CVE-2021-47127: Vulnerability in Linux Linux

High
Published: Fri Mar 15 2024 (03/15/2024, 20:14:31 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ice: track AF_XDP ZC enabled queues in bitmap

Commit c7a219048e45 ("ice: Remove xsk_buff_pool from VSI structure") silently introduced a regression and broke the Tx side of AF_XDP in copy mode. xsk_pool on ice_ring is set only based on the existence of the XDP prog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed. That is not something that should happen for copy mode as it should use the regular data path ice_clean_tx_irq.

This results in a following splat when xdpsock is run in txonly or l2fwd scenarios in copy mode:

<snip>
[ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 106.057269] #PF: supervisor read access in kernel mode
[ 106.062493] #PF: error_code(0x0000) - not-present page
[ 106.067709] PGD 0 P4D 0
[ 106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45
[ 106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50
[ 106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c <48> 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00
[ 106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206
[ 106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800
[ 106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800
[ 106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800
[ 106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff
[ 106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018
[ 106.157117] FS: 0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000
[ 106.165332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0
[ 106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 106.192898] PKRU: 55555554
[ 106.195653] Call Trace:
[ 106.198143] <IRQ>
[ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice]
[ 106.205087] ice_napi_poll+0x3e/0x590 [ice]
[ 106.209356] __napi_poll+0x2a/0x160
[ 106.212911] net_rx_action+0xd6/0x200
[ 106.216634] __do_softirq+0xbf/0x29b
[ 106.220274] irq_exit_rcu+0x88/0xc0
[ 106.223819] common_interrupt+0x7b/0xa0
[ 106.227719] </IRQ>
[ 106.229857] asm_common_interrupt+0x1e/0x40
</snip>

Fix this by introducing the bitmap of queues that are zero-copy enabled, where each bit, corresponding to a queue id that xsk pool is being configured on, will be set/cleared within ice_xsk_pool_{en,dis}able and checked within ice_xsk_pool(). The latter is a function used for deciding which napi poll routine is executed. Idea is being taken from our other drivers such as i40e and ixgbe.

AI-Powered Analysis

Last updated: 06/30/2025, 22:12:22 UTC

Technical Analysis

CVE-2021-47127 is a vulnerability in the Linux kernel's 'ice' network driver, which is used for Intel Ethernet controllers. It stems from a regression introduced by commit c7a219048e45 ("ice: Remove xsk_buff_pool from VSI structure"), after which the driver no longer tracked which queues have AF_XDP zero-copy (ZC) enabled. The driver sets xsk_pool on the ice_ring based solely on the presence of an XDP program on the VSI (Virtual Station Interface), which selects the zero-copy Tx cleanup routine (ice_clean_tx_irq_zc). In copy mode this routine should not run; the regular data path cleanup (ice_clean_tx_irq) should be used instead. The result is a NULL pointer dereference when xdpsock runs in the txonly or l2fwd scenarios in copy mode, causing a kernel oops and a potential denial of service.

The fix introduces a bitmap of zero-copy enabled queues: the bit for a queue id is set or cleared in ice_xsk_pool_{en,dis}able and checked in ice_xsk_pool(), the function that decides which napi poll routine is executed. The same approach is used in other Intel drivers such as i40e and ixgbe. Kernels that contain the problematic commit without the fix are affected and can crash when AF_XDP sockets are used in copy mode with the ice driver.
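The routine selection described above, as an added user-space model (not code from this page or from the ice driver): it contrasts the pre-fix choice of Tx cleanup routine with the bitmap-gated choice. The struct, enum and model_* names are hypothetical; only the driver routine names mentioned in comments come from the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAX_QUEUES 64u

/* Hypothetical user-space stand-in for the VSI; not the driver's struct. */
struct model_vsi {
    bool xdp_prog;    /* an XDP program is attached to the VSI */
    uint64_t zc_qps;  /* the fix: bit N set => queue N has a zero-copy pool */
};

enum tx_clean { TX_CLEAN_REGULAR, TX_CLEAN_ZC };

/* What ice_xsk_pool_{en,dis}able do to the bitmap, per the description. */
int model_pool_set(struct model_vsi *v, unsigned qid, bool enable)
{
    if (qid >= MODEL_MAX_QUEUES)
        return -1;                        /* reject out-of-range queue ids */
    if (enable)
        v->zc_qps |= UINT64_C(1) << qid;
    else
        v->zc_qps &= ~(UINT64_C(1) << qid);
    return 0;
}

/* Before the fix: an attached XDP program alone selects the ZC routine. */
enum tx_clean model_pick_before(const struct model_vsi *v, unsigned qid)
{
    (void)qid;                            /* the queue id played no part */
    return v->xdp_prog ? TX_CLEAN_ZC : TX_CLEAN_REGULAR;
}

/* After the fix: the queue's bit in the bitmap must be set as well. */
enum tx_clean model_pick_after(const struct model_vsi *v, unsigned qid)
{
    if (!v->xdp_prog || qid >= MODEL_MAX_QUEUES)
        return TX_CLEAN_REGULAR;
    return ((v->zc_qps >> qid) & 1) ? TX_CLEAN_ZC : TX_CLEAN_REGULAR;
}

int main(void)
{
    struct model_vsi v = { .xdp_prog = true, .zc_qps = 0 };
    model_pool_set(&v, 5, true);  /* queue 5 is zero-copy, queue 3 is copy mode */
    printf("q3 before=%d after=%d\n", model_pick_before(&v, 3), model_pick_after(&v, 3));
    printf("q5 before=%d after=%d\n", model_pick_before(&v, 5), model_pick_after(&v, 5));
    return 0;
}
```

Queue 3 is the copy-mode case from the description: the pre-fix logic sends it to the zero-copy cleanup, while the bitmap check keeps it on the regular data path.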

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems using Intel Ethernet hardware supported by the ice driver and running Linux kernels with the vulnerable commit. The impact is a potential denial of service: a kernel crash triggered by AF_XDP socket usage in copy mode (the description names the xdpsock txonly and l2fwd scenarios). This can disrupt network services, degrade system availability, and impact critical infrastructure relying on high-performance packet processing, such as telecom providers, cloud service operators, and data centers. Since AF_XDP is used for high-speed packet processing in user space, environments leveraging this for network acceleration or custom packet handling are particularly at risk. The vulnerability does not appear to allow privilege escalation or remote code execution directly but can cause system instability and service interruptions. European organizations with Linux-based network infrastructure, especially those using Intel NICs with the ice driver and employing AF_XDP for packet processing, should consider this a significant reliability and availability concern.

Mitigation Recommendations

Organizations should ensure their Linux kernels are updated to versions that include the fix for CVE-2021-47127. Specifically, they should apply patches that introduce the bitmap tracking of zero-copy enabled queues in the ice driver to prevent the NULL pointer dereference. Kernel upgrades should be tested in staging environments to verify stability, especially in systems utilizing AF_XDP sockets in copy mode. If immediate patching is not feasible, disabling or avoiding the use of AF_XDP in copy mode on affected systems can mitigate the risk of triggering the vulnerability. Network administrators should monitor kernel logs for oops or crashes related to the ice driver and AF_XDP usage. Additionally, reviewing and limiting the use of experimental or less common packet processing modes (like AF_XDP copy mode) can reduce exposure. Coordination with hardware vendors and Linux distribution maintainers for timely updates is critical. Implementing robust kernel crash recovery and failover mechanisms will also help maintain service continuity in case of exploitation.
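One way to check kernel logs for this splat, as an added example rather than a tool from this page: it flags a NULL pointer dereference whose call trace passes through ice_clean_tx_irq_zc and records the faulting RIP symbol. The struct and function names are hypothetical, the input is assumed to hold a single oops, and the sample lines are copied from the description except the first, which is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct oops_verdict {
    bool null_deref;      /* "BUG: kernel NULL pointer dereference" seen */
    bool ice_zc_tx_path;  /* ice_clean_tx_irq_zc found in the call trace */
    char rip_symbol[64];  /* faulting symbol from the RIP line */
};

/* First line is constructed; the rest are copied from the splat above. */
static const char *const sample_log[] = {
    "[ 105.000000] example: unrelated kernel message",
    "[ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030",
    "[ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50",
    "[ 106.195653] Call Trace:",
    "[ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice]",
};

struct oops_verdict scan_oops(const char *const *lines, size_t n) {
    struct oops_verdict v = { false, false, "" };
    bool in_trace = false;
    for (size_t i = 0; i < n; i++) {
        const char *rip = strstr(lines[i], "RIP: 0010:");
        if (strstr(lines[i], "BUG: kernel NULL pointer dereference")) {
            v.null_deref = true;
        } else if (rip && !v.rip_symbol[0]) {
            rip += strlen("RIP: 0010:");
            size_t len = strcspn(rip, "+ ");   /* symbol ends at "+offset" */
            if (len >= sizeof v.rip_symbol) len = sizeof v.rip_symbol - 1;
            memcpy(v.rip_symbol, rip, len);    /* rest of buffer is already zero */
        } else if (strstr(lines[i], "Call Trace:")) {
            in_trace = true;
        } else if (in_trace && strstr(lines[i], "ice_clean_tx_irq_zc+")) {
            v.ice_zc_tx_path = true;
        }
    }
    return v;
}

/* This CVE's splat: a NULL dereference reached through the ZC Tx cleanup. */
bool matches_ice_zc_splat(const struct oops_verdict *v) {
    return v->null_deref && v->ice_zc_tx_path;
}

int main(void) {
    struct oops_verdict v = scan_oops(sample_log, sizeof sample_log / sizeof *sample_log);
    printf("match=%d rip=%s\n", matches_ice_zc_splat(&v), v.rip_symbol);
    return 0;
}
```

A match is an indicator to correlate with the running kernel version and AF_XDP usage on the host, not proof on its own.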


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-03-04T18:12:48.839Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9df6

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 10:12:22 PM

Last updated: 8/8/2025, 10:41:33 AM
