CVE-2024-50183: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50183 affects the Linux kernel's SCSI lpfc driver. The vulnerability was discovered in the handling of NPIV (N_Port ID Virtualization) instances, where a race condition occurs during the deletion of NPIV instances. The issue specifically involves the failure to properly release fabric ndlps before tearing down NPIV resources (NVD).

The vulnerability stems from a synchronization issue in the SCSI lpfc driver where fabric ndlps are not properly released before an NPIV's resources are torn down. This creates kref imbalance race conditions. The CVSS v3.1 score is 4.7 (MEDIUM) with a vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue has been classified as CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) (NVD).

The vulnerability can lead to a kernel reference counting imbalance, potentially resulting in system instability or denial of service conditions. The impact is primarily focused on availability, with no direct impact on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in the Linux kernel by implementing synchronous completion of DAID handling before deleting NPIV instances. The fix uses a waitqueue mechanism to ensure proper synchronization. The patch has been backported to various stable kernel versions including 6.1.x, 6.6.x, and 6.11.x (Kernel Patch).