CVE-2023-54009

Root

Cause

The cdns_i2c_master_xfer() function in the Cadence I2C controller driver (drivers/i2c/busses/i2c-cadence.c) acquires a runtime PM reference when the function is entered. This reference is normally released when the function returns. However, there is one error path in the function that exits directly without releasing the runtime PM reference, causing a leak.

Attack

Surface and Exploitation

No special attack surface is required beyond normal use of the I2C bus. The vulnerability is triggered when an error occurs (e.g., invalid parameters or bus condition) in the I2C master transfer path. Any user or process that can initiate an I2C transfer via the Cadence controller could potentially trigger this leak. No authentication is needed beyond the capability to access the I2C device node.

Impact

If the error path is repeatedly hit, the runtime PM reference count will not be decremented, preventing the device from entering low-power states. This can lead to increased power consumption and, in extreme cases, may cause the device to remain active indefinitely, potentially degrading system performance or battery life.

Mitigation

The issue is fixed in the Linux kernel by ensuring that the error path releases the runtime PM reference, as seen in the committed patches [1][2]. Users should apply the kernel update containing these commits to resolve the vulnerability. No workaround is possible without patching the driver.