{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48644", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-25T13:44:28.316Z", "datePublished": "2024-04-28T13:00:07.584Z", "dateUpdated": "2025-05-04T08:20:22.221Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:20:22.221Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: avoid disabling offload when it was never enabled\n\nIn an incredibly strange API design decision, qdisc->destroy() gets\ncalled even if qdisc->init() never succeeded, not exclusively since\ncommit 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\"),\nbut apparently also earlier (in the case of qdisc_create_dflt()).\n\nThe taprio qdisc does not fully acknowledge this when it attempts full\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\n\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\n\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\nan invalid set of flags.\n\nAs a result, it is possible to crash the kernel if user space forces an\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\nof taprio_enable_offload(). This is because drivers do not expect the\noffload to be disabled when it was never enabled.\n\nThe error that we force here is to attach taprio as a non-root qdisc,\nbut instead as child of an mqprio root qdisc:\n\n$ tc qdisc add dev swp0 root handle 1: \\\n\tmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc qdisc replace dev swp0 parent 1:1 \\\n\ttaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\n\tflags 0x0 clockid CLOCK_TAI\nUnable to handle kernel paging request at virtual address fffffffffffffff8\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCall trace:\n taprio_dump+0x27c/0x310\n vsc9959_port_setup_tc+0x1f4/0x460\n felix_port_setup_tc+0x24/0x3c\n dsa_slave_setup_tc+0x54/0x27c\n taprio_disable_offload.isra.0+0x58/0xe0\n taprio_destroy+0x80/0x104\n qdisc_create+0x240/0x470\n tc_modify_qdisc+0x1fc/0x6b0\n rtnetlink_rcv_msg+0x12c/0x390\n netlink_rcv_skb+0x5c/0x130\n rtnetlink_rcv+0x1c/0x2c\n\nFix this by keeping track of the operations we made, and undo the\noffload only if we actually did it.\n\nI've added \"bool offloaded\" inside a 4 byte hole between \"int clockid\"\nand \"atomic64_t picos_per_byte\". Now the first cache line looks like\nbelow:\n\n$ pahole -C taprio_sched net/sched/sch_taprio.o\nstruct taprio_sched {\n struct Qdisc * * qdiscs; /* 0 8 */\n struct Qdisc * root; /* 8 8 */\n u32 flags; /* 16 4 */\n enum tk_offsets tk_offset; /* 20 4 */\n int clockid; /* 24 4 */\n bool offloaded; /* 28 1 */\n\n /* XXX 3 bytes hole, try to pack */\n\n atomic64_t picos_per_byte; /* 32 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n spinlock_t current_entry_lock; /* 40 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n struct sched_entry * current_entry; /* 48 8 */\n struct sched_gate_list * oper_sched; /* 56 8 */\n /* --- cacheline 1 boundary (64 bytes) --- */"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_taprio.c"], "versions": [{"version": "9c66d15646760eb8982242b4531c4d4fd36118fd", "lessThan": "d12a1eb07003e597077329767c6aa86a7e972c76", "status": "affected", "versionType": "git"}, {"version": "9c66d15646760eb8982242b4531c4d4fd36118fd", "lessThan": "586def6ebed195f3594a4884f7c5334d0e1ad1bb", "status": "affected", "versionType": "git"}, {"version": "9c66d15646760eb8982242b4531c4d4fd36118fd", "lessThan": "f58e43184226e5e9662088ccf1389e424a3a4cbd", "status": "affected", "versionType": "git"}, {"version": "9c66d15646760eb8982242b4531c4d4fd36118fd", "lessThan": "c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323", "status": "affected", "versionType": "git"}, {"version": "9c66d15646760eb8982242b4531c4d4fd36118fd", "lessThan": "db46e3a88a09c5cf7e505664d01da7238cd56c92", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_taprio.c"], "versions": [{"version": "5.4", "status": "affected"}, {"version": "0", "lessThan": "5.4", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.215", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.146", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.71", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19.12", "lessThanOrEqual": "5.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.4.215"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.10.146"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.15.71"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76"}, {"url": "https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb"}, {"url": "https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd"}, {"url": "https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323"}, {"url": "https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92"}], "title": "net/sched: taprio: avoid disabling offload when it was never enabled", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:17:55.454Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48644", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:46:17.630673Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:11.100Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:17:55.454Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48644", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:46:17.630673Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:15.095Z"}}], "cna": {"title": "net/sched: taprio: avoid disabling offload when it was never enabled", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "9c66d15646760eb8982242b4531c4d4fd36118fd", "lessThan": "d12a1eb07003e597077329767c6aa86a7e972c76", "versionType": "git"}, {"status": "affected", "version": "9c66d15646760eb8982242b4531c4d4fd36118fd", "lessThan": "586def6ebed195f3594a4884f7c5334d0e1ad1bb", "versionType": "git"}, {"status": "affected", "version": "9c66d15646760eb8982242b4531c4d4fd36118fd", "lessThan": "f58e43184226e5e9662088ccf1389e424a3a4cbd", "versionType": "git"}, {"status": "affected", "version": "9c66d15646760eb8982242b4531c4d4fd36118fd", "lessThan": "c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323", "versionType": "git"}, {"status": "affected", "version": "9c66d15646760eb8982242b4531c4d4fd36118fd", "lessThan": "db46e3a88a09c5cf7e505664d01da7238cd56c92", "versionType": "git"}], "programFiles": ["net/sched/sch_taprio.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.4"}, {"status": "unaffected", "version": "0", "lessThan": "5.4", "versionType": "semver"}, {"status": "unaffected", "version": "5.4.215", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.146", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.71", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.19.12", "versionType": "semver", "lessThanOrEqual": "5.19.*"}, {"status": "unaffected", "version": "6.0", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/sched/sch_taprio.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76"}, {"url": "https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb"}, {"url": "https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd"}, {"url": "https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323"}, {"url": "https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: avoid disabling offload when it was never enabled\n\nIn an incredibly strange API design decision, qdisc->destroy() gets\ncalled even if qdisc->init() never succeeded, not exclusively since\ncommit 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\"),\nbut apparently also earlier (in the case of qdisc_create_dflt()).\n\nThe taprio qdisc does not fully acknowledge this when it attempts full\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\n\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\n\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\nan invalid set of flags.\n\nAs a result, it is possible to crash the kernel if user space forces an\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\nof taprio_enable_offload(). This is because drivers do not expect the\noffload to be disabled when it was never enabled.\n\nThe error that we force here is to attach taprio as a non-root qdisc,\nbut instead as child of an mqprio root qdisc:\n\n$ tc qdisc add dev swp0 root handle 1: \\\n\tmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc qdisc replace dev swp0 parent 1:1 \\\n\ttaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\n\tflags 0x0 clockid CLOCK_TAI\nUnable to handle kernel paging request at virtual address fffffffffffffff8\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCall trace:\n taprio_dump+0x27c/0x310\n vsc9959_port_setup_tc+0x1f4/0x460\n felix_port_setup_tc+0x24/0x3c\n dsa_slave_setup_tc+0x54/0x27c\n taprio_disable_offload.isra.0+0x58/0xe0\n taprio_destroy+0x80/0x104\n qdisc_create+0x240/0x470\n tc_modify_qdisc+0x1fc/0x6b0\n rtnetlink_rcv_msg+0x12c/0x390\n netlink_rcv_skb+0x5c/0x130\n rtnetlink_rcv+0x1c/0x2c\n\nFix this by keeping track of the operations we made, and undo the\noffload only if we actually did it.\n\nI've added \"bool offloaded\" inside a 4 byte hole between \"int clockid\"\nand \"atomic64_t picos_per_byte\". Now the first cache line looks like\nbelow:\n\n$ pahole -C taprio_sched net/sched/sch_taprio.o\nstruct taprio_sched {\n struct Qdisc * * qdiscs; /* 0 8 */\n struct Qdisc * root; /* 8 8 */\n u32 flags; /* 16 4 */\n enum tk_offsets tk_offset; /* 20 4 */\n int clockid; /* 24 4 */\n bool offloaded; /* 28 1 */\n\n /* XXX 3 bytes hole, try to pack */\n\n atomic64_t picos_per_byte; /* 32 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n spinlock_t current_entry_lock; /* 40 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n struct sched_entry * current_entry; /* 48 8 */\n struct sched_gate_list * oper_sched; /* 56 8 */\n /* --- cacheline 1 boundary (64 bytes) --- */"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.215", "versionStartIncluding": "5.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.146", "versionStartIncluding": "5.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.71", "versionStartIncluding": "5.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.19.12", "versionStartIncluding": "5.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.0", "versionStartIncluding": "5.4"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:20:22.221Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48644", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:20:22.221Z", "dateReserved": "2024-02-25T13:44:28.316Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-28T13:00:07.584Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E55C802-5C45-4F58-858E-BA6E376D2D4E", "versionEndExcluding": "5.4.215", "versionStartIncluding": "5.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9C1CF48-9C3A-4236-8546-BD32D742BFB7", "versionEndExcluding": "5.10.146", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "080C1827-D257-4D5A-9071-779EF7F5EF0B", "versionEndExcluding": "5.15.71", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "03B0F56B-C5CC-4E81-BB51-D07D569DE4CA", "versionEndExcluding": "5.19.12", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "5F0AD220-F6A9-4012-8636-155F1B841FAD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "A46498B3-78E1-4623-AAE1-94D29A42BE4E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "F8446E87-F5F6-41CA-8201-BAE0F0CA6DD9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "8E5FB72F-67CE-43CC-83FE-541604D98182", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "3A0A7397-F5F8-4753-82DC-9A11288E696D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: avoid disabling offload when it was never enabled\n\nIn an incredibly strange API design decision, qdisc->destroy() gets\ncalled even if qdisc->init() never succeeded, not exclusively since\ncommit 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\"),\nbut apparently also earlier (in the case of qdisc_create_dflt()).\n\nThe taprio qdisc does not fully acknowledge this when it attempts full\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\n\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\n\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\nan invalid set of flags.\n\nAs a result, it is possible to crash the kernel if user space forces an\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\nof taprio_enable_offload(). This is because drivers do not expect the\noffload to be disabled when it was never enabled.\n\nThe error that we force here is to attach taprio as a non-root qdisc,\nbut instead as child of an mqprio root qdisc:\n\n$ tc qdisc add dev swp0 root handle 1: \\\n\tmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc qdisc replace dev swp0 parent 1:1 \\\n\ttaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\n\tflags 0x0 clockid CLOCK_TAI\nUnable to handle kernel paging request at virtual address fffffffffffffff8\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCall trace:\n taprio_dump+0x27c/0x310\n vsc9959_port_setup_tc+0x1f4/0x460\n felix_port_setup_tc+0x24/0x3c\n dsa_slave_setup_tc+0x54/0x27c\n taprio_disable_offload.isra.0+0x58/0xe0\n taprio_destroy+0x80/0x104\n qdisc_create+0x240/0x470\n tc_modify_qdisc+0x1fc/0x6b0\n rtnetlink_rcv_msg+0x12c/0x390\n netlink_rcv_skb+0x5c/0x130\n rtnetlink_rcv+0x1c/0x2c\n\nFix this by keeping track of the operations we made, and undo the\noffload only if we actually did it.\n\nI've added \"bool offloaded\" inside a 4 byte hole between \"int clockid\"\nand \"atomic64_t picos_per_byte\". Now the first cache line looks like\nbelow:\n\n$ pahole -C taprio_sched net/sched/sch_taprio.o\nstruct taprio_sched {\n struct Qdisc * * qdiscs; /* 0 8 */\n struct Qdisc * root; /* 8 8 */\n u32 flags; /* 16 4 */\n enum tk_offsets tk_offset; /* 20 4 */\n int clockid; /* 24 4 */\n bool offloaded; /* 28 1 */\n\n /* XXX 3 bytes hole, try to pack */\n\n atomic64_t picos_per_byte; /* 32 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n spinlock_t current_entry_lock; /* 40 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n struct sched_entry * current_entry; /* 48 8 */\n struct sched_gate_list * oper_sched; /* 56 8 */\n /* --- cacheline 1 boundary (64 bytes) --- */"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: taprio: evita deshabilitar la descarga cuando nunca estuvo habilitada. En una decisi\u00f3n de dise\u00f1o de API incre\u00edblemente extra\u00f1a, se llama a qdisc->destroy() incluso si qdisc->init() nunca tuvo \u00e9xito, no exclusivamente desde el commit 87b60cfacf9f (\"net_sched: corregir recuperaci\u00f3n de error en la creaci\u00f3n de qdisc\"), sino aparentemente tambi\u00e9n antes (en el caso de qdisc_create_dflt()). La qdisc taprio no reconoce completamente esto cuando intenta una descarga completa, porque comienza con q->flags = TAPRIO_FLAGS_INVALID en taprio_init(), luego reemplaza q->flags con TCA_TAPRIO_ATTR_FLAGS analizado desde netlink (en taprio_change(), cola llamada de taprio_init()). Pero en taprio_destroy(), llamamos a taprio_disable_offload(), y esto determina qu\u00e9 hacer en funci\u00f3n de FULL_OFFLOAD_IS_ENABLED(q->flags). Pero al observar la implementaci\u00f3n de FULL_OFFLOAD_IS_ENABLED() (una verificaci\u00f3n bit a bit del bit 1 en q->flags), no es v\u00e1lido llamar a esta macro en q->flags cuando contiene TAPRIO_FLAGS_INVALID, porque est\u00e1 configurado en U32_MAX y, por lo tanto, FULL_OFFLOAD_IS_ENABLED () devolver\u00e1 verdadero en un conjunto de indicadores no v\u00e1lido. Como resultado, es posible bloquear el kernel si el espacio del usuario fuerza un error entre configurar q->flags = TAPRIO_FLAGS_INVALID y la llamada de taprio_enable_offload(). Esto se debe a que los conductores no esperan que se deshabilite la descarga cuando nunca estuvo habilitada. El error que forzamos aqu\u00ed es adjuntar taprio como una qdisc no ra\u00edz, sino como hija de una qdisc ra\u00edz mqprio: $ tc qdisc add dev swp0 root handle 1: \\ mqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\ colas 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc qdisc reemplazar dev swp0 padre 1:1 \\ taprio num_tc 8 map 0 1 2 3 4 5 6 7 \\ colas 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 tiempo base 0 \\ entrada programada S 0x7f 990000 entrada programada S 0x80 100000 \\ banderas 0x0 clockid CLOCK_TAI No se puede para manejar la solicitud de paginaci\u00f3n del kernel en la direcci\u00f3n virtual ffffffffffffffff8 [ffffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000 Error interno: Vaya: 96000004 [#1] Seguimiento de llamada SMP PREEMPT: taprio_dump+0x27c/0x310 vsc9959_port _setup_tc+0x1f4/0x460 felix_port_setup_tc+0x24/0x3c dsa_slave_setup_tc +0x54/0x27c taprio_disable_offload.isra.0+0x58/0xe0 taprio_destroy+0x80/0x104 qdisc_create+0x240/0x470 tc_modify_qdisc+0x1fc/0x6b0 rtnetlink_rcv_msg+0x12c/0x390 x5c/0x130 rtnetlink_rcv+0x1c/0x2c Solucione este problema manteniendo un registro de operaciones que hicimos, y deshacer la descarga solo si realmente lo hicimos. Agregu\u00e9 \"bool descargado\" dentro de un hueco de 4 bytes entre \"int clockid\" y \"atomic64_t picos_per_byte\". Ahora la primera l\u00ednea de cach\u00e9 se ve as\u00ed: $ pahole -C taprio_sched net/sched/sch_taprio.o struct taprio_sched { struct Qdisc * * qdiscs; /* 0 8 */ struct Qdisc * ra\u00edz; /* 8 8 */ u32 banderas; /* 16 4 */ enum tk_offsets tk_offset; /* 20 4 */ int relojid; /* 24 4 */ bool descargado; /* 28 1 */ /* XXX agujero de 3 bytes, intenta empaquetar */ atomic64_t picos_per_byte; /* 32 0 */ /* XXX agujero de 8 bytes, intenta empaquetar */ spinlock_t current_entry_lock; /* 40 0 */ /* XXX agujero de 8 bytes, intenta empaquetar */ struct sched_entry * current_entry; /* 48 8 */ struct sched_gate_list * oper_sched; /* 56 8 */ /* --- l\u00edmite de l\u00ednea de cach\u00e9 1 (64 bytes) --- */"}], "id": "CVE-2022-48644", "lastModified": "2025-09-19T14:57:19.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-28T13:15:07.087", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net/sched: taprio: avoid disabling offload when it was never enabled", "id": "2277819", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2277819"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-824", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: taprio: avoid disabling offload when it was never enabled\nIn an incredibly strange API design decision, qdisc->destroy() gets\ncalled even if qdisc->init() never succeeded, not exclusively since\ncommit 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\"),\nbut apparently also earlier (in the case of qdisc_create_dflt()).\nThe taprio qdisc does not fully acknowledge this when it attempts full\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\nan invalid set of flags.\nAs a result, it is possible to crash the kernel if user space forces an\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\nof taprio_enable_offload(). This is because drivers do not expect the\noffload to be disabled when it was never enabled.\nThe error that we force here is to attach taprio as a non-root qdisc,\nbut instead as child of an mqprio root qdisc:\n$ tc qdisc add dev swp0 root handle 1: \\\nmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\nqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc qdisc replace dev swp0 parent 1:1 \\\ntaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\nqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\nsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\nflags 0x0 clockid CLOCK_TAI\nUnable to handle kernel paging request at virtual address fffffffffffffff8\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCall trace:\ntaprio_dump+0x27c/0x310\nvsc9959_port_setup_tc+0x1f4/0x460\nfelix_port_setup_tc+0x24/0x3c\ndsa_slave_setup_tc+0x54/0x27c\ntaprio_disable_offload.isra.0+0x58/0xe0\ntaprio_destroy+0x80/0x104\nqdisc_create+0x240/0x470\ntc_modify_qdisc+0x1fc/0x6b0\nrtnetlink_rcv_msg+0x12c/0x390\nnetlink_rcv_skb+0x5c/0x130\nrtnetlink_rcv+0x1c/0x2c\nFix this by keeping track of the operations we made, and undo the\noffload only if we actually did it.\nI've added \"bool offloaded\" inside a 4 byte hole between \"int clockid\"\nand \"atomic64_t picos_per_byte\". Now the first cache line looks like\nbelow:\n$ pahole -C taprio_sched net/sched/sch_taprio.o\nstruct taprio_sched {\nstruct Qdisc * * qdiscs; /* 0 8 */\nstruct Qdisc * root; /* 8 8 */\nu32 flags; /* 16 4 */\nenum tk_offsets tk_offset; /* 20 4 */\nint clockid; /* 24 4 */\nbool offloaded; /* 28 1 */\n/* XXX 3 bytes hole, try to pack */\natomic64_t picos_per_byte; /* 32 0 */\n/* XXX 8 bytes hole, try to pack */\nspinlock_t current_entry_lock; /* 40 0 */\n/* XXX 8 bytes hole, try to pack */\nstruct sched_entry * current_entry; /* 48 8 */\nstruct sched_gate_list * oper_sched; /* 56 8 */\n/* --- cacheline 1 boundary (64 bytes) --- */", "A flaw was found in the Linux kernel\u2019s Time-Aware Priority Shaper (taprio) scheduler. The issue arises because the taprio scheduler attempts to disable hardware offload, even if it was never enabled, due to an unusual API design. This issue can result in improper handling and potential system instability."], "name": "CVE-2022-48644", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48644\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48644\nhttps://lore.kernel.org/linux-cve-announce/2024042856-CVE-2022-48644-757e@gregkh/T"], "statement": "The vulnerability has a CVSS v3 score of 6.1, reflecting the potential for local attackers to exploit and impact system availability. However, confidentiality and integrity are less affected by this issue. The vulnerability was resolved by modifying the kernel to ensure offload disabling only occurs when it was actually enabled.", "threat_severity": "Moderate"}

{"created": "2025-07-12T22:44:50.083129+00:00", "updated": "2025-07-12T22:44:50.083178+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}