CVE-2024-57807: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57807 addresses a potential deadlock vulnerability in the Linux kernel's megaraid_sas driver. The issue was discovered and disclosed on January 11, 2025, affecting multiple versions of the Linux kernel up to versions 5.4.289, 5.10.233, 5.15.176, and 6.1.123. The vulnerability stems from a circular locking dependency in the SCSI subsystem (NVD).

The vulnerability manifests as a circular locking dependency between instance->resetmutex and shost->scanmutex in the megaraid_sas driver. The issue occurs when two CPU cores attempt to acquire these locks in different orders, potentially leading to a deadlock condition. The CVSS v3.1 base score is 5.5 (Medium) with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is on availability (NVD).

The vulnerability can result in a system deadlock, potentially affecting the availability of systems using the megaraid_sas driver. The issue primarily impacts system availability without compromising confidentiality or integrity (NVD).

A fix has been implemented by temporarily releasing the resetmutex before calling megasasremovescsidevice and re-acquiring it afterward. This patch has been merged into the Linux kernel and is available through various distribution updates (Kernel Patch).