{"schema_version":"1.7.2","id":"OESA-2024-2533","modified":"2024-12-13T13:17:36Z","published":"2024-12-13T13:17:36Z","upstream":["CVE-2024-47713","CVE-2024-49861","CVE-2024-49863","CVE-2024-49906","CVE-2024-49923","CVE-2024-49977","CVE-2024-49991","CVE-2024-50103","CVE-2024-50116","CVE-2024-50127","CVE-2024-50134","CVE-2024-50187","CVE-2024-50201","CVE-2024-50267","CVE-2024-50272","CVE-2024-50278","CVE-2024-50290","CVE-2024-50292","CVE-2024-50302","CVE-2024-53104","CVE-2024-53110","CVE-2024-53112","CVE-2024-53125","CVE-2024-53130"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()  Since \u0026apos;__dev_queue_xmit()\u0026apos; should be called with interrupts enabled, the following backtrace:  ieee80211_do_stop()  ...  spin_lock_irqsave(\u0026amp;local-\u0026gt;queue_stop_reason_lock, flags)  ...  ieee80211_free_txskb()   ieee80211_report_used_skb()    ieee80211_report_ack_skb()     cfg80211_mgmt_tx_status_ext()      nl80211_frame_tx_status()       genlmsg_multicast_netns()        genlmsg_multicast_netns_filtered()         nlmsg_multicast_filtered()   netlink_broadcast_filtered()    do_one_broadcast()     netlink_broadcast_deliver()      __netlink_sendskb()       netlink_deliver_tap()        __netlink_deliver_tap_skb()         dev_queue_xmit()          __dev_queue_xmit() ; with IRQS disabled  ...  spin_unlock_irqrestore(\u0026amp;local-\u0026gt;queue_stop_reason_lock, flags)  issues the warning (as reported by syzbot reproducer):  WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120  Fix this by implementing a two-phase skb reclamation in \u0026apos;ieee80211_do_stop()\u0026apos;, where actual work is performed outside of a section with interrupts disabled.(CVE-2024-47713)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  bpf: Fix helper writes to read-only maps  Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} as arguments.  In check_func_arg() when the argument is as mentioned, the meta-\u0026gt;raw_mode is never set. Later, check_helper_mem_access(), under the case of PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the subsequent call to check_map_access_type() and given the BPF map is read-only it succeeds.  The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT when results are written into them as opposed to read out of them. The latter indicates that it\u0026apos;s okay to pass a pointer to uninitialized memory as the memory is written to anyway.  However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM just with additional alignment requirement. So it is better to just get rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the fixed size memory types. For this, add MEM_ALIGNED to additionally ensure alignment given these helpers write directly into the args via *\u0026lt;ptr\u0026gt; = val. The .arg*_size has been initialized reflecting the actual sizeof(*\u0026lt;ptr\u0026gt;).  MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated argument types, since in !MEM_FIXED_SIZE cases the verifier does not know the buffer size a priori and therefore cannot blindly write *\u0026lt;ptr\u0026gt; = val.(CVE-2024-49861)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()  Since commit 3f8ca2e115e5 (\u0026quot;vhost/scsi: Extract common handling code from control queue handler\u0026quot;) a null pointer dereference bug can be triggered when guest sends an SCSI AN request.  In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with `\u0026amp;v_req.tmf.lun[1]` within a switch-case block and is then passed to vhost_scsi_get_req() which extracts `vc-\u0026gt;req` and `tpg`. However, for a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is set to NULL in this branch. Later, in vhost_scsi_get_req(), `vc-\u0026gt;target` is dereferenced without being checked, leading to a null pointer dereference bug. This bug can be triggered from guest.  When this bug occurs, the vhost_worker process is killed while holding `vq-\u0026gt;mutex` and the corresponding tpg will remain occupied indefinitely.  Below is the KASAN report: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1 Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:vhost_scsi_get_req+0x165/0x3a0 Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 \u0026lt;0f\u0026gt; b6 04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00 RSP: 0018:ffff888017affb50 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8 RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000 FS:  000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0 Call Trace:  \u0026lt;TASK\u0026gt;  ? show_regs+0x86/0xa0  ? die_addr+0x4b/0xd0  ? exc_general_protection+0x163/0x260  ? asm_exc_general_protection+0x27/0x30  ? vhost_scsi_get_req+0x165/0x3a0  vhost_scsi_ctl_handle_vq+0x2a4/0xca0  ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10  ? __switch_to+0x721/0xeb0  ? __schedule+0xda5/0x5710  ? __kasan_check_write+0x14/0x30  ? _raw_spin_lock+0x82/0xf0  vhost_scsi_ctl_handle_kick+0x52/0x90  vhost_run_work_list+0x134/0x1b0  vhost_task_fn+0x121/0x350 ...  \u0026lt;/TASK\u0026gt; ---[ end trace 0000000000000000 ]---  Let\u0026apos;s add a check in vhost_scsi_get_req.  [whitespace fixes](CVE-2024-49863)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Check null pointer before try to access it  [why \u0026amp; how] Change the order of the pipe_ctx-\u0026gt;plane_state check to ensure that plane_state is not null before accessing it.(CVE-2024-49906)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags  [WHAT \u0026amp; HOW] \u0026quot;dcn20_validate_apply_pipe_split_flags\u0026quot; dereferences merge, and thus it cannot be a null pointer. Let\u0026apos;s pass a valid pointer to avoid null dereference.  This fixes 2 FORWARD_NULL issues reported by Coverity.(CVE-2024-49923)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Fix zero-division error when disabling tc cbs  The commit b8c43360f6e4 (\u0026quot;net: stmmac: No need to calculate speed divider when offload is disabled\u0026quot;) allows the \u0026quot;port_transmit_rate_kbps\u0026quot; to be set to a value of 0, which is then passed to the \u0026quot;div_s64\u0026quot; function when tc-cbs is disabled. This leads to a zero-division error.  When tc-cbs is disabled, the idleslope, sendslope, and credit values the credit values are not required to be configured. Therefore, adding a return statement after setting the txQ mode to DCB when tc-cbs is disabled would prevent a zero-division error.(CVE-2024-49977)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer  Pass pointer reference to amdgpu_bo_unref to clear the correct pointer, otherwise amdgpu_bo_unref clear the local variable, the original pointer not set to NULL, this could cause use-after-free bug.(CVE-2024-49991)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()  A devm_kzalloc() in asoc_qcom_lpass_cpu_platform_probe() could possibly return NULL pointer. NULL Pointer Dereference may be triggerred without addtional check. Add a NULL check for the returned pointer.(CVE-2024-50103)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  nilfs2: fix kernel bug due to missing clearing of buffer delay flag  Syzbot reported that after nilfs2 reads a corrupted file system image and degrades to read-only, the BUG_ON check for the buffer delay flag in submit_bh_wbc() may fail, causing a kernel bug.  This is because the buffer delay flag is not cleared when clearing the buffer state flags to discard a page/folio or a buffer head. So, fix this.  This became necessary when the use of nilfs2\u0026apos;s own page clear routine was expanded.  This state inconsistency does not occur if the buffer is written normally by log writing.(CVE-2024-50116)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  net: sched: fix use-after-free in taprio_change()  In \u0026apos;taprio_change()\u0026apos;, \u0026apos;admin\u0026apos; pointer may become dangling due to sched switch / removal caused by \u0026apos;advance_sched()\u0026apos;, and critical section protected by \u0026apos;q-\u0026gt;current_entry_lock\u0026apos; is too small to prevent from such a scenario (which causes use-after-free detected by KASAN). Fix this by prefer \u0026apos;rcu_replace_pointer()\u0026apos; over \u0026apos;rcu_assign_pointer()\u0026apos; to update \u0026apos;admin\u0026apos; immediately before an attempt to schedule freeing.(CVE-2024-50127)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA  Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with a real VLA to fix a \u0026quot;memcpy: detected field-spanning write error\u0026quot; warning:  [   13.319813] memcpy: detected field-spanning write (size 16896) of single field \u0026quot;p-\u0026gt;data\u0026quot; at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4) [   13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo] [   13.320038] Call Trace: [   13.320173]  hgsmi_update_pointer_shape [vboxvideo] [   13.320184]  vbox_cursor_atomic_update [vboxvideo]  Note as mentioned in the added comment it seems the original length calculation for the allocated and send hgsmi buffer is 4 bytes too large. Changing this is not the goal of this patch, so this behavior is kept.(CVE-2024-50134)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/vc4: Stop the active perfmon before being destroyed  Upon closing the file descriptor, the active performance monitor is not stopped. Although all perfmons are destroyed in `vc4_perfmon_close_file()`, the active performance monitor\u0026apos;s pointer (`vc4-\u0026gt;active_perfmon`) is still retained.  If we open a new file descriptor and submit a few jobs with performance monitors, the driver will attempt to stop the active performance monitor using the stale pointer in `vc4-\u0026gt;active_perfmon`. However, this pointer is no longer valid because the previous process has already terminated, and all performance monitors associated with it have been destroyed and freed.  To fix this, when the active performance monitor belongs to a given process, explicitly stop it before destroying and freeing it.(CVE-2024-50187)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Fix encoder-\u0026gt;possible_clones  Include the encoder itself in its possible_clones bitmask. In the past nothing validated that drivers were populating possible_clones correctly, but that changed in commit 74d2aacbe840 (\u0026quot;drm: Validate encoder-\u0026gt;possible_clones\u0026quot;). Looks like radeon never got the memo and is still not following the rules 100% correctly.  This results in some warnings during driver initialization: Bogus possible_clones: [ENCODER:46:TV-46] possible_clones=0x4 (full encoder mask=0x7) WARNING: CPU: 0 PID: 170 at drivers/gpu/drm/drm_mode_config.c:615 drm_mode_config_validate+0x113/0x39c ...  (cherry picked from commit 3b6e7d40649c0d75572039aff9d0911864c689db)(CVE-2024-50201)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  USB: serial: io_edgeport: fix use after free in debug printk  The \u0026quot;dev_dbg(\u0026amp;urb-\u0026gt;dev-\u0026gt;dev, ...\u0026quot; which happens after usb_free_urb(urb) is a use after free of the \u0026quot;urb\u0026quot; pointer.  Store the \u0026quot;dev\u0026quot; pointer at the start of the function to avoid this issue.(CVE-2024-50267)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  filemap: Fix bounds checking in filemap_read()  If the caller supplies an iocb-\u0026gt;ki_pos value that is close to the filesystem upper limit, and an iterator with a count that causes us to overflow that limit, then filemap_read() enters an infinite loop.  This behaviour was discovered when testing xfstests generic/525 with the \u0026quot;localio\u0026quot; optimisation for loopback NFS mounts.(CVE-2024-50272)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  dm cache: fix potential out-of-bounds access on the first resume  Out-of-bounds access occurs if the fast device is expanded unexpectedly before the first-time resume of the cache table. This happens because expanding the fast device requires reloading the cache table for cache_create to allocate new in-core data structures that fit the new size, and the check in cache_preresume is not performed during the first resume, leading to the issue.  Reproduce steps:  1. prepare component devices:  dmsetup create cmeta --table \u0026quot;0 8192 linear /dev/sdc 0\u0026quot; dmsetup create cdata --table \u0026quot;0 65536 linear /dev/sdc 8192\u0026quot; dmsetup create corig --table \u0026quot;0 524288 linear /dev/sdc 262144\u0026quot; dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct  2. load a cache table of 512 cache blocks, and deliberately expand the    fast device before resuming the cache, making the in-core data    structures inadequate.  dmsetup create cache --notable dmsetup reload cache --table \u0026quot;0 524288 cache /dev/mapper/cmeta \\ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\u0026quot; dmsetup reload cdata --table \u0026quot;0 131072 linear /dev/sdc 8192\u0026quot; dmsetup resume cdata dmsetup resume cache  3. suspend the cache to write out the in-core dirty bitset and hint    array, leading to out-of-bounds access to the dirty bitset at offset    0x40:  dmsetup suspend cache  KASAN reports:    BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80   Read of size 8 at addr ffffc90000085040 by task dmsetup/90    (...snip...)   The buggy address belongs to the virtual mapping at    [ffffc90000085000, ffffc90000087000) created by:    cache_ctr+0x176a/0x35f0    (...snip...)   Memory state around the buggy address:    ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8    ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8   \u0026gt;ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8                                              ^    ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8    ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8  Fix by checking the size change on the first resume.(CVE-2024-50278)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  media: cx24116: prevent overflows on SNR calculus  as reported by Coverity, if reading SNR registers fail, a negative number will be returned, causing an underflow when reading SNR registers.  Prevent that.(CVE-2024-50290)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove  In case of error when requesting ctrl_chan DMA channel, ctrl_chan is not null. So the release of the dma channel leads to the following issue: [    4.879000] st,stm32-spdifrx 500d0000.audio-controller: dma_request_slave_channel error -19 [    4.888975] Unable to handle kernel NULL pointer dereference at virtual address 000000000000003d [...] [    5.096577] Call trace: [    5.099099]  dma_release_channel+0x24/0x100 [    5.103235]  stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx] [    5.109494]  stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx]  To avoid this issue, release channel only if the pointer is valid.(CVE-2024-50292)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  HID: core: zero-initialize the report buffer  Since the report buffer is used by all kinds of drivers in various ways, let\u0026apos;s zero-initialize it during allocation to make sure that it can\u0026apos;t be ever used to leak kernel memory via specially-crafted report.(CVE-2024-50302)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format  This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming.(CVE-2024-53104)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  vp_vdpa: fix id_table array not null terminated error  Allocate one extra virtio_device_id as null terminator, otherwise vdpa_mgmtdev_get_classes() may iterate multiple times and visit undefined memory.(CVE-2024-53110)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  ocfs2: uncache inode which has failed entering the group  Syzbot has reported the following BUG:  kernel BUG at fs/ocfs2/uptodate.c:509! ... Call Trace:  \u0026lt;TASK\u0026gt;  ? __die_body+0x5f/0xb0  ? die+0x9e/0xc0  ? do_trap+0x15a/0x3a0  ? ocfs2_set_new_buffer_uptodate+0x145/0x160  ? do_error_trap+0x1dc/0x2c0  ? ocfs2_set_new_buffer_uptodate+0x145/0x160  ? __pfx_do_error_trap+0x10/0x10  ? handle_invalid_op+0x34/0x40  ? ocfs2_set_new_buffer_uptodate+0x145/0x160  ? exc_invalid_op+0x38/0x50  ? asm_exc_invalid_op+0x1a/0x20  ? ocfs2_set_new_buffer_uptodate+0x2e/0x160  ? ocfs2_set_new_buffer_uptodate+0x144/0x160  ? ocfs2_set_new_buffer_uptodate+0x145/0x160  ocfs2_group_add+0x39f/0x15a0  ? __pfx_ocfs2_group_add+0x10/0x10  ? __pfx_lock_acquire+0x10/0x10  ? mnt_get_write_access+0x68/0x2b0  ? __pfx_lock_release+0x10/0x10  ? rcu_read_lock_any_held+0xb7/0x160  ? __pfx_rcu_read_lock_any_held+0x10/0x10  ? smack_log+0x123/0x540  ? mnt_get_write_access+0x68/0x2b0  ? mnt_get_write_access+0x68/0x2b0  ? mnt_get_write_access+0x226/0x2b0  ocfs2_ioctl+0x65e/0x7d0  ? __pfx_ocfs2_ioctl+0x10/0x10  ? smack_file_ioctl+0x29e/0x3a0  ? __pfx_smack_file_ioctl+0x10/0x10  ? lockdep_hardirqs_on_prepare+0x43d/0x780  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10  ? __pfx_ocfs2_ioctl+0x10/0x10  __se_sys_ioctl+0xfb/0x170  do_syscall_64+0xf3/0x230  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  \u0026lt;/TASK\u0026gt;  When \u0026apos;ioctl(OCFS2_IOC_GROUP_ADD, ...)\u0026apos; has failed for the particular inode in \u0026apos;ocfs2_verify_group_and_input()\u0026apos;, corresponding buffer head remains cached and subsequent call to the same \u0026apos;ioctl()\u0026apos; for the same inode issues the BUG() in \u0026apos;ocfs2_set_new_buffer_uptodate()\u0026apos; (trying to cache the same buffer head of that inode). Fix this by uncaching the buffer head with \u0026apos;ocfs2_remove_from_cache()\u0026apos; on error path in \u0026apos;ocfs2_group_add()\u0026apos;.(CVE-2024-53112)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  bpf: sync_linked_regs() must preserve subreg_def  Range propagation must not affect subreg_def marks, otherwise the following example is rewritten by verifier incorrectly when BPF_F_TEST_RND_HI32 flag is set:    0: call bpf_ktime_get_ns                   call bpf_ktime_get_ns   1: r0 \u0026amp;= 0x7fffffff       after verifier   r0 \u0026amp;= 0x7fffffff   2: w1 = w0                rewrites         w1 = w0   3: if w0 \u0026lt; 10 goto +0     --------------\u0026gt;  r11 = 0x2f5674a6     (r)   4: r1 \u0026gt;\u0026gt;= 32                               r11 \u0026lt;\u0026lt;= 32           (r)   5: r0 = r1                                 r1 |= r11            (r)   6: exit;                                   if w0 \u0026lt; 0xa goto pc+0                                              r1 \u0026gt;\u0026gt;= 32                                              r0 = r1                                              exit  (or zero extension of w1 at (2) is missing for architectures that  require zero extension for upper register half).  The following happens w/o this patch: - r0 is marked as not a subreg at (0); - w1 is marked as subreg at (2); - w1 subreg_def is overridden at (3) by copy_register_state(); - w1 is read at (5) but mark_insn_zext() does not mark (2)   for zero extension, because w1 subreg_def is not set; - because of BPF_F_TEST_RND_HI32 flag verifier inserts random   value for hi32 bits of (2) (marked (r)); - this random value is read at (5).(CVE-2024-53125)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint  When using the \u0026quot;block:block_dirty_buffer\u0026quot; tracepoint, mark_buffer_dirty() may cause a NULL pointer dereference, or a general protection fault when KASAN is enabled.  This happens because, since the tracepoint was added in mark_buffer_dirty(), it references the dev_t member bh-\u0026gt;b_bdev-\u0026gt;bd_dev regardless of whether the buffer head has a pointer to a block_device structure.  In the current implementation, nilfs_grab_buffer(), which grabs a buffer to read (or create) a block of metadata, including b-tree node blocks, does not set the block device, but instead does so only if the buffer is not in the \u0026quot;uptodate\u0026quot; state for each of its caller block reading functions.  However, if the uptodate flag is set on a folio/page, and the buffer heads are detached from it by try_to_free_buffers(), and new buffer heads are then attached by create_empty_buffers(), the uptodate flag may be restored to each buffer without the block device being set to bh-\u0026gt;b_bdev, and mark_buffer_dirty() may be called later in that state, resulting in the bug mentioned above.  Fix this issue by making nilfs_grab_buffer() always set the block device of the super block structure to the buffer head, regardless of the state of the buffer\u0026apos;s uptodate flag.(CVE-2024-53130)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-240.0.0.139.oe2203sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","bpftool-debuginfo-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","kernel-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","kernel-debuginfo-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","kernel-debugsource-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","kernel-devel-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","kernel-headers-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","kernel-source-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","kernel-tools-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","kernel-tools-debuginfo-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","kernel-tools-devel-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","perf-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","perf-debuginfo-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","python3-perf-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm","python3-perf-debuginfo-5.10.0-240.0.0.139.oe2203sp4.aarch64.rpm"],"src":["kernel-5.10.0-240.0.0.139.oe2203sp4.src.rpm"],"x86_64":["bpftool-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","bpftool-debuginfo-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","kernel-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","kernel-debuginfo-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","kernel-debugsource-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","kernel-devel-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","kernel-headers-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","kernel-source-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","kernel-tools-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","kernel-tools-debuginfo-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","kernel-tools-devel-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","perf-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","perf-debuginfo-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","python3-perf-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm","python3-perf-debuginfo-5.10.0-240.0.0.139.oe2203sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2533"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47713"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49861"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49863"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49906"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49923"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49977"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49991"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50103"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50116"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50127"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50134"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50187"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50201"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50267"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50272"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50278"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50290"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50292"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50302"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53104"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53110"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53112"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53125"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53130"}],"database_specific":{"severity":"High"}}