CVE-2021-47563

In the Linux kernel, the following vulnerability has been resolved:

ice: avoid bpf_prog refcount underflow

Ice driver has the routines for managing XDP resources that are shared between ndo_bpf op and VSI rebuild flow. The latter takes place for example when user changes queue count on an interface via ethtools set_channels().

There is an issue around the bpf_prog refcounting when VSI is being rebuilt - since ice_prepare_xdp_rings() is called with vsi->xdp_prog as an argument that is used later on by ice_vsi_assign_bpf_prog(), same bpf_prog pointers are swapped with each other. Then it is also interpreted as an old_prog which in turn causes us to call bpf_prog_put on it that will decrement its refcount.

Below splat can be interpreted in a way that due to zero refcount of a bpf_prog it is wiped out from the system while kernel still tries to refer to it:

[ 481.069429] BUG: unable to handle page fault for address: ffffc9000640f038 [ 481.077390] #PF: supervisor read access in kernel mode [ 481.083335] #PF: error_code(0x0000) - not-present page [ 481.089276] PGD 100000067 P4D 100000067 PUD 1001cb067 PMD 106d2b067 PTE 0 [ 481.097141] Oops: 0000 [#1] PREEMPT SMP PTI [ 481.101980] CPU: 12 PID: 3339 Comm: sudo Tainted: G OE 5.15.0-rc5+ #1 [ 481.110840] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016 [ 481.122021] RIP: 0010:dev_xdp_prog_id+0x25/0x40 [ 481.127265] Code: 80 00 00 00 00 0f 1f 44 00 00 89 f6 48 c1 e6 04 48 01 fe 48 8b 86 98 08 00 00 48 85 c0 74 13 48 8b 50 18 31 c0 48 85 d2 74 07 <48> 8b 42 38 8b 40 20 c3 48 8b 96 90 08 00 00 eb e8 66 2e 0f 1f 84 [ 481.148991] RSP: 0018:ffffc90007b63868 EFLAGS: 00010286 [ 481.155034] RAX: 0000000000000000 RBX: ffff889080824000 RCX: 0000000000000000 [ 481.163278] RDX: ffffc9000640f000 RSI: ffff889080824010 RDI: ffff889080824000 [ 481.171527] RBP: ffff888107af7d00 R08: 0000000000000000 R09: ffff88810db5f6e0 [ 481.179776] R10: 0000000000000000 R11: ffff8890885b9988 R12: ffff88810db5f4bc [ 481.188026] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 481.196276] FS: 00007f5466d5bec0(0000) GS:ffff88903fb00000(0000) knlGS:0000000000000000 [ 481.205633] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 481.212279] CR2: ffffc9000640f038 CR3: 000000014429c006 CR4: 00000000003706e0 [ 481.220530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 481.228771] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 481.237029] Call Trace: [ 481.239856] rtnl_fill_ifinfo+0x768/0x12e0 [ 481.244602] rtnl_dump_ifinfo+0x525/0x650 [ 481.249246] ? __alloc_skb+0xa5/0x280 [ 481.253484] netlink_dump+0x168/0x3c0 [ 481.257725] netlink_recvmsg+0x21e/0x3e0 [ 481.262263] ____sys_recvmsg+0x87/0x170 [ 481.266707] ? __might_fault+0x20/0x30 [ 481.271046] ? _copy_from_user+0x66/0xa0 [ 481.275591] ? iovec_from_user+0xf6/0x1c0 [ 481.280226] ___sys_recvmsg+0x82/0x100 [ 481.284566] ? sock_sendmsg+0x5e/0x60 [ 481.288791] ? __sys_sendto+0xee/0x150 [ 481.293129] __sys_recvmsg+0x56/0xa0 [ 481.297267] do_syscall_64+0x3b/0xc0 [ 481.301395] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 481.307238] RIP: 0033:0x7f5466f39617 [ 481.311373] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bd 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 [ 481.342944] RSP: 002b:00007ffedc7f4308 EFLAGS: 00000246 ORIG_RAX: 000000000000002f [ 481.361783] RAX: ffffffffffffffda RBX: 00007ffedc7f5460 RCX: 00007f5466f39617 [ 481.380278] RDX: 0000000000000000 RSI: 00007ffedc7f5360 RDI: 0000000000000003 [ 481.398500] RBP: 00007ffedc7f53f0 R08: 0000000000000000 R09: 000055d556f04d50 [ 481.416463] R10: 0000000000000077 R11: 0000000000000246 R12: 00007ffedc7f5360 [ 481.434131] R13: 00007ffedc7f5350 R14: 00007ffedc7f5344 R15: 0000000000000e98 [ 481.451520] Modules linked in: ice —truncated—

Affected Software

Name	Vendor	Start Version	End Version
Linux_kernel	Linux	5.5 (including)	5.10.83 (excluding)
Linux_kernel	Linux	5.11 (including)	5.15.6 (excluding)
Linux_kernel	Linux	5.16-rc1 (including)	5.16-rc1 (including)
Linux_kernel	Linux	5.16-rc2 (including)	5.16-rc2 (including)
Linux	Ubuntu	upstream	*
Linux-allwinner-5.19	Ubuntu	jammy	*
Linux-allwinner-5.19	Ubuntu	upstream	*
Linux-aws	Ubuntu	upstream	*
Linux-aws-5.0	Ubuntu	esm-infra/bionic	*
Linux-aws-5.0	Ubuntu	upstream	*
Linux-aws-5.11	Ubuntu	esm-infra/focal	*
Linux-aws-5.11	Ubuntu	focal	*
Linux-aws-5.11	Ubuntu	upstream	*
Linux-aws-5.13	Ubuntu	esm-infra/focal	*
Linux-aws-5.13	Ubuntu	focal	*
Linux-aws-5.13	Ubuntu	upstream	*
Linux-aws-5.15	Ubuntu	upstream	*
Linux-aws-5.19	Ubuntu	jammy	*
Linux-aws-5.19	Ubuntu	upstream	*
Linux-aws-5.3	Ubuntu	esm-infra/bionic	*
Linux-aws-5.3	Ubuntu	upstream	*
Linux-aws-5.4	Ubuntu	upstream	*
Linux-aws-5.8	Ubuntu	esm-infra/focal	*
Linux-aws-5.8	Ubuntu	focal	*
Linux-aws-5.8	Ubuntu	upstream	*
Linux-aws-6.2	Ubuntu	jammy	*
Linux-aws-6.2	Ubuntu	upstream	*
Linux-aws-6.5	Ubuntu	upstream	*
Linux-aws-fips	Ubuntu	upstream	*
Linux-aws-hwe	Ubuntu	upstream	*
Linux-azure	Ubuntu	esm-infra/bionic	*
Linux-azure	Ubuntu	upstream	*
Linux-azure-4.15	Ubuntu	upstream	*
Linux-azure-5.11	Ubuntu	esm-infra/focal	*
Linux-azure-5.11	Ubuntu	focal	*
Linux-azure-5.11	Ubuntu	upstream	*
Linux-azure-5.13	Ubuntu	esm-infra/focal	*
Linux-azure-5.13	Ubuntu	focal	*
Linux-azure-5.13	Ubuntu	upstream	*
Linux-azure-5.15	Ubuntu	upstream	*
Linux-azure-5.19	Ubuntu	jammy	*
Linux-azure-5.19	Ubuntu	upstream	*
Linux-azure-5.3	Ubuntu	esm-infra/bionic	*
Linux-azure-5.3	Ubuntu	upstream	*
Linux-azure-5.4	Ubuntu	upstream	*
Linux-azure-5.8	Ubuntu	esm-infra/focal	*
Linux-azure-5.8	Ubuntu	focal	*
Linux-azure-5.8	Ubuntu	upstream	*
Linux-azure-6.2	Ubuntu	jammy	*
Linux-azure-6.2	Ubuntu	upstream	*
Linux-azure-6.5	Ubuntu	upstream	*
Linux-azure-edge	Ubuntu	esm-infra/bionic	*
Linux-azure-edge	Ubuntu	upstream	*
Linux-azure-fde	Ubuntu	esm-infra/focal	*
Linux-azure-fde	Ubuntu	focal	*
Linux-azure-fde	Ubuntu	upstream	*
Linux-azure-fde-5.15	Ubuntu	upstream	*
Linux-azure-fde-5.19	Ubuntu	jammy	*
Linux-azure-fde-5.19	Ubuntu	upstream	*
Linux-azure-fde-6.2	Ubuntu	jammy	*
Linux-azure-fde-6.2	Ubuntu	upstream	*
Linux-azure-fips	Ubuntu	upstream	*
Linux-bluefield	Ubuntu	upstream	*
Linux-fips	Ubuntu	upstream	*
Linux-gcp	Ubuntu	esm-infra/bionic	*
Linux-gcp	Ubuntu	upstream	*
Linux-gcp-4.15	Ubuntu	upstream	*
Linux-gcp-5.11	Ubuntu	esm-infra/focal	*
Linux-gcp-5.11	Ubuntu	focal	*
Linux-gcp-5.11	Ubuntu	upstream	*
Linux-gcp-5.13	Ubuntu	esm-infra/focal	*
Linux-gcp-5.13	Ubuntu	focal	*
Linux-gcp-5.13	Ubuntu	upstream	*
Linux-gcp-5.15	Ubuntu	upstream	*
Linux-gcp-5.19	Ubuntu	jammy	*
Linux-gcp-5.19	Ubuntu	upstream	*
Linux-gcp-5.3	Ubuntu	esm-infra/bionic	*
Linux-gcp-5.3	Ubuntu	upstream	*
Linux-gcp-5.4	Ubuntu	upstream	*
Linux-gcp-5.8	Ubuntu	esm-infra/focal	*
Linux-gcp-5.8	Ubuntu	focal	*
Linux-gcp-5.8	Ubuntu	upstream	*
Linux-gcp-6.2	Ubuntu	jammy	*
Linux-gcp-6.2	Ubuntu	upstream	*
Linux-gcp-6.5	Ubuntu	upstream	*
Linux-gcp-fips	Ubuntu	upstream	*
Linux-gke	Ubuntu	esm-infra/focal	*
Linux-gke	Ubuntu	focal	*
Linux-gke	Ubuntu	upstream	*
Linux-gke-4.15	Ubuntu	esm-infra/bionic	*
Linux-gke-4.15	Ubuntu	upstream	*
Linux-gke-5.15	Ubuntu	esm-infra/focal	*
Linux-gke-5.15	Ubuntu	focal	*
Linux-gke-5.15	Ubuntu	upstream	*
Linux-gke-5.4	Ubuntu	esm-infra/bionic	*
Linux-gke-5.4	Ubuntu	upstream	*
Linux-gkeop	Ubuntu	upstream	*
Linux-gkeop-5.15	Ubuntu	upstream	*
Linux-gkeop-5.4	Ubuntu	esm-infra/bionic	*
Linux-gkeop-5.4	Ubuntu	upstream	*
Linux-hwe	Ubuntu	esm-infra/bionic	*
Linux-hwe	Ubuntu	upstream	*
Linux-hwe-5.11	Ubuntu	esm-infra/focal	*
Linux-hwe-5.11	Ubuntu	focal	*
Linux-hwe-5.11	Ubuntu	upstream	*
Linux-hwe-5.13	Ubuntu	esm-infra/focal	*
Linux-hwe-5.13	Ubuntu	focal	*
Linux-hwe-5.13	Ubuntu	upstream	*
Linux-hwe-5.15	Ubuntu	upstream	*
Linux-hwe-5.19	Ubuntu	jammy	*
Linux-hwe-5.19	Ubuntu	upstream	*
Linux-hwe-5.4	Ubuntu	upstream	*
Linux-hwe-5.8	Ubuntu	esm-infra/focal	*
Linux-hwe-5.8	Ubuntu	focal	*
Linux-hwe-5.8	Ubuntu	upstream	*
Linux-hwe-6.2	Ubuntu	jammy	*
Linux-hwe-6.2	Ubuntu	upstream	*
Linux-hwe-6.5	Ubuntu	upstream	*
Linux-hwe-edge	Ubuntu	esm-infra/bionic	*
Linux-hwe-edge	Ubuntu	esm-infra/xenial	*
Linux-hwe-edge	Ubuntu	upstream	*
Linux-ibm	Ubuntu	mantic	*
Linux-ibm	Ubuntu	upstream	*
Linux-ibm-5.15	Ubuntu	upstream	*
Linux-ibm-5.4	Ubuntu	upstream	*
Linux-intel	Ubuntu	upstream	*
Linux-intel-5.13	Ubuntu	esm-infra/focal	*
Linux-intel-5.13	Ubuntu	focal	*
Linux-intel-5.13	Ubuntu	upstream	*
Linux-intel-iotg	Ubuntu	upstream	*
Linux-intel-iotg-5.15	Ubuntu	upstream	*
Linux-iot	Ubuntu	upstream	*
Linux-kvm	Ubuntu	upstream	*
Linux-laptop	Ubuntu	upstream	*
Linux-lowlatency	Ubuntu	upstream	*
Linux-lowlatency-hwe-5.15	Ubuntu	upstream	*
Linux-lowlatency-hwe-5.19	Ubuntu	jammy	*
Linux-lowlatency-hwe-5.19	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.2	Ubuntu	jammy	*
Linux-lowlatency-hwe-6.2	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.5	Ubuntu	upstream	*
Linux-lts-xenial	Ubuntu	upstream	*
Linux-nvidia	Ubuntu	upstream	*
Linux-nvidia-6.2	Ubuntu	jammy	*
Linux-nvidia-6.2	Ubuntu	upstream	*
Linux-nvidia-6.5	Ubuntu	upstream	*
Linux-nvidia-6.8	Ubuntu	upstream	*
Linux-nvidia-lowlatency	Ubuntu	upstream	*
Linux-oem	Ubuntu	esm-infra/bionic	*
Linux-oem	Ubuntu	upstream	*
Linux-oem-5.10	Ubuntu	esm-infra/focal	*
Linux-oem-5.10	Ubuntu	focal	*
Linux-oem-5.10	Ubuntu	upstream	*
Linux-oem-5.13	Ubuntu	esm-infra/focal	*
Linux-oem-5.13	Ubuntu	focal	*
Linux-oem-5.13	Ubuntu	upstream	*
Linux-oem-5.14	Ubuntu	esm-infra/focal	*
Linux-oem-5.14	Ubuntu	focal	*
Linux-oem-5.14	Ubuntu	upstream	*
Linux-oem-5.17	Ubuntu	jammy	*
Linux-oem-5.17	Ubuntu	upstream	*
Linux-oem-5.6	Ubuntu	esm-infra/focal	*
Linux-oem-5.6	Ubuntu	focal	*
Linux-oem-5.6	Ubuntu	upstream	*
Linux-oem-6.0	Ubuntu	jammy	*
Linux-oem-6.0	Ubuntu	upstream	*
Linux-oem-6.1	Ubuntu	jammy	*
Linux-oem-6.1	Ubuntu	upstream	*
Linux-oem-6.5	Ubuntu	upstream	*
Linux-oem-6.8	Ubuntu	upstream	*
Linux-oracle	Ubuntu	upstream	*
Linux-oracle-5.0	Ubuntu	esm-infra/bionic	*
Linux-oracle-5.0	Ubuntu	upstream	*
Linux-oracle-5.11	Ubuntu	esm-infra/focal	*
Linux-oracle-5.11	Ubuntu	focal	*
Linux-oracle-5.11	Ubuntu	upstream	*
Linux-oracle-5.13	Ubuntu	esm-infra/focal	*
Linux-oracle-5.13	Ubuntu	focal	*
Linux-oracle-5.13	Ubuntu	upstream	*
Linux-oracle-5.15	Ubuntu	upstream	*
Linux-oracle-5.3	Ubuntu	esm-infra/bionic	*
Linux-oracle-5.3	Ubuntu	upstream	*
Linux-oracle-5.4	Ubuntu	upstream	*
Linux-oracle-5.8	Ubuntu	esm-infra/focal	*
Linux-oracle-5.8	Ubuntu	focal	*
Linux-oracle-5.8	Ubuntu	upstream	*
Linux-oracle-6.5	Ubuntu	upstream	*
Linux-raspi	Ubuntu	upstream	*
Linux-raspi-5.4	Ubuntu	upstream	*
Linux-raspi2	Ubuntu	esm-infra/focal	*
Linux-raspi2	Ubuntu	focal	*
Linux-raspi2	Ubuntu	upstream	*
Linux-riscv	Ubuntu	esm-infra/focal	*
Linux-riscv	Ubuntu	focal	*
Linux-riscv	Ubuntu	jammy	*
Linux-riscv	Ubuntu	upstream	*
Linux-riscv-5.11	Ubuntu	esm-infra/focal	*
Linux-riscv-5.11	Ubuntu	focal	*
Linux-riscv-5.11	Ubuntu	upstream	*
Linux-riscv-5.15	Ubuntu	upstream	*
Linux-riscv-5.19	Ubuntu	jammy	*
Linux-riscv-5.19	Ubuntu	upstream	*
Linux-riscv-5.8	Ubuntu	esm-infra/focal	*
Linux-riscv-5.8	Ubuntu	focal	*
Linux-riscv-5.8	Ubuntu	upstream	*
Linux-riscv-6.5	Ubuntu	upstream	*
Linux-starfive	Ubuntu	upstream	*
Linux-starfive-5.19	Ubuntu	jammy	*
Linux-starfive-5.19	Ubuntu	upstream	*
Linux-starfive-6.2	Ubuntu	jammy	*
Linux-starfive-6.2	Ubuntu	upstream	*
Linux-starfive-6.5	Ubuntu	upstream	*
Linux-xilinx-zynqmp	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-47563
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html

Affected Software

References