CVE-2021-47419

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47419
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47419.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47419
Related
Published
2024-05-21T15:15:27Z
Modified
2024-11-01T16:45:38.615416Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: schtaprio: properly cancel timer from tapriodestroy()

There is a comment in qdisc_create() about us not calling ops->reset() in some cases.

err_out4: /* * Any broken qdiscs that would require a ops->reset() here? * The qdisc was never in action so it shouldn't be necessary. */

As taprio sets a timer before actually receiving a packet, we need to cancel it from ops->destroy, just in case ops->reset has not been called.

syzbot reported:

ODEBUG: free active (active state 0) object type: hrtimer hint: advancesched+0x0/0x9a0 arch/x86/include/asm/atomic6464.h:22 WARNING: CPU: 0 PID: 8441 at lib/debugobjects.c:505 debugprintobject+0x16e/0x250 lib/debugobjects.c:505 Modules linked in: CPU: 0 PID: 8441 Comm: syz-executor813 Not tainted 5.14.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:debugprintobject+0x16e/0x250 lib/debugobjects.c:505 Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd e0 d3 e3 89 4c 89 ee 48 c7 c7 e0 c7 e3 89 e8 5b 86 11 05 <0f> 0b 83 05 85 03 92 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3 RSP: 0018:ffffc9000130f330 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 RDX: ffff88802baeb880 RSI: ffffffff815d87b5 RDI: fffff52000261e58 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815d25ee R11: 0000000000000000 R12: ffffffff898dd020 R13: ffffffff89e3ce20 R14: ffffffff81653630 R15: dffffc0000000000 FS: 0000000000f0d300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffb64b3e000 CR3: 0000000036557000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: debugchecknoobjfreed lib/debugobjects.c:987 [inline] debugchecknoobjfreed+0x301/0x420 lib/debugobjects.c:1018 slabfreehook mm/slub.c:1603 [inline] slabfreefreelisthook+0x171/0x240 mm/slub.c:1653 slabfree mm/slub.c:3213 [inline] kfree+0xe4/0x540 mm/slub.c:4267 qdisccreate+0xbcf/0x1320 net/sched/schapi.c:1299 tcmodifyqdisc+0x4c8/0x1a60 net/sched/schapi.c:1663 rtnetlinkrcvmsg+0x413/0xb80 net/core/rtnetlink.c:5571 netlinkrcvskb+0x153/0x420 net/netlink/afnetlink.c:2504 netlinkunicastkernel net/netlink/afnetlink.c:1314 [inline] netlinkunicast+0x533/0x7d0 net/netlink/afnetlink.c:1340 netlinksendmsg+0x86d/0xdb0 net/netlink/afnetlink.c:1929 socksendmsgnosec net/socket.c:704 [inline] socksendmsg+0xcf/0x120 net/socket.c:724 syssendmsg+0x6e8/0x810 net/socket.c:2403 _syssendmsg+0xf3/0x170 net/socket.c:2457 _syssendmsg+0xe5/0x1b0 net/socket.c:2486 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x35/0xb0 arch/x86/entry/common.c:80

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}