CVE-2021-47419
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-47419
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47419.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-47419
- Related
- Published
- 2024-05-21T15:15:27Z
- Modified
- 2024-09-11T04:41:10.329245Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/sched: schtaprio: properly cancel timer from tapriodestroy()
There is a comment in qdisc_create() about us not calling ops->reset() in some cases.
err_out4: /* * Any broken qdiscs that would require a ops->reset() here? * The qdisc was never in action so it shouldn't be necessary. */
As taprio sets a timer before actually receiving a packet, we need to cancel it from ops->destroy, just in case ops->reset has not been called.
syzbot reported:
ODEBUG: free active (active state 0) object type: hrtimer hint: advancesched+0x0/0x9a0 arch/x86/include/asm/atomic6464.h:22 WARNING: CPU: 0 PID: 8441 at lib/debugobjects.c:505 debugprintobject+0x16e/0x250 lib/debugobjects.c:505 Modules linked in: CPU: 0 PID: 8441 Comm: syz-executor813 Not tainted 5.14.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:debugprintobject+0x16e/0x250 lib/debugobjects.c:505 Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd e0 d3 e3 89 4c 89 ee 48 c7 c7 e0 c7 e3 89 e8 5b 86 11 05 <0f> 0b 83 05 85 03 92 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3 RSP: 0018:ffffc9000130f330 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 RDX: ffff88802baeb880 RSI: ffffffff815d87b5 RDI: fffff52000261e58 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815d25ee R11: 0000000000000000 R12: ffffffff898dd020 R13: ffffffff89e3ce20 R14: ffffffff81653630 R15: dffffc0000000000 FS: 0000000000f0d300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffb64b3e000 CR3: 0000000036557000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: debugchecknoobjfreed lib/debugobjects.c:987 [inline] debugchecknoobjfreed+0x301/0x420 lib/debugobjects.c:1018 slabfreehook mm/slub.c:1603 [inline] slabfreefreelisthook+0x171/0x240 mm/slub.c:1653 slabfree mm/slub.c:3213 [inline] kfree+0xe4/0x540 mm/slub.c:4267 qdisccreate+0xbcf/0x1320 net/sched/schapi.c:1299 tcmodifyqdisc+0x4c8/0x1a60 net/sched/schapi.c:1663 rtnetlinkrcvmsg+0x413/0xb80 net/core/rtnetlink.c:5571 netlinkrcvskb+0x153/0x420 net/netlink/afnetlink.c:2504 netlinkunicastkernel net/netlink/afnetlink.c:1314 [inline] netlinkunicast+0x533/0x7d0 net/netlink/afnetlink.c:1340 netlinksendmsg+0x86d/0xdb0 net/netlink/afnetlink.c:1929 socksendmsgnosec net/socket.c:704 [inline] socksendmsg+0xcf/0x120 net/socket.c:724 syssendmsg+0x6e8/0x810 net/socket.c:2403 _syssendmsg+0xf3/0x170 net/socket.c:2457 _syssendmsg+0xe5/0x1b0 net/socket.c:2486 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x35/0xb0 arch/x86/entry/common.c:80
- References
-
- https://git.kernel.org/stable/c/3ec73ffeef54596c32aff0e73fe60971b9c8b866
- https://git.kernel.org/stable/c/7a1c1af341041221b3acb9d7036cc2b43e0efa75
- https://git.kernel.org/stable/c/a56d447f196fa9973c568f54c0d76d5391c3b0c0
- https://git.kernel.org/stable/c/c951c08a5996365aecbc5f1a9bddec3905e1ddfc
- https://security-tracker.debian.org/tracker/CVE-2021-47419
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source