CVE-2021-47247
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
21/05/2024
Last modified:
14/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net/mlx5e: Fix use-after-free of encap entry in neigh update handler<br />
<br />
Function mlx5e_rep_neigh_update() wasn&#39;t updated to accommodate rtnl lock<br />
removal from TC filter update path and properly handle concurrent encap<br />
entry insertion/deletion which can lead to following use-after-free:<br />
<br />
[23827.464923] ==================================================================<br />
[23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]<br />
[23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635<br />
[23827.472251]<br />
[23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5<br />
[23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br />
[23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]<br />
[23827.476731] Call Trace:<br />
[23827.477260] dump_stack+0xbb/0x107<br />
[23827.477906] print_address_description.constprop.0+0x18/0x140<br />
[23827.478896] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]<br />
[23827.479879] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]<br />
[23827.480905] kasan_report.cold+0x7c/0xd8<br />
[23827.481701] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]<br />
[23827.482744] kasan_check_range+0x145/0x1a0<br />
[23827.493112] mlx5e_encap_take+0x72/0x140 [mlx5_core]<br />
[23827.494054] ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]<br />
[23827.495296] mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]<br />
[23827.496338] ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]<br />
[23827.497486] ? read_word_at_a_time+0xe/0x20<br />
[23827.498250] ? strscpy+0xa0/0x2a0<br />
[23827.498889] process_one_work+0x8ac/0x14e0<br />
[23827.499638] ? lockdep_hardirqs_on_prepare+0x400/0x400<br />
[23827.500537] ? pwq_dec_nr_in_flight+0x2c0/0x2c0<br />
[23827.501359] ? rwlock_bug.part.0+0x90/0x90<br />
[23827.502116] worker_thread+0x53b/0x1220<br />
[23827.502831] ? process_one_work+0x14e0/0x14e0<br />
[23827.503627] kthread+0x328/0x3f0<br />
[23827.504254] ? _raw_spin_unlock_irq+0x24/0x40<br />
[23827.505065] ? __kthread_bind_mask+0x90/0x90<br />
[23827.505912] ret_from_fork+0x1f/0x30<br />
[23827.506621]<br />
[23827.506987] Allocated by task 28248:<br />
[23827.507694] kasan_save_stack+0x1b/0x40<br />
[23827.508476] __kasan_kmalloc+0x7c/0x90<br />
[23827.509197] mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]<br />
[23827.510194] mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]<br />
[23827.511218] __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]<br />
[23827.512234] mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]<br />
[23827.513298] tc_setup_cb_add+0x1d5/0x420<br />
[23827.514023] fl_hw_replace_filter+0x382/0x6a0 [cls_flower]<br />
[23827.514975] fl_change+0x2ceb/0x4a51 [cls_flower]<br />
[23827.515821] tc_new_tfilter+0x89a/0x2070<br />
[23827.516548] rtnetlink_rcv_msg+0x644/0x8c0<br />
[23827.517300] netlink_rcv_skb+0x11d/0x340<br />
[23827.518021] netlink_unicast+0x42b/0x700<br />
[23827.518742] netlink_sendmsg+0x743/0xc20<br />
[23827.519467] sock_sendmsg+0xb2/0xe0<br />
[23827.520131] ____sys_sendmsg+0x590/0x770<br />
[23827.520851] ___sys_sendmsg+0xd8/0x160<br />
[23827.521552] __sys_sendmsg+0xb7/0x140<br />
[23827.522238] do_syscall_64+0x3a/0x70<br />
[23827.522907] entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
[23827.523797]<br />
[23827.524163] Freed by task 25948:<br />
[23827.524780] kasan_save_stack+0x1b/0x40<br />
[23827.525488] kasan_set_track+0x1c/0x30<br />
[23827.526187] kasan_set_free_info+0x20/0x30<br />
[23827.526968] __kasan_slab_free+0xed/0x130<br />
[23827.527709] slab_free_freelist_hook+0xcf/0x1d0<br />
[23827.528528] kmem_cache_free_bulk+0x33a/0x6e0<br />
[23827.529317] kfree_rcu_work+0x55f/0xb70<br />
[23827.530024] process_one_work+0x8ac/0x14e0<br />
[23827.530770] worker_thread+0x53b/0x1220<br />
[23827.531480] kthread+0x328/0x3f0<br />
[23827.532114] ret_from_fork+0x1f/0x30<br />
[23827.532785]<br />
[23827.533147] Last potentially related work creation:<br />
[23827.534007] kasan_save_stack+0x1b/0x40<br />
[23827.534710] kasan_record_aux_stack+0xab/0xc0<br />
[23827.535492] kvfree_call_rcu+0x31/0x7b0<br />
[23827.536206] mlx5e_tc_del<br />
---truncated---
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.237 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.12.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc6:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0d1e7a7964ce6abb28883a3906bbc20fe0009f03
- https://git.kernel.org/stable/c/b6447b72aca571632e71bb73a797118d5ce46a93
- https://git.kernel.org/stable/c/fb1a3132ee1ac968316e45d21a48703a6db0b6c3
- https://git.kernel.org/stable/c/b6447b72aca571632e71bb73a797118d5ce46a93
- https://git.kernel.org/stable/c/fb1a3132ee1ac968316e45d21a48703a6db0b6c3
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html