CVE-2024-37021: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-37021 affects the Linux kernel's FPGA manager implementation. The vulnerability was discovered in June 2024 and involves a potential null pointer dereference in the FPGA manager module. The issue affects Linux kernel versions from 4.4 up to (excluding) 6.1.120, from 6.2 up to (excluding) 6.6.33, and from 6.7 up to (excluding) 6.9.4 (NVD).

The vulnerability stems from the FPGA manager's implementation assuming that the low-level module registers a driver for the parent device and uses its owner pointer to take the module's refcount. This assumption can lead to a null pointer dereference when attempting to get the manager if the parent device does not have a driver. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

If exploited, this vulnerability can lead to a denial of service condition through a system crash when attempting to access the FPGA manager functionality with an invalid parent device driver configuration (Kernel Patch).

The issue has been fixed by adding a module owner pointer to the fpga_manager struct and modifying the functions for registering the manager to take an additional owner module parameter. The fix includes renaming functions to avoid conflicts and using helper macros that automatically set the module that registers the manager as the owner. Updates are available in the Linux kernel patches (Kernel Patch).