CVE-2021-47139: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: net: hns3: put off calling register_netdev() until client initialize complete Currently, the netdevice is registered before client initializing complete. So there is a timewindow between netdevice available and usable. In this case, if user try to change the channel number or ring param, it may cause the hns3_set_rx_cpu_rmap() being called twice, and report bug. [47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0 [47199.430340] hns3 0000:35:00.0 eth1: already uninitialized [47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1 [47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1 [47200.163524] ------------[ cut here ]------------ [47200.171674] kernel BUG at lib/cpu_rmap.c:142! [47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge] [47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1 [47200.215601] Hardware name: , xxxxxx 02/04/2021 [47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) [47200.230188] pc : cpu_rmap_add+0x38/0x40 [47200.237472] lr : irq_cpu_rmap_add+0x84/0x140 [47200.243291] sp : ffff800010e93a30 [47200.247295] x29: ffff800010e93a30 x28: ffff082100584880 [47200.254155] x27: 0000000000000000 x26: 0000000000000000 [47200.260712] x25: 0000000000000000 x24: 0000000000000004 [47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0 [47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680 [47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0 [47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0 [47200.293456] x15: fffffc2082990600 x14: dead000000000122 [47200.300059] x13: ffffffffffffffff x12: 000000000000003e [47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000 [47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700 [47200.319682] x7 : 0000000000000000 x6 : 000000000000003f [47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20 [47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80 [47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004 [47200.346058] Call trace: [47200.349324] cpu_rmap_add+0x38/0x40 [47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3] [47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3] [47200.370049] hns3_change_channels+0x40/0xb0 [hns3] [47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3] [47200.383353] ethtool_set_channels+0x140/0x250 [47200.389772] dev_ethtool+0x714/0x23d0 [47200.394440] dev_ioctl+0x4cc/0x640 [47200.399277] sock_do_ioctl+0x100/0x2a0 [47200.404574] sock_ioctl+0x28c/0x470 [47200.409079] __arm64_sys_ioctl+0xb4/0x100 [47200.415217] el0_svc_common.constprop.0+0x84/0x210 [47200.422088] do_el0_svc+0x28/0x34 [47200.426387] el0_svc+0x28/0x70 [47200.431308] el0_sync_handler+0x1a4/0x1b0 [47200.436477] el0_sync+0x174/0x180 [47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000) [47200.448869] ---[ end trace a01efe4ce42e5f34 ]--- The process is like below: excuting hns3_client_init | register_netdev() | hns3_set_channels() | | hns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet() | | | quit without calling function | hns3_free_rx_cpu_rmap for flag | HNS3_NIC_STATE_INITED is unset. | | | hns3_reset_notify_init_enet() | | set HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash Fix it by calling register_netdev() at the end of function hns3_client_init().
AI Analysis
Technical Summary
CVE-2021-47139 is a vulnerability identified in the Linux kernel's hns3 network driver, which is used primarily for managing certain Ethernet network devices, particularly those based on Huawei's HiSilicon network adapters. The issue arises due to the premature registration of the network device (netdevice) before the client initialization process is fully completed. Specifically, the function register_netdev() is called before the client initialization finishes, creating a timing window where the netdevice is available but not fully usable. During this window, if a user attempts to change network parameters such as the channel number or ring parameters, it can trigger the function hns3_set_rx_cpu_rmap() twice. This double invocation leads to a kernel BUG, causing an internal kernel error and a system crash (kernel panic). The root cause is that the network device's state flags are not properly set before the second call, leading to inconsistent internal state and memory handling errors. The vulnerability manifests as a kernel oops and BUG error trace, which can be triggered by standard network management tools like ethtool when adjusting channel settings. The fix involves deferring the call to register_netdev() until after the client initialization is fully complete, ensuring that the device is only registered when it is fully ready and initialized. This prevents the race condition and the subsequent double call to hns3_set_rx_cpu_rmap(), thereby eliminating the crash scenario. This vulnerability affects Linux kernel versions containing the hns3 driver with the described initialization sequence and is relevant to systems using affected Huawei network adapters. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2021-47139 can be significant in environments where affected Huawei HiSilicon network adapters are deployed, especially in data centers, telecommunications infrastructure, or enterprise networks relying on Linux-based systems. The vulnerability leads to kernel crashes, resulting in denial of service (DoS) conditions. This can disrupt network connectivity, degrade service availability, and potentially cause downtime for critical applications and services. Since the issue can be triggered by routine network configuration changes, even legitimate administrative actions could inadvertently cause system instability. The impact on confidentiality and integrity is minimal as the vulnerability does not directly allow code execution or privilege escalation; however, the availability impact is high due to system crashes. Organizations with high availability requirements or those operating critical infrastructure may face operational risks and potential financial losses due to service interruptions. Additionally, recovery from kernel panics may require manual intervention, increasing operational overhead. Given the reliance on Linux in many European industries, including finance, manufacturing, and public sector, the vulnerability poses a tangible risk where affected hardware is in use.
Mitigation Recommendations
To mitigate CVE-2021-47139, European organizations should: 1) Apply the vendor-supplied Linux kernel patches that defer the register_netdev() call until after client initialization completes. This is the definitive fix and should be prioritized. 2) Identify and inventory systems using Huawei HiSilicon network adapters with the hns3 driver to assess exposure. 3) Avoid changing network channel or ring parameters on affected systems until patches are applied, especially using tools like ethtool. 4) Implement monitoring for kernel oops or BUG messages related to hns3 to detect attempted exploitation or accidental triggers. 5) For critical systems, consider temporary network interface isolation or failover configurations to minimize impact during patch deployment. 6) Coordinate with hardware vendors and Linux distribution maintainers to ensure timely updates and backports for long-term support kernels. 7) Educate network administrators about the risk of triggering this vulnerability during routine network tuning operations. These steps go beyond generic advice by focusing on hardware-specific identification, operational controls around network parameter changes, and proactive monitoring for kernel stability issues related to hns3.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
CVE-2021-47139: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net: hns3: put off calling register_netdev() until client initialize complete Currently, the netdevice is registered before client initializing complete. So there is a timewindow between netdevice available and usable. In this case, if user try to change the channel number or ring param, it may cause the hns3_set_rx_cpu_rmap() being called twice, and report bug. [47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0 [47199.430340] hns3 0000:35:00.0 eth1: already uninitialized [47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1 [47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1 [47200.163524] ------------[ cut here ]------------ [47200.171674] kernel BUG at lib/cpu_rmap.c:142! [47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge] [47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1 [47200.215601] Hardware name: , xxxxxx 02/04/2021 [47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) [47200.230188] pc : cpu_rmap_add+0x38/0x40 [47200.237472] lr : irq_cpu_rmap_add+0x84/0x140 [47200.243291] sp : ffff800010e93a30 [47200.247295] x29: ffff800010e93a30 x28: ffff082100584880 [47200.254155] x27: 0000000000000000 x26: 0000000000000000 [47200.260712] x25: 0000000000000000 x24: 0000000000000004 [47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0 [47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680 [47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0 [47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0 [47200.293456] x15: fffffc2082990600 x14: dead000000000122 [47200.300059] x13: ffffffffffffffff x12: 000000000000003e [47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000 [47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700 [47200.319682] x7 : 0000000000000000 x6 : 000000000000003f [47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20 [47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80 [47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004 [47200.346058] Call trace: [47200.349324] cpu_rmap_add+0x38/0x40 [47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3] [47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3] [47200.370049] hns3_change_channels+0x40/0xb0 [hns3] [47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3] [47200.383353] ethtool_set_channels+0x140/0x250 [47200.389772] dev_ethtool+0x714/0x23d0 [47200.394440] dev_ioctl+0x4cc/0x640 [47200.399277] sock_do_ioctl+0x100/0x2a0 [47200.404574] sock_ioctl+0x28c/0x470 [47200.409079] __arm64_sys_ioctl+0xb4/0x100 [47200.415217] el0_svc_common.constprop.0+0x84/0x210 [47200.422088] do_el0_svc+0x28/0x34 [47200.426387] el0_svc+0x28/0x70 [47200.431308] el0_sync_handler+0x1a4/0x1b0 [47200.436477] el0_sync+0x174/0x180 [47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000) [47200.448869] ---[ end trace a01efe4ce42e5f34 ]--- The process is like below: excuting hns3_client_init | register_netdev() | hns3_set_channels() | | hns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet() | | | quit without calling function | hns3_free_rx_cpu_rmap for flag | HNS3_NIC_STATE_INITED is unset. | | | hns3_reset_notify_init_enet() | | set HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash Fix it by calling register_netdev() at the end of function hns3_client_init().
AI-Powered Analysis
Technical Analysis
CVE-2021-47139 is a vulnerability identified in the Linux kernel's hns3 network driver, which is used primarily for managing certain Ethernet network devices, particularly those based on Huawei's HiSilicon network adapters. The issue arises due to the premature registration of the network device (netdevice) before the client initialization process is fully completed. Specifically, the function register_netdev() is called before the client initialization finishes, creating a timing window where the netdevice is available but not fully usable. During this window, if a user attempts to change network parameters such as the channel number or ring parameters, it can trigger the function hns3_set_rx_cpu_rmap() twice. This double invocation leads to a kernel BUG, causing an internal kernel error and a system crash (kernel panic). The root cause is that the network device's state flags are not properly set before the second call, leading to inconsistent internal state and memory handling errors. The vulnerability manifests as a kernel oops and BUG error trace, which can be triggered by standard network management tools like ethtool when adjusting channel settings. The fix involves deferring the call to register_netdev() until after the client initialization is fully complete, ensuring that the device is only registered when it is fully ready and initialized. This prevents the race condition and the subsequent double call to hns3_set_rx_cpu_rmap(), thereby eliminating the crash scenario. This vulnerability affects Linux kernel versions containing the hns3 driver with the described initialization sequence and is relevant to systems using affected Huawei network adapters. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2021-47139 can be significant in environments where affected Huawei HiSilicon network adapters are deployed, especially in data centers, telecommunications infrastructure, or enterprise networks relying on Linux-based systems. The vulnerability leads to kernel crashes, resulting in denial of service (DoS) conditions. This can disrupt network connectivity, degrade service availability, and potentially cause downtime for critical applications and services. Since the issue can be triggered by routine network configuration changes, even legitimate administrative actions could inadvertently cause system instability. The impact on confidentiality and integrity is minimal as the vulnerability does not directly allow code execution or privilege escalation; however, the availability impact is high due to system crashes. Organizations with high availability requirements or those operating critical infrastructure may face operational risks and potential financial losses due to service interruptions. Additionally, recovery from kernel panics may require manual intervention, increasing operational overhead. Given the reliance on Linux in many European industries, including finance, manufacturing, and public sector, the vulnerability poses a tangible risk where affected hardware is in use.
Mitigation Recommendations
To mitigate CVE-2021-47139, European organizations should: 1) Apply the vendor-supplied Linux kernel patches that defer the register_netdev() call until after client initialization completes. This is the definitive fix and should be prioritized. 2) Identify and inventory systems using Huawei HiSilicon network adapters with the hns3 driver to assess exposure. 3) Avoid changing network channel or ring parameters on affected systems until patches are applied, especially using tools like ethtool. 4) Implement monitoring for kernel oops or BUG messages related to hns3 to detect attempted exploitation or accidental triggers. 5) For critical systems, consider temporary network interface isolation or failover configurations to minimize impact during patch deployment. 6) Coordinate with hardware vendors and Linux distribution maintainers to ensure timely updates and backports for long-term support kernels. 7) Educate network administrators about the risk of triggering this vulnerability during routine network tuning operations. These steps go beyond generic advice by focusing on hardware-specific identification, operational controls around network parameter changes, and proactive monitoring for kernel stability issues related to hns3.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-03-04T18:12:48.841Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9834c4522896dcbe9e66
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/26/2025, 7:50:28 PM
Last updated: 8/1/2025, 7:20:32 PM
Views: 13
Related Threats
CVE-2025-50610: n/a
HighCVE-2025-50609: n/a
HighCVE-2025-50608: n/a
HighCVE-2025-55194: CWE-248: Uncaught Exception in Part-DB Part-DB-server
MediumCVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.