CVE-2024-36924: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-36924 affects the Linux kernel's SCSI lpfc driver. The vulnerability was discovered in the handling of the hbalock mutex, where lpfcworkerwake_up() was being called while holding the lock. This issue was disclosed on May 30, 2024, and affects Linux kernel versions up to (excluding) 6.1.91, versions from 6.2 up to (excluding) 6.6.31, versions from 6.7 up to (excluding) 6.8.10, and version 6.9-rc1 (NVD).

The vulnerability stems from a locking issue in the Linux kernel's SCSI lpfc driver where lpfcworkerwakeup() calls the lpfcworkdone() routine while holding the hbalock. Since lpfcwork_done() also attempts to take the hbalock, this creates a potential deadlock condition. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-667 (Improper Locking) (NVD).

The vulnerability can lead to a potential deadlock in the Linux kernel's SCSI subsystem, specifically affecting systems using the lpfc driver. This could result in system availability issues, though there are no impacts to confidentiality or integrity (NVD).

The vulnerability has been fixed by releasing the hbalock before calling lpfcworkerwake_up(). The fix involves restructuring the code to ensure proper lock handling and reference counting. Patches have been released for affected kernel versions (Kernel Patch).