{ "threat_severity" : "Moderate", "public_date" : "2024-10-21T00:00:00Z", "bugzilla" : { "description" : "kernel: netfilter: flowtable_offload: fix using __this_cpu_add in preemptible", "id" : "2320792", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320792" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-362", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: flowtable_offload: fix using __this_cpu_add in preemptible\nflow_offload_queue_work() can be called in workqueue without\nbh disabled, like the call trace showed in my act_ct testing,\ncalling NF_FLOW_TABLE_STAT_INC() there would cause a call\ntrace:\nBUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560\ncaller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]\nWorkqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct]\nCall Trace:\n\ndump_stack_lvl+0x33/0x46\ncheck_preemption_disabled+0xc3/0xf0\nflow_offload_queue_work+0xec/0x1b0 [nf_flow_table]\nnf_flow_table_iterate+0x138/0x170 [nf_flow_table]\nnf_flow_table_free+0x140/0x1a0 [nf_flow_table]\ntcf_ct_flow_table_cleanup_work+0x2f/0x2b0 [act_ct]\nprocess_one_work+0x6a3/0x1030\nworker_thread+0x8a/0xdf0\nThis patch fixes it by using NF_FLOW_TABLE_STAT_INC_ATOMIC()\ninstead in flow_offload_queue_work().\nNote that for FLOW_CLS_REPLACE branch in flow_offload_queue_work(),\nit may not be called in preemptible path, but it's good to use\nNF_FLOW_TABLE_STAT_INC_ATOMIC() for all cases in\nflow_offload_queue_work()." ], "statement" : "This issue is fixed in RHEL-9.2 and above:\n~~~\nin (rhel-9.2, rhel-9.3, rhel-9.4, rhel-9.5, rhel-9.6) netfilter: flowtable_offload: fix using __this_cpu_add in preemptible\n~~~\nPlease note that while RHEL-9 kernel-rt still appears as affected, it has been fixed in the same RHSA as RHEL-9 kernel. This is because from RHEL-9.3 onwards, the kernel and kernel-rt fixes are bundled together in a single errata.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-48976\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48976\nhttps://lore.kernel.org/linux-cve-announce/2024102145-CVE-2022-48976-2980@gregkh/T" ], "name" : "CVE-2022-48976", "csaw" : false }