cve/published/2024/CVE-2024-57889.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57889: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking

 If a device uses MCP23xxx IO expander to receive IRQs, the following
 bug can happen:

   BUG: sleeping function called from invalid context
     at kernel/locking/mutex.c:283
   in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...
   preempt_count: 1, expected: 0
   ...
   Call Trace:
   ...
   __might_resched+0x104/0x10e
   __might_sleep+0x3e/0x62
   mutex_lock+0x20/0x4c
   regmap_lock_mutex+0x10/0x18
   regmap_update_bits_base+0x2c/0x66
   mcp23s08_irq_set_type+0x1ae/0x1d6
   __irq_set_trigger+0x56/0x172
   __setup_irq+0x1e6/0x646
   request_threaded_irq+0xb6/0x160
   ...

 We observed the problem while experimenting with a touchscreen driver which
 used MCP23017 IO expander (I2C).

 The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from
 concurrent accesses, which is the default for regmaps without .fast_io,
 .disable_locking, etc.

 mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter
 locks the mutex.

 However, __setup_irq() locks desc->lock spinlock before calling these
 functions. As a result, the system tries to lock the mutex whole holding
 the spinlock.

 It seems, the internal regmap locks are not needed in this driver at all.
 mcp->lock seems to protect the regmap from concurrent accesses already,
 except, probably, in mcp_pinconf_get/set.

 mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under
 chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes
 mcp->lock and enables regmap caching, so that the potentially slow I2C
 accesses are deferred until chip_bus_unlock().

 The accesses to the regmap from mcp23s08_probe_one() do not need additional
 locking.

 In all remaining places where the regmap is accessed, except
 mcp_pinconf_get/set(), the driver already takes mcp->lock.

 This patch adds locking in mcp_pinconf_get/set() and disables internal
 locking in the regmap config. Among other things, it fixes the sleeping
 in atomic context described above.

 The Linux kernel CVE team has assigned CVE-2024-57889 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 5.4.289 with commit 788d9e9a41b81893d6bb8faa05f045c975278318
 	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 5.10.233 with commit c55d186376a87b468c9ee30f2195e0f3857f61a0
 	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 5.15.176 with commit 9372e160d8211a7e17f2abff8370794f182df785
 	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.1.124 with commit 0310cbad163a908d09d99c26827859365cd71fcb
 	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.6.70 with commit 8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec
 	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.12.9 with commit 830f838589522404cd7c2f0f540602f25034af61
 	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.13 with commit a37eecb705f33726f1fb7cd2a67e514a15dfe693

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57889
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/pinctrl/pinctrl-mcp23s08.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/788d9e9a41b81893d6bb8faa05f045c975278318
 	https://git.kernel.org/stable/c/c55d186376a87b468c9ee30f2195e0f3857f61a0
 	https://git.kernel.org/stable/c/9372e160d8211a7e17f2abff8370794f182df785
 	https://git.kernel.org/stable/c/0310cbad163a908d09d99c26827859365cd71fcb
 	https://git.kernel.org/stable/c/8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec
 	https://git.kernel.org/stable/c/830f838589522404cd7c2f0f540602f25034af61
 	https://git.kernel.org/stable/c/a37eecb705f33726f1fb7cd2a67e514a15dfe693
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57889: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking

	If a device uses MCP23xxx IO expander to receive IRQs, the following
	bug can happen:

	BUG: sleeping function called from invalid context
	at kernel/locking/mutex.c:283
	in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...
	preempt_count: 1, expected: 0
	...
	Call Trace:
	...
	__might_resched+0x104/0x10e
	__might_sleep+0x3e/0x62
	mutex_lock+0x20/0x4c
	regmap_lock_mutex+0x10/0x18
	regmap_update_bits_base+0x2c/0x66
	mcp23s08_irq_set_type+0x1ae/0x1d6
	__irq_set_trigger+0x56/0x172
	__setup_irq+0x1e6/0x646
	request_threaded_irq+0xb6/0x160
	...

	We observed the problem while experimenting with a touchscreen driver which
	used MCP23017 IO expander (I2C).

	The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from
	concurrent accesses, which is the default for regmaps without .fast_io,
	.disable_locking, etc.

	mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter
	locks the mutex.

	However, __setup_irq() locks desc->lock spinlock before calling these
	functions. As a result, the system tries to lock the mutex whole holding
	the spinlock.

	It seems, the internal regmap locks are not needed in this driver at all.
	mcp->lock seems to protect the regmap from concurrent accesses already,
	except, probably, in mcp_pinconf_get/set.

	mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under
	chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes
	mcp->lock and enables regmap caching, so that the potentially slow I2C
	accesses are deferred until chip_bus_unlock().

	The accesses to the regmap from mcp23s08_probe_one() do not need additional
	locking.

	In all remaining places where the regmap is accessed, except
	mcp_pinconf_get/set(), the driver already takes mcp->lock.

	This patch adds locking in mcp_pinconf_get/set() and disables internal
	locking in the regmap config. Among other things, it fixes the sleeping
	in atomic context described above.

	The Linux kernel CVE team has assigned CVE-2024-57889 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 5.4.289 with commit 788d9e9a41b81893d6bb8faa05f045c975278318
	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 5.10.233 with commit c55d186376a87b468c9ee30f2195e0f3857f61a0
	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 5.15.176 with commit 9372e160d8211a7e17f2abff8370794f182df785
	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.1.124 with commit 0310cbad163a908d09d99c26827859365cd71fcb
	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.6.70 with commit 8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec
	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.12.9 with commit 830f838589522404cd7c2f0f540602f25034af61
	Issue introduced in 4.13 with commit 8f38910ba4f662222157ce07a0d5becc4328c46a and fixed in 6.13 with commit a37eecb705f33726f1fb7cd2a67e514a15dfe693

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57889
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/pinctrl/pinctrl-mcp23s08.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/788d9e9a41b81893d6bb8faa05f045c975278318
	https://git.kernel.org/stable/c/c55d186376a87b468c9ee30f2195e0f3857f61a0
	https://git.kernel.org/stable/c/9372e160d8211a7e17f2abff8370794f182df785
	https://git.kernel.org/stable/c/0310cbad163a908d09d99c26827859365cd71fcb
	https://git.kernel.org/stable/c/8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec
	https://git.kernel.org/stable/c/830f838589522404cd7c2f0f540602f25034af61
	https://git.kernel.org/stable/c/a37eecb705f33726f1fb7cd2a67e514a15dfe693