Linux Kernel MCP251X Driver Deadlock Vulnerability in Error Handling Path

A deadlock vulnerability has been identified in the Linux kernel MCP251X CAN bus controller driver, specifically within the 'mcp251x_open' function. This issue arises when 'free_irq' is called in the error handling path while holding the 'mpc_lock' mutex. If an interrupt occurs at this time, the interrupt handler will be blocked waiting for the mutex, creating a deadlock situation. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability leads to a deadlock condition, where the 'free_irq' function is unable to complete because it is waiting for the interrupt handler to finish, while the handler is blocked waiting for the 'mpc_lock' mutex to be released.

Reproduction

To reproduce this vulnerability, trigger an interrupt during the execution of the 'mcp251x_open' function. The interrupt handler will wait for the 'mpc_lock' mutex, which is held by 'mcp251x_open'. If 'free_irq' is called while the mutex is held, it will create a deadlock, as 'free_irq' must wait for the handler to finish, which cannot happen until the mutex is released.

Remediation

The vulnerability has been addressed by modifying the 'mcp251x_open' function to release the 'mpc_lock' mutex before calling 'free_irq'. This change ensures that 'free_irq' can execute without causing a deadlock. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.