CVE-2024-50006
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2024-50006 is a vulnerability in the Linux kernel's ext4 filesystem component, discovered by the Linux Verification Center (linuxtesting.org) using the syzkaller fuzzing tool. The vulnerability was disclosed on October 21, 2024, affecting multiple versions of the Linux kernel up to versions 5.10.227, 5.15.168, 6.1.113, 6.6.55, and others (NVD).

Technical details

The vulnerability is a potential deadlock in the jbd2_log_wait_commit function. It is triggered when an EXT4_IOC_MIGRATE ioctl is required to perform synchronous updates because the file descriptor was opened with O_SYNC. The issue manifests when CONFIG_PROVE_LOCKING is enabled: the jbd2_might_wait_for_commit macro locks jbd2_handle in the jbd2_journal_stop function while i_data_sem is held. Lockdep reports this as a lock ordering violation, since jbd2_journal_start might simultaneously lock the same jbd2_handle. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

Impact

The vulnerability can lead to a deadlock condition if the EXT4_IOC_MIGRATE call races with a write(2) system call. This occurs specifically when the jbd2_journal_stop() function calls jbd2_might_wait_for_commit() while holding certain locks in an incorrect order (NVD).

Mitigation and workarounds

The vulnerability has been fixed in various Linux kernel versions through patches that correct the lock ordering in ext4_ind_migrate(). Multiple Linux distributions have released updates addressing this issue, including Ubuntu, which has provided fixes for affected kernel versions (Ubuntu).
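
The lock-order report described under Technical details, next to a corrected order, as an added example that is not kernel code and not from the original page: a toy lock-class tracker in the spirit of lockdep. The tracker, its function names and the modeling of the corrected order as releasing i_data_sem before the handle is stopped are assumptions made for illustration.

```c
/* Toy lock-order checker in the spirit of lockdep (added illustration,
 * not kernel code). It tracks lock classes, not real locks. */
#include <stdbool.h>
enum lock_class { I_DATA_SEM, JBD2_HANDLE, NCLASS };
struct tracker {
    bool held[NCLASS];
    bool dep[NCLASS][NCLASS]; /* dep[a][b]: b was taken while a was held */
};
/* Record an acquisition; return true if it inverts an order seen before. */
static bool acquire(struct tracker *t, enum lock_class c)
{
    bool inversion = false;
    for (int h = 0; h < NCLASS; h++) {
        if (!t->held[h] || h == (int)c)
            continue;
        if (t->dep[c][h]) /* c -> h is on record, this is h -> c */
            inversion = true;
        t->dep[h][c] = true;
    }
    t->held[c] = true;
    return inversion;
}
static void release(struct tracker *t, enum lock_class c) { t->held[c] = false; }

/* Synchronous stop: drop the handle, then model jbd2_might_wait_for_commit()
 * as a take-and-drop of the same class. */
static bool sync_journal_stop(struct tracker *t)
{
    release(t, JBD2_HANDLE);
    bool bad = acquire(t, JBD2_HANDLE);
    release(t, JBD2_HANDLE);
    return bad;
}

/* Hypothetical model of the migrate path. unlock_first selects the corrected
 * order (assumption: i_data_sem is dropped before the handle is stopped). */
bool migrate_reports_inversion(bool unlock_first)
{
    struct tracker t = {0};
    acquire(&t, JBD2_HANDLE);         /* jbd2_journal_start */
    acquire(&t, I_DATA_SEM);          /* handle -> i_data_sem on record */
    if (unlock_first)
        release(&t, I_DATA_SEM);
    bool bad = sync_journal_stop(&t); /* O_SYNC makes the stop wait */
    if (!unlock_first)
        release(&t, I_DATA_SEM);
    return bad;
}
/* Exit 0 when only the original order is flagged. */
int main(void) { return !(migrate_reports_inversion(false) && !migrate_reports_inversion(true)); }
```

Like lockdep, the tracker flags the ordering from a single pass through the path; no second thread has to race for the inversion to be recorded.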

This report was generated using AI.

Related Linux Kernel vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name            CISA KEV exploit  Has fix  Published date
CVE-2025-68764  N/A       N/A    Linux Kernel  kernel-64k-debug-modules  No                Yes      Jan 05, 2026
CVE-2025-68762  N/A       N/A    Linux Kernel  kernel-debug              No                Yes      Jan 05, 2026
CVE-2025-68758  N/A       N/A    Linux Kernel  linux-riscv               No                Yes      Jan 05, 2026
CVE-2025-68756  N/A       N/A    Linux Kernel  linux-fips                No                Yes      Jan 05, 2026
CVE-2025-68753  N/A       N/A    Linux Kernel  python3-perf              No                Yes      Jan 05, 2026
