| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: put off calling register_netdev() until client initialize complete\n\nCurrently, the netdevice is registered before client initializing\ncomplete. So there is a timewindow between netdevice available\nand usable. In this case, if user try to change the channel number\nor ring param, it may cause the hns3_set_rx_cpu_rmap() being called\ntwice, and report bug.\n\n[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0\n[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized\n[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1\n[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1\n[47200.163524] ------------[ cut here ]------------\n[47200.171674] kernel BUG at lib/cpu_rmap.c:142!\n[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]\n[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1\n[47200.215601] Hardware name: , xxxxxx 02/04/2021\n[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[47200.230188] pc : cpu_rmap_add+0x38/0x40\n[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140\n[47200.243291] sp : ffff800010e93a30\n[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880\n[47200.254155] x27: 0000000000000000 x26: 0000000000000000\n[47200.260712] x25: 0000000000000000 x24: 0000000000000004\n[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0\n[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680\n[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0\n[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0\n[47200.293456] x15: fffffc2082990600 x14: dead000000000122\n[47200.300059] x13: ffffffffffffffff x12: 000000000000003e\n[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000\n[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700\n[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f\n[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20\n[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80\n[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004\n[47200.346058] Call trace:\n[47200.349324] cpu_rmap_add+0x38/0x40\n[47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]\n[47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]\n[47200.370049] hns3_change_channels+0x40/0xb0 [hns3]\n[47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3]\n[47200.383353] ethtool_set_channels+0x140/0x250\n[47200.389772] dev_ethtool+0x714/0x23d0\n[47200.394440] dev_ioctl+0x4cc/0x640\n[47200.399277] sock_do_ioctl+0x100/0x2a0\n[47200.404574] sock_ioctl+0x28c/0x470\n[47200.409079] __arm64_sys_ioctl+0xb4/0x100\n[47200.415217] el0_svc_common.constprop.0+0x84/0x210\n[47200.422088] do_el0_svc+0x28/0x34\n[47200.426387] el0_svc+0x28/0x70\n[47200.431308] el0_sync_handler+0x1a4/0x1b0\n[47200.436477] el0_sync+0x174/0x180\n[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)\n[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---\n\nThe process is like below:\nexcuting hns3_client_init\n|\nregister_netdev()\n| hns3_set_channels()\n| |\nhns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet()\n| |\n| quit without calling function\n| hns3_free_rx_cpu_rmap for flag\n| HNS3_NIC_STATE_INITED is unset.\n| |\n| hns3_reset_notify_init_enet()\n| |\nset HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash\n\nFix it by calling register_netdev() at the end of function\nhns3_client_init()." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/net/ethernet/hisilicon/hns3/hns3_enet.c" |
| ], |
| "versions": [ |
| { |
| "version": "08a100689d4baf296d6898c687ea8d005da8d234", |
| "lessThan": "a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "08a100689d4baf296d6898c687ea8d005da8d234", |
| "lessThan": "0921a0620b5077796fddffb22a8e6bc635a4bb50", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "08a100689d4baf296d6898c687ea8d005da8d234", |
| "lessThan": "a289a7e5c1d49b7d47df9913c1cc81fb48fab613", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/net/ethernet/hisilicon/hns3/hns3_enet.c" |
| ], |
| "versions": [ |
| { |
| "version": "5.6", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "5.6", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.42", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.12.9", |
| "lessThanOrEqual": "5.12.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.13", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.6", |
| "versionEndExcluding": "5.10.42" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.6", |
| "versionEndExcluding": "5.12.9" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.6", |
| "versionEndExcluding": "5.13" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613" |
| } |
| ], |
| "title": "net: hns3: put off calling register_netdev() until client initialize complete", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2021-47139", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
