{
  "threat_severity" : "Moderate",
  "public_date" : "2025-02-26T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: cpufreq: governor: Use kobject release() method to free dbs_data",
    "id" : "2348128",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348128"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncpufreq: governor: Use kobject release() method to free dbs_data\nThe struct dbs_data embeds a struct gov_attr_set and\nthe struct gov_attr_set embeds a kobject. Since every kobject must have\na release() method and we can't use kfree() to free it directly,\nso introduce cpufreq_dbs_data_release() to release the dbs_data via\nthe kobject::release() method. This fixes the calltrace like below:\nODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x34\nWARNING: CPU: 12 PID: 810 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100\nModules linked in:\nCPU: 12 PID: 810 Comm: sh Not tainted 5.16.0-next-20220120-yocto-standard+ #536\nHardware name: Marvell OcteonTX CN96XX board (DT)\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : debug_print_object+0xb8/0x100\nlr : debug_print_object+0xb8/0x100\nsp : ffff80001dfcf9a0\nx29: ffff80001dfcf9a0 x28: 0000000000000001 x27: ffff0001464f0000\nx26: 0000000000000000 x25: ffff8000090e3f00 x24: ffff80000af60210\nx23: ffff8000094dfb78 x22: ffff8000090e3f00 x21: ffff0001080b7118\nx20: ffff80000aeb2430 x19: ffff800009e8f5e0 x18: 0000000000000000\nx17: 0000000000000002 x16: 00004d62e58be040 x15: 013590470523aff8\nx14: ffff8000090e1828 x13: 0000000001359047 x12: 00000000f5257d14\nx11: 0000000000040591 x10: 0000000066c1ffea x9 : ffff8000080d15e0\nx8 : ffff80000a1765a8 x7 : 0000000000000000 x6 : 0000000000000001\nx5 : ffff800009e8c000 x4 : ffff800009e8c760 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0001474ed040\nCall trace:\ndebug_print_object+0xb8/0x100\n__debug_check_no_obj_freed+0x1d0/0x25c\ndebug_check_no_obj_freed+0x24/0xa0\nkfree+0x11c/0x440\ncpufreq_dbs_governor_exit+0xa8/0xac\ncpufreq_exit_governor+0x44/0x90\ncpufreq_set_policy+0x29c/0x570\nstore_scaling_governor+0x110/0x154\nstore+0xb0/0xe0\nsysfs_kf_write+0x58/0x84\nkernfs_fop_write_iter+0x12c/0x1c0\nnew_sync_write+0xf0/0x18c\nvfs_write+0x1cc/0x220\nksys_write+0x74/0x100\n__arm64_sys_write+0x28/0x3c\ninvoke_syscall.constprop.0+0x58/0xf0\ndo_el0_svc+0x70/0x170\nel0_svc+0x54/0x190\nel0t_64_sync_handler+0xa4/0x130\nel0t_64_sync+0x1a0/0x1a4\nirq event stamp: 189006\nhardirqs last  enabled at (189005): [<ffff8000080849d0>] finish_task_switch.isra.0+0xe0/0x2c0\nhardirqs last disabled at (189006): [<ffff8000090667a4>] el1_dbg+0x24/0xa0\nsoftirqs last  enabled at (188966): [<ffff8000080106d0>] __do_softirq+0x4b0/0x6a0\nsoftirqs last disabled at (188957): [<ffff80000804a618>] __irq_exit_rcu+0x108/0x1a4\n[ rjw: Because can be freed by the gov_attr_set_put() in\ncpufreq_dbs_governor_exit() now, it is also necessary to put the\ninvocation of the governor ->exit() callback into the new\ncpufreq_dbs_data_release() function. ]", "A vulnerability was found in the Linux kernel's cpufreq subsystem. The `dbs_data` struct, which embeds a `kobject`, is freed directly with `kfree()` rather than through the kobject's `release()` method. This issue can lead to a use-after-free scenario, resulting in system instability, memory corruption, or potential arbitrary code execution." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49513\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49513\nhttps://lore.kernel.org/linux-cve-announce/2025022609-CVE-2022-49513-f147@gregkh/T" ],
  "name" : "CVE-2022-49513",
  "csaw" : false
}