CVE-2021-47139
Vulnerability from cvelistv5
Published: 2024-03-25 09:07
Modified: 2024-11-04 12:00
Summary
net: hns3: put off calling register_netdev() until client initialize complete
Impacted products
Vendor: Linux, product: Linux


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47139",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-01T19:39:46.000821Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:15:16.732Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:24:39.957Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/hisilicon/hns3/hns3_enet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a663c1e418a3",
              "status": "affected",
              "version": "08a100689d4b",
              "versionType": "git"
            },
            {
              "lessThan": "0921a0620b50",
              "status": "affected",
              "version": "08a100689d4b",
              "versionType": "git"
            },
            {
              "lessThan": "a289a7e5c1d4",
              "status": "affected",
              "version": "08a100689d4b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/hisilicon/hns3/hns3_enet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: put off calling register_netdev() until client initialize complete\n\nCurrently, the netdevice is registered before client initializing\ncomplete. So there is a timewindow between netdevice available\nand usable. In this case, if user try to change the channel number\nor ring param, it may cause the hns3_set_rx_cpu_rmap() being called\ntwice, and report bug.\n\n[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0\n[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized\n[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1\n[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1\n[47200.163524] ------------[ cut here ]------------\n[47200.171674] kernel BUG at lib/cpu_rmap.c:142!\n[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]\n[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G           O      5.11.0-rc3+ #1\n[47200.215601] Hardware name:  , xxxxxx 02/04/2021\n[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[47200.230188] pc : cpu_rmap_add+0x38/0x40\n[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140\n[47200.243291] sp : ffff800010e93a30\n[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880\n[47200.254155] x27: 0000000000000000 x26: 0000000000000000\n[47200.260712] x25: 0000000000000000 x24: 0000000000000004\n[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0\n[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680\n[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0\n[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0\n[47200.293456] x15: fffffc2082990600 x14: dead000000000122\n[47200.300059] x13: ffffffffffffffff x12: 000000000000003e\n[47200.306606] x11: ffff0820815b8080 
x10: ffff53e411988000\n[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700\n[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f\n[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20\n[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80\n[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004\n[47200.346058] Call trace:\n[47200.349324]  cpu_rmap_add+0x38/0x40\n[47200.354300]  hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]\n[47200.362294]  hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]\n[47200.370049]  hns3_change_channels+0x40/0xb0 [hns3]\n[47200.376770]  hns3_set_channels+0x12c/0x2a0 [hns3]\n[47200.383353]  ethtool_set_channels+0x140/0x250\n[47200.389772]  dev_ethtool+0x714/0x23d0\n[47200.394440]  dev_ioctl+0x4cc/0x640\n[47200.399277]  sock_do_ioctl+0x100/0x2a0\n[47200.404574]  sock_ioctl+0x28c/0x470\n[47200.409079]  __arm64_sys_ioctl+0xb4/0x100\n[47200.415217]  el0_svc_common.constprop.0+0x84/0x210\n[47200.422088]  do_el0_svc+0x28/0x34\n[47200.426387]  el0_svc+0x28/0x70\n[47200.431308]  el0_sync_handler+0x1a4/0x1b0\n[47200.436477]  el0_sync+0x174/0x180\n[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)\n[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---\n\nThe process is like below:\nexcuting hns3_client_init\n|\nregister_netdev()\n|                           hns3_set_channels()\n|                           |\nhns3_set_rx_cpu_rmap()      hns3_reset_notify_uninit_enet()\n|                               |\n|                            quit without calling function\n|                            hns3_free_rx_cpu_rmap for flag\n|                            HNS3_NIC_STATE_INITED is unset.\n|                           |\n|                           hns3_reset_notify_init_enet()\n|                               |\nset HNS3_NIC_STATE_INITED    call hns3_set_rx_cpu_rmap()-- crash\n\nFix it by calling register_netdev() at the end of function\nhns3_client_init()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:00:14.335Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50"
        },
        {
          "url": "https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613"
        }
      ],
      "title": "net: hns3: put off calling register_netdev() until client initialize complete",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47139",
    "datePublished": "2024-03-25T09:07:38.216Z",
    "dateReserved": "2024-03-04T18:12:48.841Z",
    "dateUpdated": "2024-11-04T12:00:14.335Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47139\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-25T09:15:08.603\",\"lastModified\":\"2024-03-25T13:47:14.087\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: hns3: put off calling register_netdev() until client initialize complete\\n\\nCurrently, the netdevice is registered before client initializing\\ncomplete. So there is a timewindow between netdevice available\\nand usable. In this case, if user try to change the channel number\\nor ring param, it may cause the hns3_set_rx_cpu_rmap() being called\\ntwice, and report bug.\\n\\n[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0\\n[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized\\n[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1\\n[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1\\n[47200.163524] ------------[ cut here ]------------\\n[47200.171674] kernel BUG at lib/cpu_rmap.c:142!\\n[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\\n[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]\\n[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G           O      5.11.0-rc3+ #1\\n[47200.215601] Hardware name:  , xxxxxx 02/04/2021\\n[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\\n[47200.230188] pc : cpu_rmap_add+0x38/0x40\\n[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140\\n[47200.243291] sp : ffff800010e93a30\\n[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880\\n[47200.254155] x27: 0000000000000000 x26: 0000000000000000\\n[47200.260712] x25: 0000000000000000 x24: 0000000000000004\\n[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0\\n[47200.273789] x21: 000000000000003f x20: 
ffff0820e2bc1680\\n[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0\\n[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0\\n[47200.293456] x15: fffffc2082990600 x14: dead000000000122\\n[47200.300059] x13: ffffffffffffffff x12: 000000000000003e\\n[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000\\n[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700\\n[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f\\n[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20\\n[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80\\n[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004\\n[47200.346058] Call trace:\\n[47200.349324]  cpu_rmap_add+0x38/0x40\\n[47200.354300]  hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]\\n[47200.362294]  hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]\\n[47200.370049]  hns3_change_channels+0x40/0xb0 [hns3]\\n[47200.376770]  hns3_set_channels+0x12c/0x2a0 [hns3]\\n[47200.383353]  ethtool_set_channels+0x140/0x250\\n[47200.389772]  dev_ethtool+0x714/0x23d0\\n[47200.394440]  dev_ioctl+0x4cc/0x640\\n[47200.399277]  sock_do_ioctl+0x100/0x2a0\\n[47200.404574]  sock_ioctl+0x28c/0x470\\n[47200.409079]  __arm64_sys_ioctl+0xb4/0x100\\n[47200.415217]  el0_svc_common.constprop.0+0x84/0x210\\n[47200.422088]  do_el0_svc+0x28/0x34\\n[47200.426387]  el0_svc+0x28/0x70\\n[47200.431308]  el0_sync_handler+0x1a4/0x1b0\\n[47200.436477]  el0_sync+0x174/0x180\\n[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)\\n[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---\\n\\nThe process is like below:\\nexcuting hns3_client_init\\n|\\nregister_netdev()\\n|                           hns3_set_channels()\\n|                           |\\nhns3_set_rx_cpu_rmap()      hns3_reset_notify_uninit_enet()\\n|                               |\\n|                            quit without calling function\\n|                            hns3_free_rx_cpu_rmap for flag\\n|                            HNS3_NIC_STATE_INITED is unset.\\n|           
                |\\n|                           hns3_reset_notify_init_enet()\\n|                               |\\nset HNS3_NIC_STATE_INITED    call hns3_set_rx_cpu_rmap()-- crash\\n\\nFix it by calling register_netdev() at the end of function\\nhns3_client_init().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: hns3: posponga la llamada a Register_netdev() hasta que se complete la inicializaci\u00f3n del cliente. Actualmente, el netdevice se registra antes de que se complete la inicializaci\u00f3n del cliente. Por lo tanto, existe una ventana de tiempo entre el dispositivo de red disponible y utilizable. En este caso, si el usuario intenta cambiar el n\u00famero de canal o el par\u00e1metro de timbre, puede provocar que se llame dos veces a hns3_set_rx_cpu_rmap() y se informe del error. [47199.416502] hns3 0000:35:00.0 eth1: configurar canales: tqp_num=1, rxfh=0 [47199.430340] hns3 0000:35:00.0 eth1: ya no inicializado [47199.438554] hns3 0000:35:00.0 : rss cambia de 4 a 1 [47199.511854] hns3 0000:35:00.0: Canales cambiados, rss_size de 4 a 1, tqps de 4 a 1 [47200.163524] ------------[ cortar aqu\u00ed ]------- ----- \u00a1ERROR del kernel [47200.171674] en lib/cpu_rmap.c:142! [47200.177847] Error interno: Ups - ERROR: 0 [#1] SMP PREEMPT [47200.185259] M\u00f3dulos vinculados en: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv68 0_mii(O) [\u00faltima descarga: HCLGE] [47200.205912] CPU: 1 PID: 8260 Comm: EthTool Tainted: Go 5.11.0 -RC3 + #1 [47200.215601] Nombre de hardware:, xxxxxx 02/04/2021 [47200.223052] Pstate: 60400009 (NZCV + PAN + PANEFI. 
-TCO BTYPE=--) [47200.230188] pc: cpu_rmap_add+0x38/0x40 [47200.237472] lr: irq_cpu_rmap_add+0x84/0x140 [47200.243291] sp: ffff800010e93a30 [47200.247 295] x29: ffff800010e93a30 x28: ffff082100584880 [47200.254155] x27: 0000000000000000 x26: 0000000000000000 [47200.260712] x25: 0000000000000000 x24: 0000000000000004 [47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0 [ 47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680 [47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0 [47200.286944] x17: 0 000000000000000 x16: ffffb43debe4a0d0 [47200.293456] x15 : ffffc2082990600 x14: muerto000000000122 [47200.300059] x13: ffffffffffffffff x12: 000000000000003e [47200.306606] x11: ffff0820815b8080 x10: ffff53e4 11988000 [47200.313171] x9: 00000000000000000 x8: ffff0820e2bc1700 [47200.319682] x7: 00000000000000000 x6: 000000000000003f [47200.32617 0] x5: 0000000000000040 x4: ffff800010e93a20 [47200.332656] x3: 0000000000000004 x2: ffff0820c970ec80 [47200.339168] x1: ffff0820e2bc1680 x0: 00000000000000004 [47200.346058] Rastreo de llamadas: [4720 0.349324] cpu_rmap_add+0x38/0x40 [47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3] [47200.362294] hns3_reset_notify_init_enet+0x1cc/ 0x340 [hns3] [47200.370049] hns3_change_channels+0x40/0xb0 [hns3] [47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3] [47200.383353] ethtool_set_channels+0x140/0x250 [ 47200.389772] dev_ethtool+0x714/0x23d0 [47200.394440] dev_ioctl+0x4cc/0x640 [47200.399277] sock_do_ioctl+0x100/0x2a0 [47200.404574] sock_ioctl+0x28c/0x470 [47200.409079] __arm64_sys_ioctl+0xb4/0x100 [47200.415217] el0_svc _common.constprop.0+0x84/0x210 [47200.422088] do_el0_svc+0x28/0x34 [47200.426387] el0_svc+0x28 /0x70 [47200.431308] el0_sync_handler+0x1a4/0x1b0 [47200.436477] el0_sync+0x174/0x180 [47200.441562] C\u00f3digo: 11000405 79000c45 f8247861 d65f03c0 (d4210 000) [47200.448869] ---[ end trace a01efe4ce42e5f34 ]--- El proceso es el siguiente: ejecutando hns3_client_init | registrarse_netdev() | 
hns3_set_channels() | | hns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet() | | | salir sin llamar a la funci\u00f3n | hns3_free_rx_cpu_rmap para bandera | HNS3_NIC_STATE_INITED no est\u00e1 configurado. | | | hns3_reset_notify_init_enet() | | set HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash Solucionarlo llamando a Register_netdev() al final de la funci\u00f3n hns3_client_init().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

