CVE-2024-46846: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-46846 affects the Linux kernel's SPI Rockchip driver. The vulnerability was discovered when a previous commit (e882575efc77) introduced an issue with runtime PM and system PM handling. The vulnerability affects Linux kernel versions from 5.18 up to (excluding) 6.1.110, 6.2 up to (excluding) 6.6.51, and 6.7 up to (excluding) 6.10.10, as well as various release candidates of version 6.11 (NVD).

The vulnerability stems from improper handling of power management states in the SPI Rockchip driver. The issue occurs when the device is already runtime suspended during system sleep, causing double-disable of clocks and producing a warning. The vulnerability has a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to system instability due to improper clock management in the SPI Rockchip driver. When exploited, it causes unbalanced power management states, specifically affecting devices that are runtime suspended during system sleep operations (Kernel Patch).

The issue has been fixed by switching back to using pmruntimeforce_{suspend,resume}() functions and refactoring the resume() error handling. The fix is included in various kernel versions through patches. Users should update their Linux kernel to the latest patched version (Kernel Patch).