CVE-2021-47197

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47197
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47197.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47197
Related
Published
2024-04-10T19:15:47Z
Modified
2024-09-18T03:17:22.368876Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: nullify cq->dbg pointer in mlx5debugcq_remove()

Prior to this patch in case mlx5coredestroycq() failed it proceeds to rest of destroy operations. mlx5coredestroycq() could be called again by user and cause additional call of mlx5debugcq_remove(). cq->dbg was not nullify in previous call and cause the crash.

Fix it by nullify cq->dbg pointer after removal.

Also proceed to destroy operations only if FW return 0 for MLX5CMDOPDESTROYCQ command.

general protection fault, probably for non-canonical address 0x2000300004058: 0000 [#1] SMP PTI CPU: 5 PID: 1228 Comm: python Not tainted 5.15.0-rc5forupstreammindebug202110141106 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:lockrefget+0x1/0x60 Code: 5d e9 53 ff ff ff 48 8d 7f 70 e8 0a 2e 48 00 c7 85 d0 00 00 00 02 00 00 00 c6 45 70 00 fb 5d c3 c3 cc cc cc cc cc cc cc cc 53 <48> 8b 17 48 89 fb 85 d2 75 3d 48 89 d0 bf 64 00 00 00 48 89 c1 48 RSP: 0018:ffff888137dd7a38 EFLAGS: 00010206 RAX: 0000000000000000 RBX: ffff888107d5f458 RCX: 00000000fffffffe RDX: 000000000002c2b0 RSI: ffffffff8155e2e0 RDI: 0002000300004058 RBP: ffff888137dd7a88 R08: 0002000300004058 R09: ffff8881144a9f88 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881141d4000 R13: ffff888137dd7c68 R14: ffff888137dd7d58 R15: ffff888137dd7cc0 FS: 00007f4644f2a4c0(0000) GS:ffff8887a2d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b4500f4380 CR3: 0000000114f7a003 CR4: 0000000000170ea0 Call Trace: simplerecursiveremoval+0x33/0x2e0 ? debugfsremove+0x60/0x60 debugfsremove+0x40/0x60 mlx5debugcqremove+0x32/0x70 [mlx5core] mlx5coredestroycq+0x41/0x1d0 [mlx5core] devxobjcleanup+0x151/0x330 [mlx5ib] ? _pollwait+0xd0/0xd0 ? xasload+0x5/0x70 ? xaload+0x62/0xa0 destroyhwidruobject+0x20/0x80 [ibuverbs] uverbsdestroyuobject+0x3b/0x360 [ibuverbs] uobjdestroy+0x54/0xa0 [ibuverbs] ibuverbscmdverbs+0xaf2/0x1160 [ibuverbs] ? uverbsfinalizeobject+0xd0/0xd0 [ibuverbs] ibuverbsioctl+0xc4/0x1b0 [ibuverbs] _x64sysioctl+0x3e4/0x8e0

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}