CVE-2024-42129 in Linux
Summary
by MITRE • 07/30/2024
In the Linux kernel, the following vulnerability has been resolved:
leds: mlxreg: Use devm_mutex_init() for mutex initialization
In this driver LEDs are registered using devm_led_classdev_register() so they are automatically unregistered after module's remove() is done. led_classdev_unregister() calls module's led_set_brightness() to turn off the LEDs and that callback uses mutex which was destroyed already in module's remove() so use devm API instead.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/29/2025
The vulnerability identified as CVE-2024-42129 resides within the Linux kernel's mlxreg LED driver subsystem, representing a critical synchronization issue that can lead to system instability and potential security implications. This flaw specifically affects the management of LED device registration and deregistration processes within the Mellanox register access driver. The vulnerability stems from improper mutex initialization handling during the driver's module removal sequence, creating a race condition that can result in use-after-free scenarios and system crashes.
The technical root cause of this vulnerability lies in the improper initialization of a mutex within the mlxreg LED driver implementation. When LEDs are registered using the devm_led_classdev_register() function, the driver correctly implements device management semantics that automatically handle cleanup during module removal. However, the mutex used for protecting LED brightness operations was initialized using the standard mutex_init() function rather than the device-managed devm_mutex_init() function. This discrepancy creates a scenario where the mutex is destroyed during module removal before the led_classdev_unregister() function can properly execute its callback chain, specifically the led_set_brightness() function that requires the mutex to be valid.
The operational impact of this vulnerability extends beyond simple system instability to potentially enable privilege escalation and denial of service conditions. When the module is removed, the destruction of the mutex occurs before the automatic cleanup of LED devices, leading to a use-after-free condition that can be exploited by malicious actors. The vulnerability is particularly concerning because it operates at the kernel level where such issues can compromise the entire system's integrity and availability. Attackers could potentially trigger this condition through module loading and unloading operations, causing system crashes or potentially enabling more sophisticated exploitation techniques that leverage the unstable memory state created by the improper mutex destruction.
The mitigation strategy for CVE-2024-42129 involves implementing the device-managed mutex initialization approach throughout the mlxreg LED driver. This change ensures that mutex lifecycle management aligns with the device management patterns already established by the devm_led_classdev_register() function. The fix requires replacing the standard mutex_init() call with devm_mutex_init() to ensure proper resource cleanup and synchronization during module operations. This approach aligns with the principle of device-managed resource allocation and follows the established patterns within the Linux kernel's device management subsystem. The solution directly addresses the underlying CWE-415: Double Free vulnerability category and prevents the improper resource management patterns that could lead to system compromise. This remediation follows the ATT&CK technique of privilege escalation through kernel exploitation by ensuring proper synchronization mechanisms during driver lifecycle operations, thereby reducing the attack surface and preventing potential exploitation of the use-after-free condition that could otherwise be leveraged for system compromise.