CVE-2024-47680: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-47680 affects the Linux kernel's F2FS (Flash-Friendly File System) implementation. The vulnerability was discovered in the way F2FS handles discard operations for conventional zones on zoned block devices. The issue affects Linux kernel versions from 6.10 up to (excluding) 6.10.13 and from 6.11 up to (excluding) 6.11.2 (NVD).

The vulnerability stems from F2FS's incorrect handling of discard operations. The helper function f2fs_bdev_support_discard() checks if block devices support discard by calling bdev_max_discard_sectors() and bdev_is_zoned(). While this works for most cases, it fails for conventional zones on zoned block devices. After commit 30f1e7241422, __blkdev_issue_discard() no longer checks if devices support discard operations, instead always returning zero and setting NULL to the bio pointer. This NULL pointer triggers f2fs_bug_on() in __submit_discard_cmd(). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

When exploited, this vulnerability can cause a denial of service (system crash) through a NULL pointer dereference when unmounting an F2FS filesystem on a zoned block device that has conventional zones not supporting discard operations (NVD).

The vulnerability has been fixed in Linux kernel versions 6.10.13 and 6.11.2. The fix involves checking if the device supports discard operations for conventional zones before issuing discard commands, and returning EOPNOTSUPP if discard is not supported (Kernel Patch).