{"schema_version":"1.7.2","id":"OESA-2024-2536","modified":"2024-12-13T13:18:07Z","published":"2024-12-13T13:18:07Z","upstream":["CVE-2024-47713","CVE-2024-49861","CVE-2024-49906","CVE-2024-49923","CVE-2024-49977","CVE-2024-49991","CVE-2024-50103","CVE-2024-50116","CVE-2024-50127","CVE-2024-50134","CVE-2024-50187","CVE-2024-50201","CVE-2024-50210","CVE-2024-50267","CVE-2024-50272","CVE-2024-50278","CVE-2024-50290","CVE-2024-50292","CVE-2024-50301","CVE-2024-50302","CVE-2024-53104","CVE-2024-53110","CVE-2024-53112","CVE-2024-53125","CVE-2024-53130"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()  Since \u0026apos;__dev_queue_xmit()\u0026apos; should be called with interrupts enabled, the following backtrace:  ieee80211_do_stop()  ...  spin_lock_irqsave(\u0026amp;local-\u0026gt;queue_stop_reason_lock, flags)  ...  ieee80211_free_txskb()   ieee80211_report_used_skb()    ieee80211_report_ack_skb()     cfg80211_mgmt_tx_status_ext()      nl80211_frame_tx_status()       genlmsg_multicast_netns()        genlmsg_multicast_netns_filtered()         nlmsg_multicast_filtered()   netlink_broadcast_filtered()    do_one_broadcast()     netlink_broadcast_deliver()      __netlink_sendskb()       netlink_deliver_tap()        __netlink_deliver_tap_skb()         dev_queue_xmit()          __dev_queue_xmit() ; with IRQS disabled  ...  spin_unlock_irqrestore(\u0026amp;local-\u0026gt;queue_stop_reason_lock, flags)  issues the warning (as reported by syzbot reproducer):  WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120  Fix this by implementing a two-phase skb reclamation in \u0026apos;ieee80211_do_stop()\u0026apos;, where actual work is performed outside of a section with interrupts disabled.(CVE-2024-47713)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  bpf: Fix helper writes to read-only maps  Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} as arguments.  In check_func_arg() when the argument is as mentioned, the meta-\u0026gt;raw_mode is never set. Later, check_helper_mem_access(), under the case of PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the subsequent call to check_map_access_type() and given the BPF map is read-only it succeeds.  The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT when results are written into them as opposed to read out of them. The latter indicates that it\u0026apos;s okay to pass a pointer to uninitialized memory as the memory is written to anyway.  However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM just with additional alignment requirement. So it is better to just get rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the fixed size memory types. For this, add MEM_ALIGNED to additionally ensure alignment given these helpers write directly into the args via *\u0026lt;ptr\u0026gt; = val. The .arg*_size has been initialized reflecting the actual sizeof(*\u0026lt;ptr\u0026gt;).  MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated argument types, since in !MEM_FIXED_SIZE cases the verifier does not know the buffer size a priori and therefore cannot blindly write *\u0026lt;ptr\u0026gt; = val.(CVE-2024-49861)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Check null pointer before try to access it  [why \u0026amp; how] Change the order of the pipe_ctx-\u0026gt;plane_state check to ensure that plane_state is not null before accessing it.(CVE-2024-49906)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags  [WHAT \u0026amp; HOW] \u0026quot;dcn20_validate_apply_pipe_split_flags\u0026quot; dereferences merge, and thus it cannot be a null pointer. Let\u0026apos;s pass a valid pointer to avoid null dereference.  This fixes 2 FORWARD_NULL issues reported by Coverity.(CVE-2024-49923)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Fix zero-division error when disabling tc cbs  The commit b8c43360f6e4 (\u0026quot;net: stmmac: No need to calculate speed divider when offload is disabled\u0026quot;) allows the \u0026quot;port_transmit_rate_kbps\u0026quot; to be set to a value of 0, which is then passed to the \u0026quot;div_s64\u0026quot; function when tc-cbs is disabled. This leads to a zero-division error.  When tc-cbs is disabled, the idleslope, sendslope, and credit values the credit values are not required to be configured. Therefore, adding a return statement after setting the txQ mode to DCB when tc-cbs is disabled would prevent a zero-division error.(CVE-2024-49977)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer  Pass pointer reference to amdgpu_bo_unref to clear the correct pointer, otherwise amdgpu_bo_unref clear the local variable, the original pointer not set to NULL, this could cause use-after-free bug.(CVE-2024-49991)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()  A devm_kzalloc() in asoc_qcom_lpass_cpu_platform_probe() could possibly return NULL pointer. NULL Pointer Dereference may be triggerred without addtional check. Add a NULL check for the returned pointer.(CVE-2024-50103)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  nilfs2: fix kernel bug due to missing clearing of buffer delay flag  Syzbot reported that after nilfs2 reads a corrupted file system image and degrades to read-only, the BUG_ON check for the buffer delay flag in submit_bh_wbc() may fail, causing a kernel bug.  This is because the buffer delay flag is not cleared when clearing the buffer state flags to discard a page/folio or a buffer head. So, fix this.  This became necessary when the use of nilfs2\u0026apos;s own page clear routine was expanded.  This state inconsistency does not occur if the buffer is written normally by log writing.(CVE-2024-50116)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  net: sched: fix use-after-free in taprio_change()  In \u0026apos;taprio_change()\u0026apos;, \u0026apos;admin\u0026apos; pointer may become dangling due to sched switch / removal caused by \u0026apos;advance_sched()\u0026apos;, and critical section protected by \u0026apos;q-\u0026gt;current_entry_lock\u0026apos; is too small to prevent from such a scenario (which causes use-after-free detected by KASAN). Fix this by prefer \u0026apos;rcu_replace_pointer()\u0026apos; over \u0026apos;rcu_assign_pointer()\u0026apos; to update \u0026apos;admin\u0026apos; immediately before an attempt to schedule freeing.(CVE-2024-50127)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA  Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with a real VLA to fix a \u0026quot;memcpy: detected field-spanning write error\u0026quot; warning:  [   13.319813] memcpy: detected field-spanning write (size 16896) of single field \u0026quot;p-\u0026gt;data\u0026quot; at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4) [   13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo] [   13.320038] Call Trace: [   13.320173]  hgsmi_update_pointer_shape [vboxvideo] [   13.320184]  vbox_cursor_atomic_update [vboxvideo]  Note as mentioned in the added comment it seems the original length calculation for the allocated and send hgsmi buffer is 4 bytes too large. Changing this is not the goal of this patch, so this behavior is kept.(CVE-2024-50134)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/vc4: Stop the active perfmon before being destroyed  Upon closing the file descriptor, the active performance monitor is not stopped. Although all perfmons are destroyed in `vc4_perfmon_close_file()`, the active performance monitor\u0026apos;s pointer (`vc4-\u0026gt;active_perfmon`) is still retained.  If we open a new file descriptor and submit a few jobs with performance monitors, the driver will attempt to stop the active performance monitor using the stale pointer in `vc4-\u0026gt;active_perfmon`. However, this pointer is no longer valid because the previous process has already terminated, and all performance monitors associated with it have been destroyed and freed.  To fix this, when the active performance monitor belongs to a given process, explicitly stop it before destroying and freeing it.(CVE-2024-50187)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Fix encoder-\u0026gt;possible_clones  Include the encoder itself in its possible_clones bitmask. In the past nothing validated that drivers were populating possible_clones correctly, but that changed in commit 74d2aacbe840 (\u0026quot;drm: Validate encoder-\u0026gt;possible_clones\u0026quot;). Looks like radeon never got the memo and is still not following the rules 100% correctly.  This results in some warnings during driver initialization: Bogus possible_clones: [ENCODER:46:TV-46] possible_clones=0x4 (full encoder mask=0x7) WARNING: CPU: 0 PID: 170 at drivers/gpu/drm/drm_mode_config.c:615 drm_mode_config_validate+0x113/0x39c ...  (cherry picked from commit 3b6e7d40649c0d75572039aff9d0911864c689db)(CVE-2024-50201)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()  If get_clock_desc() succeeds, it calls fget() for the clockid\u0026apos;s fd, and get the clk-\u0026gt;rwsem read lock, so the error path should release the lock to make the lock balance and fput the clockid\u0026apos;s fd to make the refcount balance and release the fd related resource.  However the below commit left the error path locked behind resulting in unbalanced locking. Check timespec64_valid_strict() before get_clock_desc() to fix it, because the \u0026quot;ts\u0026quot; is not changed after that.  [pabeni@redhat.com: fixed commit message typo](CVE-2024-50210)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  USB: serial: io_edgeport: fix use after free in debug printk  The \u0026quot;dev_dbg(\u0026amp;urb-\u0026gt;dev-\u0026gt;dev, ...\u0026quot; which happens after usb_free_urb(urb) is a use after free of the \u0026quot;urb\u0026quot; pointer.  Store the \u0026quot;dev\u0026quot; pointer at the start of the function to avoid this issue.(CVE-2024-50267)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  filemap: Fix bounds checking in filemap_read()  If the caller supplies an iocb-\u0026gt;ki_pos value that is close to the filesystem upper limit, and an iterator with a count that causes us to overflow that limit, then filemap_read() enters an infinite loop.  This behaviour was discovered when testing xfstests generic/525 with the \u0026quot;localio\u0026quot; optimisation for loopback NFS mounts.(CVE-2024-50272)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  dm cache: fix potential out-of-bounds access on the first resume  Out-of-bounds access occurs if the fast device is expanded unexpectedly before the first-time resume of the cache table. This happens because expanding the fast device requires reloading the cache table for cache_create to allocate new in-core data structures that fit the new size, and the check in cache_preresume is not performed during the first resume, leading to the issue.  Reproduce steps:  1. prepare component devices:  dmsetup create cmeta --table \u0026quot;0 8192 linear /dev/sdc 0\u0026quot; dmsetup create cdata --table \u0026quot;0 65536 linear /dev/sdc 8192\u0026quot; dmsetup create corig --table \u0026quot;0 524288 linear /dev/sdc 262144\u0026quot; dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct  2. load a cache table of 512 cache blocks, and deliberately expand the    fast device before resuming the cache, making the in-core data    structures inadequate.  dmsetup create cache --notable dmsetup reload cache --table \u0026quot;0 524288 cache /dev/mapper/cmeta \\ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\u0026quot; dmsetup reload cdata --table \u0026quot;0 131072 linear /dev/sdc 8192\u0026quot; dmsetup resume cdata dmsetup resume cache  3. suspend the cache to write out the in-core dirty bitset and hint    array, leading to out-of-bounds access to the dirty bitset at offset    0x40:  dmsetup suspend cache  KASAN reports:    BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80   Read of size 8 at addr ffffc90000085040 by task dmsetup/90    (...snip...)   The buggy address belongs to the virtual mapping at    [ffffc90000085000, ffffc90000087000) created by:    cache_ctr+0x176a/0x35f0    (...snip...)   Memory state around the buggy address:    ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8    ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8   \u0026gt;ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8                                              ^    ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8    ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8  Fix by checking the size change on the first resume.(CVE-2024-50278)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  media: cx24116: prevent overflows on SNR calculus  as reported by Coverity, if reading SNR registers fail, a negative number will be returned, causing an underflow when reading SNR registers.  Prevent that.(CVE-2024-50290)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove  In case of error when requesting ctrl_chan DMA channel, ctrl_chan is not null. So the release of the dma channel leads to the following issue: [    4.879000] st,stm32-spdifrx 500d0000.audio-controller: dma_request_slave_channel error -19 [    4.888975] Unable to handle kernel NULL pointer dereference at virtual address 000000000000003d [...] [    5.096577] Call trace: [    5.099099]  dma_release_channel+0x24/0x100 [    5.103235]  stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx] [    5.109494]  stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx]  To avoid this issue, release channel only if the pointer is valid.(CVE-2024-50292)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  security/keys: fix slab-out-of-bounds in key_task_permission  KASAN reports an out of bounds read: BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 security/keys/permission.c:54 Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362  CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 Call Trace:  __dump_stack lib/dump_stack.c:82 [inline]  dump_stack+0x107/0x167 lib/dump_stack.c:123  print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400  __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560  kasan_report+0x3a/0x50 mm/kasan/report.c:585  __kuid_val include/linux/uidgid.h:36 [inline]  uid_eq include/linux/uidgid.h:63 [inline]  key_task_permission+0x394/0x410 security/keys/permission.c:54  search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793  This issue was also reported by syzbot.  It can be reproduced by following these steps(more details [1]): 1. Obtain more than 32 inputs that have similar hashes, which ends with the    pattern \u0026apos;0xxxxxxxe6\u0026apos;. 2. Reboot and add the keys obtained in step 1.  The reproducer demonstrates how this issue happened: 1. In the search_nested_keyrings function, when it iterates through the    slots in a node(below tag ascend_to_node), if the slot pointer is meta    and node-\u0026gt;back_pointer != NULL(it means a root), it will proceed to    descend_to_node. However, there is an exception. If node is the root,    and one of the slots points to a shortcut, it will be treated as a    keyring. 2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.    However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as    ASSOC_ARRAY_PTR_SUBTYPE_MASK. 3. When 32 keys with the similar hashes are added to the tree, the ROOT    has keys with hashes that are not similar (e.g. slot 0) and it splits    NODE A without using a shortcut. When NODE A is filled with keys that    all hashes are xxe6, the keys are similar, NODE A will split with a    shortcut. Finally, it forms the tree as shown below, where slot 6 points    to a shortcut.                        NODE A               +------\u0026gt;+---+       ROOT    |       | 0 | xxe6       +---+   |       +---+  xxxx | 0 | shortcut  :   : xxe6       +---+   |       +---+  xxe6 :   :   |       |   | xxe6       +---+   |       +---+       | 6 |---+       :   : xxe6       +---+           +---+  xxe6 :   :           | f | xxe6       +---+           +---+  xxe6 | f |       +---+  4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,    it may be mistakenly transferred to a key*, leading to a read    out-of-bounds read.  To fix this issue, one should jump to descend_to_node if the ptr is a shortcut, regardless of whether the node is root or not.  [1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/  [jarkko: tweaked the commit message a bit to have an appropriate closes  tag.](CVE-2024-50301)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  HID: core: zero-initialize the report buffer  Since the report buffer is used by all kinds of drivers in various ways, let\u0026apos;s zero-initialize it during allocation to make sure that it can\u0026apos;t be ever used to leak kernel memory via specially-crafted report.(CVE-2024-50302)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format  This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming.(CVE-2024-53104)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  vp_vdpa: fix id_table array not null terminated error  Allocate one extra virtio_device_id as null terminator, otherwise vdpa_mgmtdev_get_classes() may iterate multiple times and visit undefined memory.(CVE-2024-53110)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  ocfs2: uncache inode which has failed entering the group  Syzbot has reported the following BUG:  kernel BUG at fs/ocfs2/uptodate.c:509! ... Call Trace:  \u0026lt;TASK\u0026gt;  ? __die_body+0x5f/0xb0  ? die+0x9e/0xc0  ? do_trap+0x15a/0x3a0  ? ocfs2_set_new_buffer_uptodate+0x145/0x160  ? do_error_trap+0x1dc/0x2c0  ? ocfs2_set_new_buffer_uptodate+0x145/0x160  ? __pfx_do_error_trap+0x10/0x10  ? handle_invalid_op+0x34/0x40  ? ocfs2_set_new_buffer_uptodate+0x145/0x160  ? exc_invalid_op+0x38/0x50  ? asm_exc_invalid_op+0x1a/0x20  ? ocfs2_set_new_buffer_uptodate+0x2e/0x160  ? ocfs2_set_new_buffer_uptodate+0x144/0x160  ? ocfs2_set_new_buffer_uptodate+0x145/0x160  ocfs2_group_add+0x39f/0x15a0  ? __pfx_ocfs2_group_add+0x10/0x10  ? __pfx_lock_acquire+0x10/0x10  ? mnt_get_write_access+0x68/0x2b0  ? __pfx_lock_release+0x10/0x10  ? rcu_read_lock_any_held+0xb7/0x160  ? __pfx_rcu_read_lock_any_held+0x10/0x10  ? smack_log+0x123/0x540  ? mnt_get_write_access+0x68/0x2b0  ? mnt_get_write_access+0x68/0x2b0  ? mnt_get_write_access+0x226/0x2b0  ocfs2_ioctl+0x65e/0x7d0  ? __pfx_ocfs2_ioctl+0x10/0x10  ? smack_file_ioctl+0x29e/0x3a0  ? __pfx_smack_file_ioctl+0x10/0x10  ? lockdep_hardirqs_on_prepare+0x43d/0x780  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10  ? __pfx_ocfs2_ioctl+0x10/0x10  __se_sys_ioctl+0xfb/0x170  do_syscall_64+0xf3/0x230  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  \u0026lt;/TASK\u0026gt;  When \u0026apos;ioctl(OCFS2_IOC_GROUP_ADD, ...)\u0026apos; has failed for the particular inode in \u0026apos;ocfs2_verify_group_and_input()\u0026apos;, corresponding buffer head remains cached and subsequent call to the same \u0026apos;ioctl()\u0026apos; for the same inode issues the BUG() in \u0026apos;ocfs2_set_new_buffer_uptodate()\u0026apos; (trying to cache the same buffer head of that inode). Fix this by uncaching the buffer head with \u0026apos;ocfs2_remove_from_cache()\u0026apos; on error path in \u0026apos;ocfs2_group_add()\u0026apos;.(CVE-2024-53112)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  bpf: sync_linked_regs() must preserve subreg_def  Range propagation must not affect subreg_def marks, otherwise the following example is rewritten by verifier incorrectly when BPF_F_TEST_RND_HI32 flag is set:    0: call bpf_ktime_get_ns                   call bpf_ktime_get_ns   1: r0 \u0026amp;= 0x7fffffff       after verifier   r0 \u0026amp;= 0x7fffffff   2: w1 = w0                rewrites         w1 = w0   3: if w0 \u0026lt; 10 goto +0     --------------\u0026gt;  r11 = 0x2f5674a6     (r)   4: r1 \u0026gt;\u0026gt;= 32                               r11 \u0026lt;\u0026lt;= 32           (r)   5: r0 = r1                                 r1 |= r11            (r)   6: exit;                                   if w0 \u0026lt; 0xa goto pc+0                                              r1 \u0026gt;\u0026gt;= 32                                              r0 = r1                                              exit  (or zero extension of w1 at (2) is missing for architectures that  require zero extension for upper register half).  The following happens w/o this patch: - r0 is marked as not a subreg at (0); - w1 is marked as subreg at (2); - w1 subreg_def is overridden at (3) by copy_register_state(); - w1 is read at (5) but mark_insn_zext() does not mark (2)   for zero extension, because w1 subreg_def is not set; - because of BPF_F_TEST_RND_HI32 flag verifier inserts random   value for hi32 bits of (2) (marked (r)); - this random value is read at (5).(CVE-2024-53125)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint  When using the \u0026quot;block:block_dirty_buffer\u0026quot; tracepoint, mark_buffer_dirty() may cause a NULL pointer dereference, or a general protection fault when KASAN is enabled.  This happens because, since the tracepoint was added in mark_buffer_dirty(), it references the dev_t member bh-\u0026gt;b_bdev-\u0026gt;bd_dev regardless of whether the buffer head has a pointer to a block_device structure.  In the current implementation, nilfs_grab_buffer(), which grabs a buffer to read (or create) a block of metadata, including b-tree node blocks, does not set the block device, but instead does so only if the buffer is not in the \u0026quot;uptodate\u0026quot; state for each of its caller block reading functions.  However, if the uptodate flag is set on a folio/page, and the buffer heads are detached from it by try_to_free_buffers(), and new buffer heads are then attached by create_empty_buffers(), the uptodate flag may be restored to each buffer without the block device being set to bh-\u0026gt;b_bdev, and mark_buffer_dirty() may be called later in that state, resulting in the bug mentioned above.  Fix this issue by making nilfs_grab_buffer() always set the block device of the super block structure to the buffer head, regardless of the state of the buffer\u0026apos;s uptodate flag.(CVE-2024-53130)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP1","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-136.105.0.186.oe2203sp1"}]}],"ecosystem_specific":{"aarch64":["kernel-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","kernel-debuginfo-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","kernel-debugsource-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","kernel-devel-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","kernel-headers-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","kernel-source-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","kernel-tools-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","kernel-tools-debuginfo-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","kernel-tools-devel-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","perf-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","perf-debuginfo-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","python3-perf-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm","python3-perf-debuginfo-5.10.0-136.105.0.186.oe2203sp1.aarch64.rpm"],"src":["kernel-5.10.0-136.105.0.186.oe2203sp1.src.rpm"],"x86_64":["kernel-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","kernel-debuginfo-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","kernel-debugsource-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","kernel-devel-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","kernel-headers-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","kernel-source-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","kernel-tools-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","kernel-tools-debuginfo-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","kernel-tools-devel-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","perf-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","perf-debuginfo-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","python3-perf-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm","python3-perf-debuginfo-5.10.0-136.105.0.186.oe2203sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2536"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47713"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49861"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49906"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49923"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49977"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49991"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50103"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50116"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50127"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50134"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50187"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50201"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50210"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50267"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50272"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50278"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50290"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50292"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50301"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50302"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53104"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53110"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53112"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53125"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53130"}],"database_specific":{"severity":"High"}}