CVE-2021-47562— ice: fix vsi->txq_map sizing
Affected Version Matrix 8
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | efc2214b6047b6f5b4ca53151eba62521b9452d6< 1eb5395add786613c7c5579d3947aa0b8f0ec241 | affected |
efc2214b6047b6f5b4ca53151eba62521b9452d6< 992ba40a67638dfe2772b84dfc8168dc328d5c4c | affected | ||
efc2214b6047b6f5b4ca53151eba62521b9452d6< 792b2086584f25d84081a526beee80d103c2a913 | affected | ||
5.5 | affected | ||
< 5.5 | unaffected | ||
5.10.83≤ 5.10.* | unaffected | ||
5.15.6≤ 5.15.* | unaffected | ||
5.16≤ * | unaffected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-47562
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ice: fix vsi->txq_map sizing
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ice: fix vsi->txq_map sizing The approach of having XDP queue per CPU regardless of user's setting exposed a hidden bug that could occur in case when Rx queue count differ from Tx queue count. Currently vsi->txq_map's size is equal to the doubled vsi->alloc_txq, which is not correct due to the fact that XDP rings were previously based on the Rx queue count. Below splat can be seen when ethtool -L is used and XDP rings are configured: [ 682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f [ 682.883403] #PF: supervisor read access in kernel mode [ 682.889345] #PF: error_code(0x0000) - not-present page [ 682.895289] PGD 0 P4D 0 [ 682.898218] Oops: 0000 [#1] PREEMPT SMP PTI [ 682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G OE 5.15.0-rc5+ #1 [ 682.912214] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016 [ 682.923380] RIP: 0010:devres_remove+0x44/0x130 [ 682.928527] Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f <4c> 3b 63 10 74 25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8 [ 682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002 [ 682.956285] RAX: 0000000000000286 RBX: ffffffffffffffff RCX: ffff88908343a370 [ 682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000 [ 682.972789] RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000 [ 682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12: ffffffff81690d60 [ 682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c [ 682.997535] FS: 00007f08c7bfa740(0000) GS:ffff88a03fd00000(0000) knlGS:0000000000000000 [ 683.006910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 683.013557] CR2: 000000000000000f CR3: 0000001080a66003 CR4: 00000000003706e0 [ 683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 683.030075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 683.038336] Call Trace: [ 683.041167] devm_kfree+0x33/0x50 [ 683.045004] ice_vsi_free_arrays+0x5e/0xc0 [ice] [ 683.050380] ice_vsi_rebuild+0x4c8/0x750 [ice] [ 683.055543] ice_vsi_recfg_qs+0x9a/0x110 [ice] [ 683.060697] ice_set_channels+0x14f/0x290 [ice] [ 683.065962] ethnl_set_channels+0x333/0x3f0 [ 683.070807] genl_family_rcv_msg_doit+0xea/0x150 [ 683.076152] genl_rcv_msg+0xde/0x1d0 [ 683.080289] ? channels_prepare_data+0x60/0x60 [ 683.085432] ? genl_get_cmd+0xd0/0xd0 [ 683.089667] netlink_rcv_skb+0x50/0xf0 [ 683.094006] genl_rcv+0x24/0x40 [ 683.097638] netlink_unicast+0x239/0x340 [ 683.102177] netlink_sendmsg+0x22e/0x470 [ 683.106717] sock_sendmsg+0x5e/0x60 [ 683.110756] __sys_sendto+0xee/0x150 [ 683.114894] ? handle_mm_fault+0xd0/0x2a0 [ 683.119535] ? do_user_addr_fault+0x1f3/0x690 [ 683.134173] __x64_sys_sendto+0x25/0x30 [ 683.148231] do_syscall_64+0x3b/0xc0 [ 683.161992] entry_SYSCALL_64_after_hwframe+0x44/0xae Fix this by taking into account the value that num_possible_cpus() yields in addition to vsi->alloc_txq instead of doubling the latter.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于存在空指针取消引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-47562
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-47562
请登录查看更多情报信息。
Same Patch Batch · Linux · 2024-05-24 · 73 CVEs total
| CVE-2021-47547 | net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound | |
| CVE-2021-47569 | io_uring: fail cancellation for EXITING tasks | |
| CVE-2021-47567 | powerpc/32: Fix hardlockup on vmap stack overflow | |
| CVE-2021-47555 | net: vlan: fix underflow for the real_dev refcnt | |
| CVE-2021-47553 | sched/scs: Reset task stack state in bringup_cpu() | |
| CVE-2021-47551 | drm/amd/amdkfd: Fix kernel panic when reset failed and been triggered again | |
| CVE-2021-47552 | blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release() | |
| CVE-2021-47550 | drm/amd/amdgpu: fix potential memleak | |
| CVE-2021-47548 | ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst | |
| CVE-2021-47549 | sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl | |
| CVE-2021-47554 | vdpa_sim: avoid putting an uninitialized iova_domain | |
| CVE-2021-47546 | ipv6: fix memory leak in fib6_rule_suppress | |
| CVE-2021-47544 | tcp: fix page frag corruption on page fault | |
| CVE-2021-47542 | net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() | |
| CVE-2021-47541 | net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() | |
| CVE-2021-47540 | mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode | |
| CVE-2021-47539 | rxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle() | |
| CVE-2021-47538 | rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() | |
| CVE-2021-47536 | net/smc: fix wrong list_del in smc_lgr_cleanup_early | |
| CVE-2021-47537 | octeontx2-af: Fix a memleak bug in rvu_mbox_init() |
Showing top 20 of 73 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43502
net/rds: handle zerocopy send cleanup before the message is - CVE-2026-43501
ipv6: rpl: reserve mac_len headroom when recompressed SRH gr - CVE-2026-43498
accel/ivpu: Disallow re-exporting imported GEM objects - CVE-2026-43499
rtmutex: Use waiter::task instead of current in remove_waite - CVE-2026-43497
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-aft
Same vendor: Linux
- CVE-2026-43502
net/rds: handle zerocopy send cleanup before the message is - CVE-2026-43501
ipv6: rpl: reserve mac_len headroom when recompressed SRH gr - CVE-2026-43498
accel/ivpu: Disallow re-exporting imported GEM objects - CVE-2026-43499
rtmutex: Use waiter::task instead of current in remove_waite - CVE-2026-43497
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-aft
V. Comments for CVE-2021-47562
No comments yet