CVE-2024-50098: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50098 affects the Linux kernel's SCSI UFS core component. The vulnerability was discovered when a deadlock condition occurred during system reboot, specifically in the UFS shutdown process. The issue arises when SDEV_QUIESCE is set for all LU's SCSI devices during UFS shutdown while an audio driver holds a mutex_lock during firmware binary reading (NVD).

The vulnerability manifests as a deadlock condition in the Linux kernel's UFS subsystem. During shutdown, the system sets SDEV_QUIESCE for all logical unit's SCSI devices, but this can conflict with other operations holding mutex locks, specifically when the audio driver is waiting on blk_mq_submit_bio() while reading firmware. The CVSS v3.1 base score is 5.5 (MEDIUM) with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system deadlock during reboot operations, particularly at the beginning of the booting process. This can result in a denial of service condition where the system becomes unresponsive due to the mutex lock conflict between the UFS shutdown process and ongoing I/O operations (Kernel Patch).

The issue has been fixed by changing the behavior during UFS shutdown. Instead of setting SDEV_QUIESCE, the patch modifies the code to set SDEV_OFFLINE for all LUs except WLUN. This ensures that any I/O operations that occur after UFS shutdown will return an error instead of causing a deadlock. The fix has been implemented in various kernel versions including 5.14 through 6.1.114, 6.2 through 6.6.58, and 6.7 through 6.11.5 (NVD).