CVE-2024-47680
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/10/2024
Last modified: 24/10/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: check discard support for conventional zones

As the helper function f2fs_bdev_support_discard() shows, f2fs checks if
the target block devices support discard by calling
bdev_max_discard_sectors() and bdev_is_zoned(). This check works well
for most cases, but it does not work for conventional zones on zoned
block devices. F2fs assumes that zoned block devices support discard,
and calls __submit_discard_cmd(). When __submit_discard_cmd() is called
for sequential write required zones, it works fine since
__submit_discard_cmd() issues zone reset commands instead of discard
commands. However, when __submit_discard_cmd() is called for
conventional zones, __blkdev_issue_discard() is called even when the
devices do not support discard.

The inappropriate __blkdev_issue_discard() call was not a problem before
the commit 30f1e7241422 ("block: move discard checks into the ioctl
handler") because __blkdev_issue_discard() checked if the target devices
support discard or not. If not, it returned EOPNOTSUPP. After the
commit, __blkdev_issue_discard() no longer checks it. It always returns
zero and sets NULL to the given bio pointer. This NULL pointer triggers
f2fs_bug_on() in __submit_discard_cmd(). The BUG is recreated with the
commands below at the umount step, where /dev/nullb0 is a zoned null_blk
with 5GB total size, 128MB zone size and 10 conventional zones.

$ mkfs.f2fs -f -m /dev/nullb0
$ mount /dev/nullb0 /mnt
$ for ((i=0;i
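
The control flow in the description can be traced with a small user-space model. This is an added example, not code from the kernel or from the fix: every type and function name is hypothetical, and the `guard` branch is an assumption based only on the patch title ("check discard support for conventional zones").

```c
/* User-space model of the description; all names are hypothetical, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum zone_type { ZONE_CONVENTIONAL, ZONE_SEQ_WRITE_REQUIRED };
enum outcome { SUBMITTED, ZONE_RESET, NOT_SUPPORTED, BUG_NULL_BIO };
struct model_bdev { unsigned int max_discard_sectors; bool zoned; };
static struct model_bio { int unused; } the_bio;
typedef int (*issue_fn)(const struct model_bdev *, struct model_bio **);

/* Block-layer helper before commit 30f1e7241422: rejects devices without discard. */
static int issue_discard_old(const struct model_bdev *b, struct model_bio **biop)
{
    if (!b->max_discard_sectors) return -EOPNOTSUPP;
    *biop = &the_bio;
    return 0;
}

/* After the commit: no support check, returns 0 and leaves the bio NULL. */
static int issue_discard_new(const struct model_bdev *b, struct model_bio **biop)
{
    *biop = b->max_discard_sectors ? &the_bio : NULL;
    return 0;
}

/* guard=true models an explicit discard-support check for conventional zones. */
static enum outcome submit_discard(const struct model_bdev *b, enum zone_type z,
                                   issue_fn issue, bool guard)
{
    struct model_bio *bio = NULL;
    if (!(b->max_discard_sectors || b->zoned)) /* f2fs_bdev_support_discard() logic */
        return NOT_SUPPORTED;
    if (b->zoned && z == ZONE_SEQ_WRITE_REQUIRED)
        return ZONE_RESET;                     /* zone reset instead of discard */
    if (guard && !b->max_discard_sectors)
        return NOT_SUPPORTED;
    if (issue(b, &bio))
        return NOT_SUPPORTED;
    return bio ? SUBMITTED : BUG_NULL_BIO;     /* NULL bio is where f2fs_bug_on() fires */
}
int main(void)
{
    struct model_bdev nullb = { 0, true };     /* constructed: zoned, no discard */
    printf("old=%d new=%d guarded=%d\n",
           submit_discard(&nullb, ZONE_CONVENTIONAL, issue_discard_old, false),
           submit_discard(&nullb, ZONE_CONVENTIONAL, issue_discard_new, false),
           submit_discard(&nullb, ZONE_CONVENTIONAL, issue_discard_new, true));
    return 0;
}
```
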
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.10 (including) | 6.10.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.2 (excluding) |