CVE-2024-42090: pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER
In create_pinctrl(), pinctrl_maps_mutex is acquired before calling
add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()
calls pinctrl_free(). However, pinctrl_free() attempts to acquire
pinctrl_maps_mutex, which is already held by create_pinctrl(), leading to
a potential deadlock.
This patch resolves the issue by releasing pinctrl_maps_mutex before
calling pinctrl_free(), preventing the deadlock.
This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.
Security readout for executives and security teams
Plain-English summary
CVE-2024-42090 is a Linux kernel bug that can cause a deadlock while setting up pin control resources. In business terms, this is mainly an availability concern: affected systems could hang in specific hardware or driver initialization paths. The sources do not show active exploitation or a public severity score.
Executive priority
Handle through normal kernel patch governance unless affected devices show instability or are operationally critical. There is no cited active exploitation, but kernel deadlocks can disrupt availability, so defer only with documented vendor risk acceptance.
Technical view
The issue is in create_pinctrl(). It holds pinctrl_maps_mutex, then calls add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl() calls pinctrl_free(), which attempts to acquire the same mutex and can deadlock. The kernel fix releases pinctrl_maps_mutex before calling pinctrl_free().
Likely exposure
Exposure is most relevant to Linux systems using affected kernel builds and pinctrl driver paths, especially hardware-dependent environments. The bundle lists Linux kernel versions and multiple stable commits, but precise affected and fixed ranges should be confirmed against the running distribution or vendor advisory.
Exploitation context
The provided sources describe a kernel deadlock discovered by Coverity SAST. They do not provide evidence of active exploitation, public exploit availability, or inclusion in CISA KEV. Treat this as a reliability and denial-of-service risk until vendor-specific impact is confirmed.
Researcher notes
Evidence supports a mutex re-entry deadlock in the pinctrl subsystem during -EPROBE_DEFER handling. The source bundle does not include CVSS, CWE, exploitability analysis, or complete branch range semantics, so validation should rely on vendor kernel package metadata and referenced stable commits.
Mitigation direction
Update affected Linux kernels using your distribution or device vendor guidance.
Prioritize systems where pinctrl drivers are relevant to boot or device initialization.
Review Debian LTS and Siemens advisories if those ecosystems apply.
Schedule required reboots after kernel package updates.
Track kernel stable fixes referenced for your maintained branch.
Validation and detection
Inventory running kernel versions across servers, appliances, and embedded devices.
Map each kernel to vendor advisories or stable fix commits.
Confirm updated packages include the CVE-2024-42090 fix.
Check whether affected systems use relevant pinctrl paths or hardware drivers.
Monitor for boot-time or driver-probe hangs before and after patching.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-42090 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.