CVE-2024-49985: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49985 affects the Linux kernel's I2C subsystem, specifically the STM32F7 I2C bus controller implementation. The vulnerability was discovered in October 2024 and affects Linux kernel versions from 5.0 up to versions before 5.10.227, 5.15.168, 6.1.113, 6.6.55, 6.10.14, and 6.11.3. The issue involves improper locking mechanisms in the clock controller's runtime suspend/resume functionality (NVD).

The vulnerability stems from a deadlock condition in the drivers/clk/clk.c prepare_lock mutex. When a clock controller (such as Versaclock or AIC32x4 I2C codec) is attached to the I2C bus controller, an I2C transfer triggered from the clock controller's clk_ops .prepare callback can cause a deadlock. This occurs because the clock controller first acquires the prepare_lock mutex and then performs the prepare operation, including I2C access. The I2C access triggers the bus controller's .runtime_resume callback, which attempts to acquire the same prepare_lock mutex again, resulting in a deadlock. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a deadlock condition in the Linux kernel's I2C subsystem, potentially causing a denial of service on affected systems. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been patched by modifying the clock handling during runtime suspend/resume operations. Instead of using clk_prepare_enable() and clk_disable_unprepare(), the fix implements simple clk_enable()/clk_disable() calls since the clocks are already prepared during probe() and unprepared in remove(). This change avoids hitting the prepare_lock mutex and prevents the deadlock condition (Kernel Patch).