CVE-2024-57889 in Linux
Summary
by MITRE • 01/15/2025
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen:
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ...
We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C).
The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc.
mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex.
However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock.
It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set.
mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock().
The accesses to the regmap from mcp23s08_probe_one() do not need additional locking.
In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock.
This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/09/2026
The vulnerability described in CVE-2024-57889 represents a critical concurrency issue within the Linux kernel's pinctrl subsystem, specifically affecting the mcp23s08 driver implementation. This flaw manifests when devices utilizing MCP23xxx IO expanders for interrupt handling encounter a scenario where sleeping functions are invoked from invalid atomic contexts. The root cause stems from improper locking mechanisms within the driver's interaction with regmap infrastructure, creating a deadlock condition that violates fundamental kernel concurrency principles. The vulnerability directly impacts systems using touchscreen drivers or similar interrupt-based peripherals that rely on MCP23017 IO expanders via I2C interfaces.
The technical implementation flaw occurs due to conflicting locking strategies within the driver architecture. The mcp23s08_irq_set_type() function attempts to call regmap_update_bits_base() which internally acquires a mutex lock, while the calling context already holds a spinlock through __setup_irq() function. This creates an atomic context violation where the kernel's mutex_lock() function detects it's being called from an atomic context and triggers the BUG message. The system's locking hierarchy becomes incompatible as the mutex acquisition occurs while holding a spinlock, violating kernel locking semantics and potentially causing system crashes or hangs. This represents a classic deadlock scenario that can be categorized under CWE-362: Concurrent Execution using Shared Resource with Unprotected Read-Write Access, though specifically manifesting in kernel atomic context violations.
The operational impact of this vulnerability extends beyond simple system instability to potentially compromise device functionality and system reliability in embedded and IoT environments where MCP23xxx IO expanders are commonly deployed. Systems using touchscreen drivers or interrupt-based peripheral controllers that rely on the mcp23s08 driver implementation could experience complete system lockups or kernel panics when interrupt handlers are invoked. The vulnerability affects all Linux kernel versions that include the pinctrl-mcp23s08 driver implementation, particularly impacting devices in automotive, industrial, and embedded systems where reliable interrupt handling is critical. The issue can manifest during device initialization or when interrupt events occur, making it difficult to predict and isolate the exact conditions that trigger the failure.
The mitigation strategy for this vulnerability involves implementing proper locking mechanisms within the driver while disabling the internal regmap locking that conflicts with the existing driver-level protection. The fix requires adding appropriate locking in mcp_pinconf_get/set() functions to ensure proper synchronization, while simultaneously disabling the internal regmap locking through configuration changes. This approach aligns with ATT&CK technique T1547.001: Registry Run Keys / Startup Folder, though in this context it relates to proper kernel driver initialization and locking configuration. The solution ensures that the existing mcp->lock mechanism, which already provides sufficient protection for most driver operations, remains the primary synchronization primitive while eliminating the conflicting mutex acquisition that causes the atomic context violation. This patch addresses the core issue by restructuring the locking hierarchy to prevent the scenario where sleeping functions are called from atomic contexts, thereby maintaining system stability while preserving the intended functionality of the IO expander driver. The fix demonstrates proper adherence to kernel development practices and concurrency control principles, ensuring that device drivers maintain predictable behavior under all operational conditions.