
CVE-2024-50098: Vulnerability in Linux Linux

Medium
Published: Tue Nov 05 2024 (11/05/2024, 17:07:36 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down

There is a history of deadlock if reboot is performed at the beginning of booting. SDEV_QUIESCE was set for all LU's scsi_devices by UFS shutdown, and at that time the audio driver was waiting on blk_mq_submit_bio() holding a mutex_lock while reading the fw binary. After that, a deadlock issue occurred while audio driver shutdown was waiting for mutex_unlock of blk_mq_submit_bio(). To solve this, set SDEV_OFFLINE for all LUs except WLUN, so that any I/O that comes down after a UFS shutdown will return an error.

[ 31.907781]I[0: swapper/0: 0] 1 130705007 1651079834 11289729804 0 D( 2) 3 ffffff882e208000 * init [device_shutdown]
[ 31.907793]I[0: swapper/0: 0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49]
[ 31.907806]I[0: swapper/0: 0] Call trace:
[ 31.907810]I[0: swapper/0: 0] __switch_to+0x174/0x338
[ 31.907819]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc
[ 31.907826]I[0: swapper/0: 0] schedule+0x7c/0xe8
[ 31.907834]I[0: swapper/0: 0] schedule_preempt_disabled+0x24/0x40
[ 31.907842]I[0: swapper/0: 0] __mutex_lock+0x408/0xdac
[ 31.907849]I[0: swapper/0: 0] __mutex_lock_slowpath+0x14/0x24
[ 31.907858]I[0: swapper/0: 0] mutex_lock+0x40/0xec
[ 31.907866]I[0: swapper/0: 0] device_shutdown+0x108/0x280
[ 31.907875]I[0: swapper/0: 0] kernel_restart+0x4c/0x11c
[ 31.907883]I[0: swapper/0: 0] __arm64_sys_reboot+0x15c/0x280
[ 31.907890]I[0: swapper/0: 0] invoke_syscall+0x70/0x158
[ 31.907899]I[0: swapper/0: 0] el0_svc_common+0xb4/0xf4
[ 31.907909]I[0: swapper/0: 0] do_el0_svc+0x2c/0xb0
[ 31.907918]I[0: swapper/0: 0] el0_svc+0x34/0xe0
[ 31.907928]I[0: swapper/0: 0] el0t_64_sync_handler+0x68/0xb4
[ 31.907937]I[0: swapper/0: 0] el0t_64_sync+0x1a0/0x1a4
[ 31.908774]I[0: swapper/0: 0] 49 0 11960702 11236868007 0 D( 2) 6 ffffff882e28cb00 * kworker/6:0 [__bio_queue_enter]
[ 31.908783]I[0: swapper/0: 0] Call trace:
[ 31.908788]I[0: swapper/0: 0] __switch_to+0x174/0x338
[ 31.908796]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc
[ 31.908803]I[0: swapper/0: 0] schedule+0x7c/0xe8
[ 31.908811]I[0: swapper/0: 0] __bio_queue_enter+0xb8/0x178
[ 31.908818]I[0: swapper/0: 0] blk_mq_submit_bio+0x194/0x67c
[ 31.908827]I[0: swapper/0: 0] __submit_bio+0xb8/0x19c

AI-Powered Analysis

Last updated: 06/28/2025, 17:11:16 UTC

Technical Analysis

CVE-2024-50098 is a vulnerability in the Linux kernel's Universal Flash Storage (UFS) core driver, which sits under the SCSI (Small Computer System Interface) layer. The issue arises during the UFS shutdown sequence, where the scsi_devices of all Logical Units (LUs) are put into the quiesced state (SDEV_QUIESCE). If a reboot is performed early in boot, the audio driver may still be reading its firmware binary: it holds a mutex and is blocked in blk_mq_submit_bio() because the device has been quiesced. The audio driver's shutdown then waits for that same mutex, which is not released while the I/O stays blocked, so the reboot deadlocks.

The root cause is that the shutdown process sets LUs to SDEV_QUIESCE but does not mark them offline, allowing I/O operations to be queued and block indefinitely. The fix sets SDEV_OFFLINE for all LUs except the well-known logical unit (WLUN) during UFS shutdown, so that any I/O request issued after shutdown returns an error immediately instead of blocking. This prevents the deadlock by disallowing new I/O operations on the device once it is shut down.

The vulnerability affects specific Linux kernel versions identified by commit hashes (b294ff3e34490f36233230e9ca70503d3924a6f3). No known exploits are reported in the wild, and no CVSS score has been assigned yet. The issue primarily impacts systems using UFS storage devices with the Linux kernel, particularly those that perform reboot or shutdown sequences involving UFS devices and have audio drivers that interact with firmware binaries during boot.

Potential Impact

For European organizations, the impact of CVE-2024-50098 could manifest as system instability or unplanned downtime during reboot or shutdown sequences on Linux-based systems utilizing UFS storage. This is particularly relevant for embedded systems, mobile devices, or specialized industrial equipment running Linux kernels with UFS support. Deadlocks during boot can cause prolonged system hangs, delaying recovery or maintenance operations, which may affect critical infrastructure, manufacturing systems, or telecommunications equipment. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact can be significant in environments requiring high uptime or rapid reboot cycles. Organizations relying on Linux-based appliances or servers with UFS storage may experience operational disruptions. However, since exploitation requires specific timing during boot and involves internal kernel operations, the risk of remote exploitation is low. The lack of known exploits suggests the threat is currently theoretical but should be addressed proactively to avoid potential service interruptions.

Mitigation Recommendations

To mitigate CVE-2024-50098, European organizations should:
1) Apply the latest Linux kernel updates that include the patch setting SDEV_OFFLINE during UFS shutdown to prevent deadlocks.
2) Audit and inventory systems using UFS storage devices and verify kernel versions to identify vulnerable systems.
3) For embedded or specialized devices where kernel updates are challenging, consider vendor firmware updates or workarounds that avoid reboot sequences triggering the deadlock scenario.
4) Implement monitoring for system hangs or delays during reboot/shutdown processes to detect symptoms of this issue early.
5) Coordinate with hardware and software vendors to ensure that audio drivers and storage subsystems are compatible with the patched kernel behavior.
6) In critical environments, schedule controlled reboots and validate system stability post-update to minimize operational impact.
7) Avoid unnecessary reboots during peak operational hours until patches are applied.
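Recommendation 4 can be made concrete by matching the hung-task dump quoted in the description against collected console or pstore logs. The Python sketch below is an added example, not code from the kernel patch or from this page; it assumes the log prefix and task-dump layout shown in that trace, and the function names are hypothetical.

```python
import re

# Trimmed copy of the hung-task dump quoted in the CVE description above.
SAMPLE = """\
[ 31.907781]I[0: swapper/0: 0] 1 130705007 1651079834 11289729804 0 D( 2) 3 ffffff882e208000 * init [device_shutdown]
[ 31.907793]I[0: swapper/0: 0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49]
[ 31.907806]I[0: swapper/0: 0] Call trace:
[ 31.907842]I[0: swapper/0: 0] __mutex_lock+0x408/0xdac
[ 31.907866]I[0: swapper/0: 0] device_shutdown+0x108/0x280
[ 31.907875]I[0: swapper/0: 0] kernel_restart+0x4c/0x11c
[ 31.908774]I[0: swapper/0: 0] 49 0 11960702 11236868007 0 D( 2) 6 ffffff882e28cb00 * kworker/6:0 [__bio_queue_enter]
[ 31.908783]I[0: swapper/0: 0] Call trace:
[ 31.908811]I[0: swapper/0: 0] __bio_queue_enter+0xb8/0x178
[ 31.908818]I[0: swapper/0: 0] blk_mq_submit_bio+0x194/0x67c
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\w*\[[^\]]*\]\s*")  # timestamp + cpu/task tag
TASK = re.compile(r"^(\d+)\s.*\bD\(\s*\d+\).*\*\s+(\S+)\s+\[(\w+)\]$")  # D-state task header
OWNER = re.compile(r"^Mutex: \S+ owner\[\S+\s+\S+\s*:(\d+)\]$")  # pid of the mutex owner
FRAME = re.compile(r"^([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # symbol+offset/size

def parse_blocked_tasks(log):
    """Return {pid: {comm, wchan, owner, frames}} for each D-state task stanza."""
    tasks, cur = {}, None
    for line in log.splitlines():
        body = PREFIX.sub("", line).strip()
        if m := TASK.match(body):
            cur = tasks[int(m[1])] = {"comm": m[2], "wchan": m[3], "owner": None, "frames": []}
        elif cur is not None and (m := OWNER.match(body)):
            cur["owner"] = int(m[1])
        elif cur is not None and (m := FRAME.match(body)):
            cur["frames"].append(m[1])
    return tasks

def find_shutdown_deadlocks(log):
    """(waiter_pid, owner_pid) pairs: shutdown waits on a mutex whose owner is stuck entering a block queue."""
    tasks = parse_blocked_tasks(log)
    hits = []
    for pid, t in tasks.items():
        owner = tasks.get(t["owner"])
        if ("device_shutdown" in t["frames"] and "__mutex_lock" in t["frames"]
                and owner and "__bio_queue_enter" in owner["frames"]):
            hits.append((pid, t["owner"]))
    return hits

if __name__ == "__main__":
    for waiter, owner in find_shutdown_deadlocks(SAMPLE):
        print(f"reboot hang signature: pid {waiter} waits on mutex held by pid {owner}")
```

A hit means the log shows the same wait pattern as the trace in the description; confirming that the running kernel lacks the SDEV_OFFLINE change still requires checking the kernel version.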


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.945Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9825c4522896dcbdff2b

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 5:11:16 PM

Last updated: 8/2/2025, 12:30:48 PM
