CVE-2021-47589— igbvf: fix double free in `igbvf_probe`
Affected Version Matrix 18
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d4e0fe01a38a073568aee541a0247fe734095979< ffe1695b678729edec04037e691007900a2b2beb | affected |
d4e0fe01a38a073568aee541a0247fe734095979< 79d9b092035dcdbe636b70433149df9cc6db1e49 | affected | ||
d4e0fe01a38a073568aee541a0247fe734095979< 8d0c927a9fb2b4065230936b77b54f857a3754fc | affected | ||
d4e0fe01a38a073568aee541a0247fe734095979< cc9b655bb84f1be283293dfea94dff9a31b106ac | affected | ||
d4e0fe01a38a073568aee541a0247fe734095979< 8addba6cab94ce01686ea2e80ed1530f9dc33a9a | affected | ||
d4e0fe01a38a073568aee541a0247fe734095979< 74a16e062b23332d8db017ff4a41e16279c44411 | affected | ||
d4e0fe01a38a073568aee541a0247fe734095979< 944b8be08131f5faf2cd2440aa1c24a39a163a54 | affected | ||
d4e0fe01a38a073568aee541a0247fe734095979< b6d335a60dc624c0d279333b22c737faa765b028 | affected | ||
| … +10 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-47589
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
igbvf: fix double free in `igbvf_probe`
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: igbvf: fix double free in `igbvf_probe` In `igbvf_probe`, if register_netdev() fails, the program will go to label err_hw_init, and then to label err_ioremap. In free_netdev() which is just below label err_ioremap, there is `list_for_each_entry_safe` and `netif_napi_del` which aims to delete all entries in `dev->napi_list`. The program has added an entry `adapter->rx_ring->napi` which is added by `netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has been freed below label err_hw_init. So this a UAF. In terms of how to patch the problem, we can refer to igbvf_remove() and delete the entry before `adapter->rx_ring`. The KASAN logs are as follows: [ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450 [ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366 [ 35.128360] [ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14 [ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 35.131749] Call Trace: [ 35.132199] dump_stack_lvl+0x59/0x7b [ 35.132865] print_address_description+0x7c/0x3b0 [ 35.133707] ? free_netdev+0x1fd/0x450 [ 35.134378] __kasan_report+0x160/0x1c0 [ 35.135063] ? free_netdev+0x1fd/0x450 [ 35.135738] kasan_report+0x4b/0x70 [ 35.136367] free_netdev+0x1fd/0x450 [ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf] [ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf] [ 35.138751] local_pci_probe+0x13c/0x1f0 [ 35.139461] pci_device_probe+0x37e/0x6c0 [ 35.165526] [ 35.165806] Allocated by task 366: [ 35.166414] ____kasan_kmalloc+0xc4/0xf0 [ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf] [ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf] [ 35.168866] local_pci_probe+0x13c/0x1f0 [ 35.169565] pci_device_probe+0x37e/0x6c0 [ 35.179713] [ 35.179993] Freed by task 366: [ 35.180539] kasan_set_track+0x4c/0x80 [ 35.181211] kasan_set_free_info+0x1f/0x40 [ 35.181942] ____kasan_slab_free+0x103/0x140 [ 35.182703] kfree+0xe3/0x250 [ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf] [ 35.184040] local_pci_probe+0x13c/0x1f0
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于双重释放。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-47589
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-47589
请登录查看更多情报信息。
Other References for CVE-2021-47589 (6)
Same Patch Batch · Linux · 2024-06-19 · 122 CVEs total
| CVE-2024-38612 | ipv6: sr: fix invalid unregister error path | |
| CVE-2021-47584 | iocost: Fix divide-by-zero on donation from low hweight cgroup | |
| CVE-2021-47582 | USB: core: Make do_proc_control() and do_proc_bulk() killable | |
| CVE-2021-47583 | media: mxl111sf: change mutex_init() location | |
| CVE-2021-47579 | ovl: fix warning in ovl_create_real() | |
| CVE-2021-47580 | scsi: scsi_debug: Fix type in min_t to avoid stack OOB | |
| CVE-2021-47578 | scsi: scsi_debug: Don't call kcalloc() if size arg is zero | |
| CVE-2021-47576 | scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() | |
| CVE-2021-47577 | io-wq: check for wq exit after adding new worker task_work | |
| CVE-2024-38617 | kunit/fortify: Fix mismatched kvalloc()/vfree() usage | |
| CVE-2024-38618 | ALSA: timer: Set lower bound of start tick time | |
| CVE-2024-38616 | wifi: carl9170: re-fix fortified-memset warning | |
| CVE-2024-38615 | cpufreq: exit() callback is optional | |
| CVE-2024-38614 | openrisc: traps: Don't send signals to kernel mode threads | |
| CVE-2024-38613 | m68k: Fix spinlock race in kernel thread creation | |
| CVE-2024-38611 | media: i2c: et8ek8: Don't strip remove function when driver is builtin | |
| CVE-2024-38603 | drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() | |
| CVE-2024-38601 | ring-buffer: Fix a race between readers and resize checks | |
| CVE-2024-38600 | ALSA: Fix deadlocks with kctl removals at disconnection | |
| CVE-2024-38602 | ax25: Fix reference count leak issues of ax25_dev |
Showing top 20 of 122 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-52907
media: rockchip: rkcif: fix off by one bugs - CVE-2026-52906
9p: fix access mode flags being ORed instead of replaced - CVE-2026-52905
mm/damon/core: disallow non-power of two min_region_sz on da - CVE-2026-52904
drm/nouveau: fix nvkm_device leak on aperture removal failur - CVE-2026-46332
greybus: gb-beagleplay: bound bootloader receive buffering
Same vendor: Linux
- CVE-2026-52907
media: rockchip: rkcif: fix off by one bugs - CVE-2026-52906
9p: fix access mode flags being ORed instead of replaced - CVE-2026-52905
mm/damon/core: disallow non-power of two min_region_sz on da - CVE-2026-52904
drm/nouveau: fix nvkm_device leak on aperture removal failur - CVE-2026-46332
greybus: gb-beagleplay: bound bootloader receive buffering
V. Comments for CVE-2021-47589
No comments yet