The vulnerability CVE-2021-47306 is a Use-After-Free (UAF) bug in the Linux kernel's FDDI (Fiber Distributed Data Interface) driver. Specifically, it affects the `fza_probe` function in the `defza.c` file, which is responsible for probing and initializing TURBOchannel adapters.

The issue arises because the `fp` variable, a pointer to the netdev private data structure, is still used after the device has been released by the `free_netdev()` call. Accessing it at that point is the UAF, and it can lead to memory corruption and other security issues.

To fix this vulnerability, the `free_netdev()` call is moved after the error message, ensuring that `fp` is no longer accessed once the device has been freed. The fix was introduced in kernel versions 5.4.135, 5.10.53, 5.13.5, and 5.14, with corresponding commits.

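The following is an added example modelling the error path the CVE describes; it is not the driver's own code. It uses hypothetical stand-ins (`alloc_fddidev_sim`, `netdev_priv_sim`, `free_netdev_sim`) for the kernel helpers, keeps the device in a single static slot instead of a real slab, and poisons the object on free with 0x6b (the byte the kernel's slab debugging uses for freed memory). That keeps the stale read well-defined in this user-space model so the bug is observable; in the real kernel the same read is undefined behaviour. The vulnerable ordering formats the error message after the free, the fixed ordering before it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: driver private data placed behind the net_device,
 * the way the kernel's alloc_fddidev()/netdev_priv() arrange it. */
struct fza_private {
    char name[16];   /* fp->name, the field the error message reads */
    int  state;
};

struct net_device {
    int irq;
    struct fza_private priv;
};

/* One-object "slab" stand-in (assumption for this model, not kernel code). */
static struct net_device slab_slot;
static int slab_in_use;

static struct net_device *alloc_fddidev_sim(const char *name)
{
    if (slab_in_use)
        return NULL;
    slab_in_use = 1;
    memset(&slab_slot, 0, sizeof slab_slot);
    snprintf(slab_slot.priv.name, sizeof slab_slot.priv.name, "%s", name);
    return &slab_slot;
}

static struct fza_private *netdev_priv_sim(struct net_device *dev)
{
    return &dev->priv;
}

/* Free poisons the whole object with 0x6b, mirroring slab poisoning, so a
 * later read through a stale pointer returns 'k' bytes instead of the name. */
static void free_netdev_sim(struct net_device *dev)
{
    memset(dev, 0x6b, sizeof *dev);
    slab_in_use = 0;
}

/* Bounded read of fp->name: the poisoned buffer has no terminator. */
static void format_failure(char *out, size_t len, const struct fza_private *fp)
{
    snprintf(out, len, "%.*s: initialization failure, aborting!",
             (int)sizeof fp->name, fp->name);
}

/* Error path as the CVE describes it: fp is read after free_netdev(). */
void probe_error_vulnerable(char *msg, size_t len)
{
    struct net_device *dev = alloc_fddidev_sim("fza0");
    if (!dev) { snprintf(msg, len, "alloc failed"); return; }
    struct fza_private *fp = netdev_priv_sim(dev);

    free_netdev_sim(dev);
    format_failure(msg, len, fp);   /* use after free */
}

/* Fixed ordering: emit the message first, then release the device. */
void probe_error_fixed(char *msg, size_t len)
{
    struct net_device *dev = alloc_fddidev_sim("fza0");
    if (!dev) { snprintf(msg, len, "alloc failed"); return; }
    struct fza_private *fp = netdev_priv_sim(dev);

    format_failure(msg, len, fp);
    free_netdev_sim(dev);
}

int main(void)
{
    char msg[64];

    probe_error_vulnerable(msg, sizeof msg);
    printf("vulnerable: %s\n", msg);
    probe_error_fixed(msg, sizeof msg);
    printf("fixed:      %s\n", msg);
    return 0;
}
```

With poisoning enabled, the vulnerable path prints a run of `k` characters where the adapter name should be, which is the same symptom a kernel built with slab debugging shows for a freed-object read; without poisoning the stale data may look correct, which is why such bugs are easy to miss in normal testing.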
The Linux kernel CVE team recommends updating to the latest stable kernel version, which addresses this vulnerability along with other bug fixes. Cherry-picking individual commits is neither recommended nor supported by the Linux kernel community.
