In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference. Upstream patch & commit: https://lore.kernel.org/netfilter-devel/20220809163402.20227-1-fw@strlen.de/ https://github.com/torvalds/linux/commit/580077855a40741cf511766129702d97ff02f4d9
This issue was fixed upstream in version 6.0. The kernel packages as shipped in Red Hat Enterprise Linux 8 and 9 were previously updated to a version that contains the fix via the following errata: kernel in Red Hat Enterprise Linux 8 https://access.redhat.com/errata/RHSA-2023:2951 kernel-rt in Red Hat Enterprise Linux 8 https://access.redhat.com/errata/RHSA-2023:2736 kernel in Red Hat Enterprise Linux 9 https://access.redhat.com/errata/RHSA-2022:8267 kernel-rt in Red Hat Enterprise Linux 9 https://access.redhat.com/errata/RHSA-2022:7933
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:5628 https://access.redhat.com/errata/RHSA-2023:5628
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:5627 https://access.redhat.com/errata/RHSA-2023:5627
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:6813 https://access.redhat.com/errata/RHSA-2023:6813