In nft_dynset_init(), dynset_expr->ops is checked against set->exprs[i]->ops at (0) and set->exprs[i] may be NULL here. If set->num_exprs == 1, which means set->exprs[1] is NULL, and i == 1, the check at (1) will be passed and set->exprs[1] will be accessed, causing a kernel crash. Refer: https://github.com/torvalds/linux/commit/3701cd390fd731ee7ae8b8006246c8db82c72bea
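A user-space model of the condition described above, added here as an example; it is not the kernel's code and not part of the original report. The struct layout, `SET_EXPR_MAX`, the function names and the error codes are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>

#define SET_EXPR_MAX 2  /* assumed size of the per-set expression array */

struct expr_ops { const char *name; };
struct expr { const struct expr_ops *ops; };

/* Model of the set: only the first num_exprs slots of exprs[] are non-NULL. */
struct set_model {
    struct expr *exprs[SET_EXPR_MAX];
    unsigned int num_exprs;
};

/* Unguarded shape of the check: i is never compared with num_exprs, so
 * exprs[i] can be an empty slot. Returns 1 when reading exprs[i]->ops would
 * dereference NULL, without performing the access. */
static int unchecked_compare_hits_null(const struct set_model *set, unsigned int i)
{
    return set->num_exprs && i < SET_EXPR_MAX && set->exprs[i] == NULL;
}

/* Guarded shape: bound i by num_exprs before touching exprs[i]. */
static int check_dynset_expr(const struct set_model *set,
                             const struct expr *dynset_expr, unsigned int i)
{
    if (i >= SET_EXPR_MAX)
        return -E2BIG;
    if (set->num_exprs) {
        if (i >= set->num_exprs)
            return -EOPNOTSUPP;  /* more dynset expressions than the set holds */
        if (dynset_expr->ops != set->exprs[i]->ops)
            return -EOPNOTSUPP;  /* expression type differs from the set's */
    }
    return 0;
}

/* Constructed sample: the set has one expression, so exprs[1] is NULL. */
static const struct expr_ops counter_ops = { "counter" };
static struct expr set_expr = { &counter_ops };
static struct expr dyn_expr = { &counter_ops };
static struct set_model sample_set = { { &set_expr, NULL }, 1 };

int main(void)
{
    return !(unchecked_compare_hits_null(&sample_set, 1) &&
             check_dynset_expr(&sample_set, &dyn_expr, 0) == 0 &&
             check_dynset_expr(&sample_set, &dyn_expr, 1) == -EOPNOTSUPP);
}
```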
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2253633]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138