CVE-2024-47809

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.74

Description: A possible null pointer dereference issue has been identified in the Linux kernel. This issue occurs when the request lock() function is called and lkb->lkb resource is not assigned yet, which happens before validate lock args() is called by attach lkb(). Another issue is that a resource name could be a non-printable bytearray, and it cannot be assumed to be ASCII coded. The log functionality is probably never hit when DLM is used normally and no debug logging is enabled. The null pointer dereference can only occur on a newly created lkb that does not have the resource assigned yet.

Recommendations: For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider disabling the request lock() function until a patch is available. Restrict access to the dlm module to minimize the risk of exploitation. Avoid using the lkb resource variable in the affected code until the issue is resolved.