{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47563","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-24T15:11:00.728Z","datePublished":"2024-05-24T15:12:51.398Z","dateUpdated":"2025-05-04T07:13:38.447Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:13:38.447Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: avoid bpf_prog refcount underflow\n\nIce driver has the routines for managing XDP resources that are shared\nbetween ndo_bpf op and VSI rebuild flow. The latter takes place for\nexample when user changes queue count on an interface via ethtool's\nset_channels().\n\nThere is an issue around the bpf_prog refcounting when VSI is being\nrebuilt - since ice_prepare_xdp_rings() is called with vsi->xdp_prog as\nan argument that is used later on by ice_vsi_assign_bpf_prog(), same\nbpf_prog pointers are swapped with each other. Then it is also\ninterpreted as an 'old_prog' which in turn causes us to call\nbpf_prog_put on it that will decrement its refcount.\n\nBelow splat can be interpreted in a way that due to zero refcount of a\nbpf_prog it is wiped out from the system while kernel still tries to\nrefer to it:\n\n[  481.069429] BUG: unable to handle page fault for address: ffffc9000640f038\n[  481.077390] #PF: supervisor read access in kernel mode\n[  481.083335] #PF: error_code(0x0000) - not-present page\n[  481.089276] PGD 100000067 P4D 100000067 PUD 1001cb067 PMD 106d2b067 PTE 0\n[  481.097141] Oops: 0000 [#1] PREEMPT SMP PTI\n[  481.101980] CPU: 12 PID: 3339 Comm: sudo Tainted: G           OE     5.15.0-rc5+ #1\n[  481.110840] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\n[  481.122021] RIP: 0010:dev_xdp_prog_id+0x25/0x40\n[  481.127265] Code: 80 00 00 00 00 0f 1f 44 00 00 89 f6 48 c1 e6 04 48 01 fe 48 8b 86 98 08 00 00 48 85 c0 74 13 48 8b 50 18 31 c0 48 85 d2 74 07 <48> 8b 42 38 8b 40 20 c3 48 8b 96 90 08 00 00 eb e8 66 2e 0f 1f 84\n[  481.148991] RSP: 0018:ffffc90007b63868 EFLAGS: 00010286\n[  481.155034] RAX: 0000000000000000 RBX: ffff889080824000 RCX: 0000000000000000\n[  481.163278] RDX: ffffc9000640f000 RSI: ffff889080824010 RDI: ffff889080824000\n[  481.171527] RBP: ffff888107af7d00 R08: 0000000000000000 R09: ffff88810db5f6e0\n[  481.179776] R10: 0000000000000000 R11: ffff8890885b9988 R12: ffff88810db5f4bc\n[  481.188026] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[  481.196276] FS:  00007f5466d5bec0(0000) GS:ffff88903fb00000(0000) knlGS:0000000000000000\n[  481.205633] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  481.212279] CR2: ffffc9000640f038 CR3: 000000014429c006 CR4: 00000000003706e0\n[  481.220530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  481.228771] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  481.237029] Call Trace:\n[  481.239856]  rtnl_fill_ifinfo+0x768/0x12e0\n[  481.244602]  rtnl_dump_ifinfo+0x525/0x650\n[  481.249246]  ? __alloc_skb+0xa5/0x280\n[  481.253484]  netlink_dump+0x168/0x3c0\n[  481.257725]  netlink_recvmsg+0x21e/0x3e0\n[  481.262263]  ____sys_recvmsg+0x87/0x170\n[  481.266707]  ? __might_fault+0x20/0x30\n[  481.271046]  ? _copy_from_user+0x66/0xa0\n[  481.275591]  ? iovec_from_user+0xf6/0x1c0\n[  481.280226]  ___sys_recvmsg+0x82/0x100\n[  481.284566]  ? sock_sendmsg+0x5e/0x60\n[  481.288791]  ? __sys_sendto+0xee/0x150\n[  481.293129]  __sys_recvmsg+0x56/0xa0\n[  481.297267]  do_syscall_64+0x3b/0xc0\n[  481.301395]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  481.307238] RIP: 0033:0x7f5466f39617\n[  481.311373] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bd 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n[  481.342944] RSP: 002b:00007ffedc7f4308 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\n[  481.361783] RAX: ffffffffffffffda RBX: 00007ffedc7f5460 RCX: 00007f5466f39617\n[  481.380278] RDX: 0000000000000000 RSI: 00007ffedc7f5360 RDI: 0000000000000003\n[  481.398500] RBP: 00007ffedc7f53f0 R08: 0000000000000000 R09: 000055d556f04d50\n[  481.416463] R10: 0000000000000077 R11: 0000000000000246 R12: 00007ffedc7f5360\n[  481.434131] R13: 00007ffedc7f5350 R14: 00007ffedc7f5344 R15: 0000000000000e98\n[  481.451520] Modules linked in: ice\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_main.c"],"versions":[{"version":"efc2214b6047b6f5b4ca53151eba62521b9452d6","lessThan":"e65a8707b4cd756d26d246bb2b9fab06eebafac1","status":"affected","versionType":"git"},{"version":"efc2214b6047b6f5b4ca53151eba62521b9452d6","lessThan":"1f10b09ccc832698ef4624a6ab9a213b6ccbda76","status":"affected","versionType":"git"},{"version":"efc2214b6047b6f5b4ca53151eba62521b9452d6","lessThan":"f65ee535df775a13a1046c0a0b2d72db342f8a5b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_main.c"],"versions":[{"version":"5.5","status":"affected"},{"version":"0","lessThan":"5.5","status":"unaffected","versionType":"semver"},{"version":"5.10.83","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.6","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.15.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e65a8707b4cd756d26d246bb2b9fab06eebafac1"},{"url":"https://git.kernel.org/stable/c/1f10b09ccc832698ef4624a6ab9a213b6ccbda76"},{"url":"https://git.kernel.org/stable/c/f65ee535df775a13a1046c0a0b2d72db342f8a5b"}],"title":"ice: avoid bpf_prog refcount underflow","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-noinfo Not enough information"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-05-29T16:50:07.805074Z","id":"CVE-2021-47563","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-05T16:52:12.886Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:39:59.865Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/e65a8707b4cd756d26d246bb2b9fab06eebafac1","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/1f10b09ccc832698ef4624a6ab9a213b6ccbda76","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/f65ee535df775a13a1046c0a0b2d72db342f8a5b","tags":["x_transferred"]}]}]}}