CVE-2024-40965: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's I2C subsystem (CVE-2024-40965) was discovered, affecting versions up to (excluding) 6.9.7. The issue involves improper locking in the LPI2C driver when repeatedly calling clkgetrate during data transfers. The vulnerability was discovered when a deadlock was observed while adding a tlv320aic32x4 audio codec to the system (NVD).

The vulnerability stems from incorrect handling of clock rate queries in the LPI2C driver. When a clock provider adds its clock, the clk mutex is already locked, but it needs to access I2C, which in turn requires the mutex for clkgetrate, resulting in a deadlock condition. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access required with low attack complexity (NVD).

The vulnerability can lead to a system deadlock when attempting to add certain audio codecs, specifically observed with the tlv320aic32x4 audio codec. This can result in system availability issues, potentially affecting the normal operation of I2C bus communications (NVD).

The vulnerability has been fixed by modifying the LPI2C driver to cache the clock rate value instead of repeatedly calling clkgetrate for each transfer. The fix involves locking the parent clock rate and storing it in a new rate_per variable. Updates are available in various Linux kernel versions, including 6.8.0-44.44 for Ubuntu 24.04 LTS and 5.15.0-133.144 for Ubuntu 22.04 LTS (Ubuntu Security, Kernel Patch).