{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2021-47139", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-03-04T18:12:48.841Z", "datePublished": "2024-03-25T09:07:38.216Z", "dateUpdated": "2026-05-11T13:48:48.353Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T13:48:48.353Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: put off calling register_netdev() until client initialize complete\n\nCurrently, the netdevice is registered before client initializing\ncomplete. So there is a timewindow between netdevice available\nand usable. In this case, if user try to change the channel number\nor ring param, it may cause the hns3_set_rx_cpu_rmap() being called\ntwice, and report bug.\n\n[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0\n[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized\n[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1\n[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1\n[47200.163524] ------------[ cut here ]------------\n[47200.171674] kernel BUG at lib/cpu_rmap.c:142!\n[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]\n[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1\n[47200.215601] Hardware name: , xxxxxx 02/04/2021\n[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[47200.230188] pc : cpu_rmap_add+0x38/0x40\n[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140\n[47200.243291] sp : ffff800010e93a30\n[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880\n[47200.254155] x27: 0000000000000000 x26: 0000000000000000\n[47200.260712] x25: 0000000000000000 x24: 0000000000000004\n[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0\n[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680\n[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0\n[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0\n[47200.293456] x15: fffffc2082990600 x14: dead000000000122\n[47200.300059] x13: ffffffffffffffff x12: 000000000000003e\n[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000\n[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700\n[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f\n[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20\n[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80\n[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004\n[47200.346058] Call trace:\n[47200.349324] cpu_rmap_add+0x38/0x40\n[47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]\n[47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]\n[47200.370049] hns3_change_channels+0x40/0xb0 [hns3]\n[47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3]\n[47200.383353] ethtool_set_channels+0x140/0x250\n[47200.389772] dev_ethtool+0x714/0x23d0\n[47200.394440] dev_ioctl+0x4cc/0x640\n[47200.399277] sock_do_ioctl+0x100/0x2a0\n[47200.404574] sock_ioctl+0x28c/0x470\n[47200.409079] __arm64_sys_ioctl+0xb4/0x100\n[47200.415217] el0_svc_common.constprop.0+0x84/0x210\n[47200.422088] do_el0_svc+0x28/0x34\n[47200.426387] el0_svc+0x28/0x70\n[47200.431308] el0_sync_handler+0x1a4/0x1b0\n[47200.436477] el0_sync+0x174/0x180\n[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)\n[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---\n\nThe process is like below:\nexcuting hns3_client_init\n|\nregister_netdev()\n| hns3_set_channels()\n| |\nhns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet()\n| |\n| quit without calling function\n| hns3_free_rx_cpu_rmap for flag\n| HNS3_NIC_STATE_INITED is unset.\n| |\n| hns3_reset_notify_init_enet()\n| |\nset HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash\n\nFix it by calling register_netdev() at the end of function\nhns3_client_init()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/hisilicon/hns3/hns3_enet.c"], "versions": [{"version": "08a100689d4baf296d6898c687ea8d005da8d234", "lessThan": "a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc", "status": "affected", "versionType": "git"}, {"version": "08a100689d4baf296d6898c687ea8d005da8d234", "lessThan": "0921a0620b5077796fddffb22a8e6bc635a4bb50", "status": "affected", "versionType": "git"}, {"version": "08a100689d4baf296d6898c687ea8d005da8d234", "lessThan": "a289a7e5c1d49b7d47df9913c1cc81fb48fab613", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/hisilicon/hns3/hns3_enet.c"], "versions": [{"version": "5.6", "status": "affected"}, {"version": "0", "lessThan": "5.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.42", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.12.9", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.10.42"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.12.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.13"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc"}, {"url": "https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50"}, {"url": "https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613"}], "title": "net: hns3: put off calling register_netdev() until client initialize complete", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47139", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-01T19:39:46.000821Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:15:16.732Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:24:39.957Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47139", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-03-04T18:12:48.841Z", "datePublished": "2024-03-25T09:07:38.216Z", "dateUpdated": "2024-06-04T17:15:16.732Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:02:47.654Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: put off calling register_netdev() until client initialize complete\n\nCurrently, the netdevice is registered before client initializing\ncomplete. So there is a timewindow between netdevice available\nand usable. In this case, if user try to change the channel number\nor ring param, it may cause the hns3_set_rx_cpu_rmap() being called\ntwice, and report bug.\n\n[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0\n[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized\n[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1\n[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1\n[47200.163524] ------------[ cut here ]------------\n[47200.171674] kernel BUG at lib/cpu_rmap.c:142!\n[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]\n[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1\n[47200.215601] Hardware name: , xxxxxx 02/04/2021\n[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[47200.230188] pc : cpu_rmap_add+0x38/0x40\n[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140\n[47200.243291] sp : ffff800010e93a30\n[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880\n[47200.254155] x27: 0000000000000000 x26: 0000000000000000\n[47200.260712] x25: 0000000000000000 x24: 0000000000000004\n[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0\n[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680\n[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0\n[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0\n[47200.293456] x15: fffffc2082990600 x14: dead000000000122\n[47200.300059] x13: ffffffffffffffff x12: 000000000000003e\n[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000\n[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700\n[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f\n[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20\n[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80\n[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004\n[47200.346058] Call trace:\n[47200.349324] cpu_rmap_add+0x38/0x40\n[47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]\n[47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]\n[47200.370049] hns3_change_channels+0x40/0xb0 [hns3]\n[47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3]\n[47200.383353] ethtool_set_channels+0x140/0x250\n[47200.389772] dev_ethtool+0x714/0x23d0\n[47200.394440] dev_ioctl+0x4cc/0x640\n[47200.399277] sock_do_ioctl+0x100/0x2a0\n[47200.404574] sock_ioctl+0x28c/0x470\n[47200.409079] __arm64_sys_ioctl+0xb4/0x100\n[47200.415217] el0_svc_common.constprop.0+0x84/0x210\n[47200.422088] do_el0_svc+0x28/0x34\n[47200.426387] el0_svc+0x28/0x70\n[47200.431308] el0_sync_handler+0x1a4/0x1b0\n[47200.436477] el0_sync+0x174/0x180\n[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)\n[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---\n\nThe process is like below:\nexcuting hns3_client_init\n|\nregister_netdev()\n| hns3_set_channels()\n| |\nhns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet()\n| |\n| quit without calling function\n| hns3_free_rx_cpu_rmap for flag\n| HNS3_NIC_STATE_INITED is unset.\n| |\n| hns3_reset_notify_init_enet()\n| |\nset HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash\n\nFix it by calling register_netdev() at the end of function\nhns3_client_init()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/hisilicon/hns3/hns3_enet.c"], "versions": [{"version": "08a100689d4b", "lessThan": "a663c1e418a3", "status": "affected", "versionType": "git"}, {"version": "08a100689d4b", "lessThan": "0921a0620b50", "status": "affected", "versionType": "git"}, {"version": "08a100689d4b", "lessThan": "a289a7e5c1d4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/hisilicon/hns3/hns3_enet.c"], "versions": [{"version": "5.6", "status": "affected"}, {"version": "0", "lessThan": "5.6", "status": "unaffected", "versionType": "custom"}, {"version": "5.10.42", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.12.9", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc"}, {"url": "https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50"}, {"url": "https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613"}], "title": "net: hns3: put off calling register_netdev() until client initialize complete", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47139", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-01T19:39:46.000821Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:20.830Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E2EC44-45C1-4B05-8C62-77FF73DE23CA", "versionEndExcluding": "5.10.42", "versionStartIncluding": "5.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C8A1D02-81A7-44E5-ACFD-CC6A6694F930", "versionEndExcluding": "5.12.9", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*", "matchCriteriaId": "96AC23B2-D46A-49D9-8203-8E1BEDCA8532", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DA610E30-717C-4700-9F77-A3C9244F3BFD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: put off calling register_netdev() until client initialize complete\n\nCurrently, the netdevice is registered before client initializing\ncomplete. So there is a timewindow between netdevice available\nand usable. In this case, if user try to change the channel number\nor ring param, it may cause the hns3_set_rx_cpu_rmap() being called\ntwice, and report bug.\n\n[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0\n[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized\n[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1\n[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1\n[47200.163524] ------------[ cut here ]------------\n[47200.171674] kernel BUG at lib/cpu_rmap.c:142!\n[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]\n[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1\n[47200.215601] Hardware name: , xxxxxx 02/04/2021\n[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[47200.230188] pc : cpu_rmap_add+0x38/0x40\n[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140\n[47200.243291] sp : ffff800010e93a30\n[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880\n[47200.254155] x27: 0000000000000000 x26: 0000000000000000\n[47200.260712] x25: 0000000000000000 x24: 0000000000000004\n[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0\n[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680\n[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0\n[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0\n[47200.293456] x15: fffffc2082990600 x14: dead000000000122\n[47200.300059] x13: ffffffffffffffff x12: 000000000000003e\n[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000\n[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700\n[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f\n[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20\n[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80\n[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004\n[47200.346058] Call trace:\n[47200.349324] cpu_rmap_add+0x38/0x40\n[47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]\n[47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]\n[47200.370049] hns3_change_channels+0x40/0xb0 [hns3]\n[47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3]\n[47200.383353] ethtool_set_channels+0x140/0x250\n[47200.389772] dev_ethtool+0x714/0x23d0\n[47200.394440] dev_ioctl+0x4cc/0x640\n[47200.399277] sock_do_ioctl+0x100/0x2a0\n[47200.404574] sock_ioctl+0x28c/0x470\n[47200.409079] __arm64_sys_ioctl+0xb4/0x100\n[47200.415217] el0_svc_common.constprop.0+0x84/0x210\n[47200.422088] do_el0_svc+0x28/0x34\n[47200.426387] el0_svc+0x28/0x70\n[47200.431308] el0_sync_handler+0x1a4/0x1b0\n[47200.436477] el0_sync+0x174/0x180\n[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)\n[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---\n\nThe process is like below:\nexcuting hns3_client_init\n|\nregister_netdev()\n| hns3_set_channels()\n| |\nhns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet()\n| |\n| quit without calling function\n| hns3_free_rx_cpu_rmap for flag\n| HNS3_NIC_STATE_INITED is unset.\n| |\n| hns3_reset_notify_init_enet()\n| |\nset HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash\n\nFix it by calling register_netdev() at the end of function\nhns3_client_init()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: hns3: posponga la llamada a Register_netdev() hasta que se complete la inicializaci\u00f3n del cliente. Actualmente, el netdevice se registra antes de que se complete la inicializaci\u00f3n del cliente. Por lo tanto, existe una ventana de tiempo entre el dispositivo de red disponible y utilizable. En este caso, si el usuario intenta cambiar el n\u00famero de canal o el par\u00e1metro de timbre, puede provocar que se llame dos veces a hns3_set_rx_cpu_rmap() y se informe del error. [47199.416502] hns3 0000:35:00.0 eth1: configurar canales: tqp_num=1, rxfh=0 [47199.430340] hns3 0000:35:00.0 eth1: ya no inicializado [47199.438554] hns3 0000:35:00.0 : rss cambia de 4 a 1 [47199.511854] hns3 0000:35:00.0: Canales cambiados, rss_size de 4 a 1, tqps de 4 a 1 [47200.163524] ------------[ cortar aqu\u00ed ]------- ----- \u00a1ERROR del kernel [47200.171674] en lib/cpu_rmap.c:142! [47200.177847] Error interno: Ups - ERROR: 0 [#1] SMP PREEMPT [47200.185259] M\u00f3dulos vinculados en: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv68 0_mii(O) [\u00faltima descarga: HCLGE] [47200.205912] CPU: 1 PID: 8260 Comm: EthTool Tainted: Go 5.11.0 -RC3 + #1 [47200.215601] Nombre de hardware:, xxxxxx 02/04/2021 [47200.223052] Pstate: 60400009 (NZCV + PAN + PANEFI. -TCO BTYPE=--) [47200.230188] pc: cpu_rmap_add+0x38/0x40 [47200.237472] lr: irq_cpu_rmap_add+0x84/0x140 [47200.243291] sp: ffff800010e93a30 [47200.247 295] x29: ffff800010e93a30 x28: ffff082100584880 [47200.254155] x27: 0000000000000000 x26: 0000000000000000 [47200.260712] x25: 0000000000000000 x24: 0000000000000004 [47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0 [ 47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680 [47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0 [47200.286944] x17: 0 000000000000000 x16: ffffb43debe4a0d0 [47200.293456] x15 : ffffc2082990600 x14: muerto000000000122 [47200.300059] x13: ffffffffffffffff x12: 000000000000003e [47200.306606] x11: ffff0820815b8080 x10: ffff53e4 11988000 [47200.313171] x9: 00000000000000000 x8: ffff0820e2bc1700 [47200.319682] x7: 00000000000000000 x6: 000000000000003f [47200.32617 0] x5: 0000000000000040 x4: ffff800010e93a20 [47200.332656] x3: 0000000000000004 x2: ffff0820c970ec80 [47200.339168] x1: ffff0820e2bc1680 x0: 00000000000000004 [47200.346058] Rastreo de llamadas: [4720 0.349324] cpu_rmap_add+0x38/0x40 [47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3] [47200.362294] hns3_reset_notify_init_enet+0x1cc/ 0x340 [hns3] [47200.370049] hns3_change_channels+0x40/0xb0 [hns3] [47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3] [47200.383353] ethtool_set_channels+0x140/0x250 [ 47200.389772] dev_ethtool+0x714/0x23d0 [47200.394440] dev_ioctl+0x4cc/0x640 [47200.399277] sock_do_ioctl+0x100/0x2a0 [47200.404574] sock_ioctl+0x28c/0x470 [47200.409079] __arm64_sys_ioctl+0xb4/0x100 [47200.415217] el0_svc _common.constprop.0+0x84/0x210 [47200.422088] do_el0_svc+0x28/0x34 [47200.426387] el0_svc+0x28 /0x70 [47200.431308] el0_sync_handler+0x1a4/0x1b0 [47200.436477] el0_sync+0x174/0x180 [47200.441562] C\u00f3digo: 11000405 79000c45 f8247861 d65f03c0 (d4210 000) [47200.448869] ---[ end trace a01efe4ce42e5f34 ]--- El proceso es el siguiente: ejecutando hns3_client_init | registrarse_netdev() | hns3_set_channels() | | hns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet() | | | salir sin llamar a la funci\u00f3n | hns3_free_rx_cpu_rmap para bandera | HNS3_NIC_STATE_INITED no est\u00e1 configurado. | | | hns3_reset_notify_init_enet() | | set HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash Solucionarlo llamando a Register_netdev() al final de la funci\u00f3n hns3_client_init()."}], "id": "CVE-2021-47139", "lastModified": "2025-03-13T21:09:36.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-25T09:15:08.603", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: hns3: put off calling register_netdev() until client initialize complete", "id": "2271483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2271483"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-99", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: hns3: put off calling register_netdev() until client initialize complete\nCurrently, the netdevice is registered before client initializing\ncomplete. So there is a timewindow between netdevice available\nand usable. In this case, if user try to change the channel number\nor ring param, it may cause the hns3_set_rx_cpu_rmap() being called\ntwice, and report bug.\n[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0\n[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized\n[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1\n[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1\n[47200.163524] ------------[ cut here ]------------\n[47200.171674] kernel BUG at lib/cpu_rmap.c:142!\n[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]\n[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1\n[47200.215601] Hardware name: , xxxxxx 02/04/2021\n[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[47200.230188] pc : cpu_rmap_add+0x38/0x40\n[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140\n[47200.243291] sp : ffff800010e93a30\n[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880\n[47200.254155] x27: 0000000000000000 x26: 0000000000000000\n[47200.260712] x25: 0000000000000000 x24: 0000000000000004\n[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0\n[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680\n[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0\n[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0\n[47200.293456] x15: fffffc2082990600 x14: dead000000000122\n[47200.300059] x13: ffffffffffffffff x12: 000000000000003e\n[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000\n[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700\n[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f\n[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20\n[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80\n[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004\n[47200.346058] Call trace:\n[47200.349324] cpu_rmap_add+0x38/0x40\n[47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]\n[47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]\n[47200.370049] hns3_change_channels+0x40/0xb0 [hns3]\n[47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3]\n[47200.383353] ethtool_set_channels+0x140/0x250\n[47200.389772] dev_ethtool+0x714/0x23d0\n[47200.394440] dev_ioctl+0x4cc/0x640\n[47200.399277] sock_do_ioctl+0x100/0x2a0\n[47200.404574] sock_ioctl+0x28c/0x470\n[47200.409079] __arm64_sys_ioctl+0xb4/0x100\n[47200.415217] el0_svc_common.constprop.0+0x84/0x210\n[47200.422088] do_el0_svc+0x28/0x34\n[47200.426387] el0_svc+0x28/0x70\n[47200.431308] el0_sync_handler+0x1a4/0x1b0\n[47200.436477] el0_sync+0x174/0x180\n[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)\n[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---\nThe process is like below:\nexcuting hns3_client_init\n|\nregister_netdev()\n| hns3_set_channels()\n| |\nhns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet()\n| |\n| quit without calling function\n| hns3_free_rx_cpu_rmap for flag\n| HNS3_NIC_STATE_INITED is unset.\n| |\n| hns3_reset_notify_init_enet()\n| |\nset HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash\nFix it by calling register_netdev() at the end of function\nhns3_client_init().", "A flaw was found in the Linux Kernel's netdevice, which is registered before client initializing is complete. If a window of time between netdevice is available and usable, and a user tries to change the channel number or ring param, it may cause the hns3_set_rx_cpu_rmap() to be called twice."], "name": "CVE-2021-47139", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47139\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47139\nhttps://lore.kernel.org/linux-cve-announce/2024032557-CVE-2021-47139-994d@gregkh/T"], "threat_severity": "Moderate"}

{}