CVE-2024-49985 is a vulnerability identified in the Linux kernel specifically affecting the I2C bus controller implementation for the stm32f7 platform. The issue arises from improper handling of clock controller operations during runtime suspend and resume sequences. In particular, when a clock controller (such as Versaclock or an AIC32x4 I2C codec) is attached to the I2C bus controller, an I2C transfer initiated from the clock controller's clk_ops.prepare callback can cause a deadlock. This deadlock occurs because the clock controller first acquires the prepare_lock mutex and then performs an I2C transfer that triggers the I2C bus controller's runtime_resume callback. The runtime_resume callback calls clk_prepare_enable(), which attempts to acquire the same prepare_lock mutex again, resulting in a deadlock due to the mutex being already held. The root cause is the recursive locking attempt on prepare_lock during clock prepare operations. The fix involves changing the clock enable/disable calls during runtime suspend and resume to use clk_enable()/clk_disable() instead of prepare/unprepare, as the clocks are already prepared during probe() and unprepared during remove(). This prevents the recursive locking and deadlock scenario. The vulnerability affects Linux kernel versions identified by the commit hash 4e7bca6fc07bf9526d797b9787dcb21e40cd10cf and similar revisions. No known exploits are reported in the wild as of the publication date (October 21, 2024).

For European organizations, the primary impact of this vulnerability is potential system instability or denial of service (DoS) on devices running affected Linux kernel versions with stm32f7 I2C bus controllers and attached clock controllers. This is particularly relevant for embedded systems, industrial control systems, and IoT devices that rely on these specific hardware components and Linux kernel versions. A deadlock in the kernel can cause the affected device to hang or become unresponsive, disrupting critical operations. While this vulnerability does not directly lead to privilege escalation or data leakage, the availability impact can be significant in environments where uptime and reliability are critical, such as manufacturing plants, telecommunications infrastructure, or medical devices. The lack of known exploits reduces immediate risk, but the complexity of the issue means that unpatched systems remain vulnerable to accidental or triggered deadlocks during runtime suspend/resume cycles. Organizations using custom Linux builds or embedded Linux on stm32f7 platforms should prioritize patching to avoid operational disruptions.

European organizations should take the following specific mitigation steps: 1) Identify all devices and systems running affected Linux kernel versions with stm32f7 I2C bus controllers and attached clock controllers. 2) Apply the official Linux kernel patch that replaces clk_prepare_enable()/clk_prepare_disable() calls with clk_enable()/clk_disable() during runtime suspend and resume to prevent the deadlock condition. 3) For embedded or industrial devices where kernel updates are challenging, consider vendor firmware updates or workarounds that disable runtime suspend/resume for the affected I2C controllers if feasible. 4) Implement monitoring for kernel hangs or deadlocks related to I2C bus operations to detect potential exploitation or accidental triggering of this vulnerability. 5) Coordinate with hardware vendors to ensure updated drivers and firmware are deployed. 6) Test patches in staging environments to verify that the fix does not introduce regressions in clock or power management functionality. 7) Maintain an inventory of affected hardware and software to streamline patch management and incident response.