CVE-2024-53130

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
04/12/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint

When using the "block:block_dirty_buffer" tracepoint, mark_buffer_dirty() may cause a NULL pointer dereference, or a general protection fault when KASAN is enabled.

This happens because, since the tracepoint was added in mark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev regardless of whether the buffer head has a pointer to a block_device structure.

In the current implementation, nilfs_grab_buffer(), which grabs a buffer to read (or create) a block of metadata, including b-tree node blocks, does not set the block device, but instead does so only if the buffer is not in the "uptodate" state for each of its caller block reading functions. However, if the uptodate flag is set on a folio/page, and the buffer heads are detached from it by try_to_free_buffers(), and new buffer heads are then attached by create_empty_buffers(), the uptodate flag may be restored to each buffer without the block device being set to bh->b_bdev, and mark_buffer_dirty() may be called later in that state, resulting in the bug mentioned above.

Fix this issue by making nilfs_grab_buffer() always set the block device of the super block structure to the buffer head, regardless of the state of the buffer's uptodate flag.
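The following is an added, constructed userspace model of the sequence the description walks through; it is not kernel code and not part of the nilfs2 fix. The struct and function names (model_create_empty_buffers, model_grab_buffer_old, model_grab_buffer_fixed, replay_dirty_after_reattach, the sample bd_dev value) are assumptions chosen to mirror the advisory's wording. It replays the detach/reattach of buffer heads on an already-uptodate folio and shows why the old grab path leaves b_bdev NULL when the tracepoint fires, while the fixed path, which always sets the super block's block device, does not:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model of the buffer-head lifecycle from the
 * advisory. Names mirror the kernel's, bodies are toys; none of this is
 * kernel code. */
struct block_device { unsigned int bd_dev; };
struct super_block  { struct block_device *s_bdev; };
struct buffer_head  { struct block_device *b_bdev; bool uptodate; bool dirty; };
struct folio        { bool uptodate; struct buffer_head bh; };

/* Model of create_empty_buffers(): a freshly attached buffer head carries no
 * block device but inherits the uptodate state of its folio. */
static void model_create_empty_buffers(struct folio *folio)
{
    folio->bh.b_bdev   = NULL;
    folio->bh.uptodate = folio->uptodate;
    folio->bh.dirty    = false;
}

/* Model of the block:block_dirty_buffer tracepoint, which reads
 * bh->b_bdev->bd_dev unconditionally. Returns -1 instead of faulting when
 * b_bdev is NULL so the model stays runnable (the real kernel would
 * NULL-deref, or GPF under KASAN). */
static long model_trace_block_dirty_buffer(const struct buffer_head *bh)
{
    if (bh->b_bdev == NULL)
        return -1;
    return (long)bh->b_bdev->bd_dev;
}

/* Model of mark_buffer_dirty(): fires the tracepoint, then marks dirty. */
static long model_mark_buffer_dirty(struct buffer_head *bh)
{
    long traced = model_trace_block_dirty_buffer(bh);
    bh->dirty = true;
    return traced;
}

/* Model of nilfs_grab_buffer() before the fix: the caller's read path sets
 * b_bdev only when the buffer is not already uptodate. */
static struct buffer_head *model_grab_buffer_old(struct super_block *sb,
                                                 struct folio *folio)
{
    struct buffer_head *bh = &folio->bh;
    if (!bh->uptodate)
        bh->b_bdev = sb->s_bdev;   /* set only on the way to a block read */
    return bh;
}

/* Model of nilfs_grab_buffer() after the fix: always attach the super
 * block's block device, whatever the uptodate flag says. */
static struct buffer_head *model_grab_buffer_fixed(struct super_block *sb,
                                                   struct folio *folio)
{
    struct buffer_head *bh = &folio->bh;
    bh->b_bdev = sb->s_bdev;
    return bh;
}

/* Replays the advisory's sequence: buffer heads dropped by
 * try_to_free_buffers(), recreated by create_empty_buffers() on a folio
 * whose uptodate state is folio_uptodate, then grabbed and marked dirty.
 * Returns the dev_t the tracepoint read, or -1 if it read through NULL. */
long replay_dirty_after_reattach(bool folio_uptodate, bool fixed)
{
    struct block_device bdev = { .bd_dev = 0x0801u };   /* constructed sample dev_t */
    struct super_block sb = { .s_bdev = &bdev };
    struct folio folio = { .uptodate = folio_uptodate };

    model_create_empty_buffers(&folio);   /* state after try_to_free_buffers() */
    struct buffer_head *bh = fixed ? model_grab_buffer_fixed(&sb, &folio)
                                   : model_grab_buffer_old(&sb, &folio);
    return model_mark_buffer_dirty(bh);
}

int main(void)
{
    printf("old grab, folio uptodate:     %ld (NULL b_bdev)\n",
           replay_dirty_after_reattach(true, false));
    printf("old grab, folio not uptodate: %ld\n",
           replay_dirty_after_reattach(false, false));
    printf("fixed grab, folio uptodate:   %ld\n",
           replay_dirty_after_reattach(true, true));
    return 0;
}
```

The -1 return is the model's stand-in for the fault: only the combination of an uptodate folio and the old grab path reaches the tracepoint with b_bdev unset, which is the window the fix closes by setting the device on every grab.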

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.9 (including) 6.1.119 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.0 (including) 6.6.63 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11.0 (including) 6.11.10 (excluding)