CVE-2024-57889: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57889 affects the Linux kernel's pinctrl-mcp23s08 driver, specifically related to a sleeping in atomic context issue due to regmap locking. The vulnerability was discovered when using MCP23xxx IO expander for IRQs, and was disclosed on January 15, 2025. The issue affects Linux kernel systems using the MCP23xxx IO expander devices, particularly in configurations where the device is used to receive IRQs (NVD).

The vulnerability occurs when the pinctrl-mcp23s08 driver attempts to lock a mutex while holding a spinlock, which is not allowed in the Linux kernel. Specifically, mcp23s08irqsettype() calls regmapupdatebitsbase(), which attempts to lock a mutex, while _setupirq() has already locked desc->lock spinlock. The regmap in the driver uses a mutex for protection from concurrent accesses by default, but this creates a conflict when combined with spinlock operations (Kernel Commit).

When triggered, the vulnerability causes a system bug that manifests as a 'sleeping function called from invalid context' error. This occurs in atomic context at kernel/locking/mutex.c:283, with irqsdisabled and incorrect preemptcount values, potentially leading to system instability or crashes (Kernel Commit).

The issue has been fixed by adding proper locking in mcppinconfget/set() and disabling internal locking in the regmap config. The fix involves adding mutexlock/unlock operations around critical sections and setting .disablelocking = true in the regmap configuration. The patch has been included in various Linux kernel versions, including 5.10.234-1 and 6.1.128-1~deb11u1 for Debian systems (Debian LTS).