09d99c26827859365cd71fcb
Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.6.70 with commit 8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec
Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.12.9 with commit 830f838589522404cd7c2f0f540602f25034af61
Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.13-rc6 with commit a37eecb705f33726f1fb7cd2a67e514a15dfe693
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-57889
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/pinctrl/pinctrl-mcp23s08.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/788d9e9a41b81893d6bb8faa05f045c975278318
https://git.kernel.org/stable/c/c55d186376a87b468c9ee30f2195e0f3857f61a0
https://git.kernel.org/stable/c/9372e160d8211a7e17f2abff8370794f182df785
https://git.kernel.org/stable/c/0310cbad163a908d09d99c26827859365cd71fcb
https://git.kernel.org/stable/c/8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec
https://git.kernel.org/stable/c/830f838589522404cd7c2f0f540602f25034af61
https://git.kernel.org/stable/c/a37eecb705f33726f1fb7cd2a67e514a15dfe693
Powered by blists - more mailing lists