{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47562","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-24T15:11:00.728Z","datePublished":"2024-05-24T15:12:50.733Z","dateUpdated":"2025-05-04T07:13:37.379Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:13:37.379Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix vsi->txq_map sizing\n\nThe approach of having XDP queue per CPU regardless of user's setting\nexposed a hidden bug that could occur in case when Rx queue count differ\nfrom Tx queue count. Currently vsi->txq_map's size is equal to the\ndoubled vsi->alloc_txq, which is not correct due to the fact that XDP\nrings were previously based on the Rx queue count. Below splat can be\nseen when ethtool -L is used and XDP rings are configured:\n\n[  682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f\n[  682.883403] #PF: supervisor read access in kernel mode\n[  682.889345] #PF: error_code(0x0000) - not-present page\n[  682.895289] PGD 0 P4D 0\n[  682.898218] Oops: 0000 [#1] PREEMPT SMP PTI\n[  682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G           OE     5.15.0-rc5+ #1\n[  682.912214] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\n[  682.923380] RIP: 0010:devres_remove+0x44/0x130\n[  682.928527] Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f <4c> 3b 63 10 74 25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8\n[  682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002\n[  682.956285] RAX: 0000000000000286 RBX: ffffffffffffffff RCX: ffff88908343a370\n[  682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000\n[  682.972789] RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000\n[  682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12: ffffffff81690d60\n[  682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c\n[  682.997535] FS:  00007f08c7bfa740(0000) GS:ffff88a03fd00000(0000) knlGS:0000000000000000\n[  683.006910] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  683.013557] CR2: 000000000000000f CR3: 0000001080a66003 CR4: 00000000003706e0\n[  683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  683.030075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  683.038336] Call Trace:\n[  683.041167]  devm_kfree+0x33/0x50\n[  683.045004]  ice_vsi_free_arrays+0x5e/0xc0 [ice]\n[  683.050380]  ice_vsi_rebuild+0x4c8/0x750 [ice]\n[  683.055543]  ice_vsi_recfg_qs+0x9a/0x110 [ice]\n[  683.060697]  ice_set_channels+0x14f/0x290 [ice]\n[  683.065962]  ethnl_set_channels+0x333/0x3f0\n[  683.070807]  genl_family_rcv_msg_doit+0xea/0x150\n[  683.076152]  genl_rcv_msg+0xde/0x1d0\n[  683.080289]  ? channels_prepare_data+0x60/0x60\n[  683.085432]  ? genl_get_cmd+0xd0/0xd0\n[  683.089667]  netlink_rcv_skb+0x50/0xf0\n[  683.094006]  genl_rcv+0x24/0x40\n[  683.097638]  netlink_unicast+0x239/0x340\n[  683.102177]  netlink_sendmsg+0x22e/0x470\n[  683.106717]  sock_sendmsg+0x5e/0x60\n[  683.110756]  __sys_sendto+0xee/0x150\n[  683.114894]  ? handle_mm_fault+0xd0/0x2a0\n[  683.119535]  ? do_user_addr_fault+0x1f3/0x690\n[  683.134173]  __x64_sys_sendto+0x25/0x30\n[  683.148231]  do_syscall_64+0x3b/0xc0\n[  683.161992]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFix this by taking into account the value that num_possible_cpus()\nyields in addition to vsi->alloc_txq instead of doubling the latter."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_lib.c"],"versions":[{"version":"efc2214b6047b6f5b4ca53151eba62521b9452d6","lessThan":"1eb5395add786613c7c5579d3947aa0b8f0ec241","status":"affected","versionType":"git"},{"version":"efc2214b6047b6f5b4ca53151eba62521b9452d6","lessThan":"992ba40a67638dfe2772b84dfc8168dc328d5c4c","status":"affected","versionType":"git"},{"version":"efc2214b6047b6f5b4ca53151eba62521b9452d6","lessThan":"792b2086584f25d84081a526beee80d103c2a913","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_lib.c"],"versions":[{"version":"5.5","status":"affected"},{"version":"0","lessThan":"5.5","status":"unaffected","versionType":"semver"},{"version":"5.10.83","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.6","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.15.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1eb5395add786613c7c5579d3947aa0b8f0ec241"},{"url":"https://git.kernel.org/stable/c/992ba40a67638dfe2772b84dfc8168dc328d5c4c"},{"url":"https://git.kernel.org/stable/c/792b2086584f25d84081a526beee80d103c2a913"}],"title":"ice: fix vsi->txq_map sizing","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-47562","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-05-24T17:03:56.784042Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:14:36.415Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:39:59.826Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/1eb5395add786613c7c5579d3947aa0b8f0ec241","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/992ba40a67638dfe2772b84dfc8168dc328d5c4c","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/792b2086584f25d84081a526beee80d103c2a913","tags":["x_transferred"]}]}]}}