PT-2024-33825 · Linux+7 · Linux Kernel+7
Published: 2024-10-21 · Updated: 2025-09-29
CVE-2024-49985
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.6.58
Description:
A vulnerability in the Linux kernel has been resolved, specifically in the i2c: stm32f7 module. The issue occurs when a clock controller, such as a Versaclock or the AIC32x4 I2C codec, is attached to the I2C bus controller. An I2C transfer triggered from the clock controller's clk_ops .prepare callback may cause a deadlock on the prepare_lock mutex in drivers/clk/clk.c. This happens because the clock controller grabs the prepare_lock mutex, performs the prepare operation, including I2C access, and then attempts to grab the prepare_lock mutex again, resulting in a deadlock. The fix involves using simple clk_enable() and clk_disable() calls to enable and disable the clock on runtime suspend and resume, avoiding the prepare_lock mutex.
Recommendations:
For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider disabling the clk_prepare_enable() function until a patch is available. Restrict access to the prepare_lock mutex to minimize the risk of exploitation. Avoid using the clk_ops .prepare callback in the affected I2C bus controller until the issue is resolved.
Weakness Enumeration:
Improper Locking
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu