CVE-2021-47197: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()

Prior to this patch, in case mlx5_core_destroy_cq() failed, it proceeded to the rest of the destroy operations. mlx5_core_destroy_cq() could be called again by the user and cause an additional call of mlx5_debug_cq_remove(). cq->dbg was not nullified in the previous call, which caused the crash.

Fix it by nullifying the cq->dbg pointer after removal. Also proceed to destroy operations only if FW returns 0 for the MLX5_CMD_OP_DESTROY_CQ command.

general protection fault, probably for non-canonical address 0x2000300004058: 0000 [#1] SMP PTI
CPU: 5 PID: 1228 Comm: python Not tainted 5.15.0-rc5_for_upstream_min_debug_2021_10_14_11_06 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:lockref_get+0x1/0x60
Code: 5d e9 53 ff ff ff 48 8d 7f 70 e8 0a 2e 48 00 c7 85 d0 00 00 00 02 00 00 00 c6 45 70 00 fb 5d c3 c3 cc cc cc cc cc cc cc cc 53 <48> 8b 17 48 89 fb 85 d2 75 3d 48 89 d0 bf 64 00 00 00 48 89 c1 48
RSP: 0018:ffff888137dd7a38 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff888107d5f458 RCX: 00000000fffffffe
RDX: 000000000002c2b0 RSI: ffffffff8155e2e0 RDI: 0002000300004058
RBP: ffff888137dd7a88 R08: 0002000300004058 R09: ffff8881144a9f88
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881141d4000
R13: ffff888137dd7c68 R14: ffff888137dd7d58 R15: ffff888137dd7cc0
FS: 00007f4644f2a4c0(0000) GS:ffff8887a2d40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b4500f4380 CR3: 0000000114f7a003 CR4: 0000000000170ea0
Call Trace:
 simple_recursive_removal+0x33/0x2e0
 ? debugfs_remove+0x60/0x60
 debugfs_remove+0x40/0x60
 mlx5_debug_cq_remove+0x32/0x70 [mlx5_core]
 mlx5_core_destroy_cq+0x41/0x1d0 [mlx5_core]
 devx_obj_cleanup+0x151/0x330 [mlx5_ib]
 ? __pollwait+0xd0/0xd0
 ? xas_load+0x5/0x70
 ? xa_load+0x62/0xa0
 destroy_hw_idr_uobject+0x20/0x80 [ib_uverbs]
 uverbs_destroy_uobject+0x3b/0x360 [ib_uverbs]
 uobj_destroy+0x54/0xa0 [ib_uverbs]
 ib_uverbs_cmd_verbs+0xaf2/0x1160 [ib_uverbs]
 ? uverbs_finalize_object+0xd0/0xd0 [ib_uverbs]
 ib_uverbs_ioctl+0xc4/0x1b0 [ib_uverbs]
 __x64_sys_ioctl+0x3e4/0x8e0
AI Analysis
Technical Summary
CVE-2021-47197 is a vulnerability in the Linux kernel's Mellanox mlx5_core driver, which manages Mellanox network interface cards (NICs). The issue lies in completion queue (CQ) teardown, in how mlx5_core_destroy_cq() uses mlx5_debug_cq_remove(). Prior to the patch, if mlx5_core_destroy_cq() failed while destroying a CQ, the code continued with the subsequent destroy operations and never nullified the cq->dbg pointer. A user could then call mlx5_core_destroy_cq() again, which led to an additional call to mlx5_debug_cq_remove() with a stale cq->dbg pointer. Removing the already-removed debug state through that stale pointer is a use-after-free condition: the kernel crashes with a general protection fault, resulting in a denial of service (DoS) on the affected system.

The root cause is that the mlx5_core driver did not check the firmware return status for the MLX5_CMD_OP_DESTROY_CQ command before proceeding with destroy operations. The fix nullifies the cq->dbg pointer immediately after its removal and ensures that destroy operations proceed only if the firmware returns success (0) for the destroy command.

The vulnerability affects Linux kernel versions prior to the patch and is triggered by specific sequences of user-space interactions with the mlx5 driver, such as through the ib_uverbs interface used for InfiniBand verbs. It can cause system instability and crashes in environments using Mellanox NICs with affected kernel versions. The crash log shows a general protection fault on a non-canonical address, raised in lockref_get() under debugfs_remove(), which can disrupt network operations and services relying on these network interfaces.

While no known exploits are reported in the wild, the vulnerability could be leveraged by a local attacker with the ability to interact with the mlx5 driver to cause denial of service or potentially escalate privileges through kernel crashes and recovery mechanisms.
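The failure sequence and the two halves of the fix can be reproduced with a small user-space model. This is an added example, not the kernel's code or the upstream patch: the struct layouts, the `live` flag, the `struct fix` switches, and the assumption that the pre-fix path tears down debug state before issuing the firmware command are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model only. `live` stands in for the debugfs tree behind
 * cq->dbg, so a stale removal can be counted instead of crashing. */
struct dbg_tree { int live; };
struct cq {
    struct dbg_tree *dbg;   /* models cq->dbg */
    int fw_failures_left;   /* constructed: DESTROY_CQ commands firmware rejects */
    int stale_removals;     /* removals attempted on an already-removed tree */
};
struct fix { int nullify_dbg, gate_on_fw; };  /* the two halves of the fix */

/* Models the MLX5_CMD_OP_DESTROY_CQ firmware command; nonzero means failure. */
static int fw_destroy_cq(struct cq *cq) {
    if (cq->fw_failures_left > 0) { cq->fw_failures_left--; return -1; }
    return 0;
}

/* Models mlx5_debug_cq_remove(). */
static void debug_cq_remove(struct cq *cq, struct fix f) {
    if (!cq->dbg) return;
    if (!cq->dbg->live) cq->stale_removals++;  /* the kernel would fault here */
    cq->dbg->live = 0;
    if (f.nullify_dbg) cq->dbg = NULL;         /* fix, part 1 */
}

/* Models mlx5_core_destroy_cq(). Assumed pre-fix order: teardown, then firmware. */
static int destroy_cq(struct cq *cq, struct fix f) {
    if (!f.gate_on_fw) { debug_cq_remove(cq, f); return fw_destroy_cq(cq); }
    int err = fw_destroy_cq(cq);
    if (err) return err;                       /* fix, part 2: stop on FW error */
    debug_cq_remove(cq, f);
    return 0;
}

/* The caller retries destroy until firmware accepts it; returns stale removals. */
int stale_removals_on_retry(struct fix f, int fw_failures) {
    struct dbg_tree tree = { 1 };
    struct cq cq = { &tree, fw_failures, 0 };
    while (destroy_cq(&cq, f) != 0) { }
    return cq.stale_removals;
}

int main(void) {
    printf("unpatched=%d patched=%d\n",
           stale_removals_on_retry((struct fix){0, 0}, 1),
           stale_removals_on_retry((struct fix){1, 1}, 1));
    return 0;
}
```

In this model either half of the fix alone already prevents the stale removal for this retry sequence; the patch applies both.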
Potential Impact
For European organizations, especially those operating data centers, cloud infrastructure, or high-performance computing environments that utilize Mellanox network hardware and Linux-based systems, this vulnerability poses a risk of service disruption due to kernel crashes. The impact includes potential denial of service conditions affecting network connectivity and availability of critical applications. Organizations relying on Infiniband or RDMA technologies for low-latency, high-throughput networking are particularly vulnerable. Disruptions could affect financial institutions, research centers, telecommunications providers, and cloud service operators across Europe. Additionally, the instability could lead to increased operational costs due to downtime and recovery efforts. Although no direct evidence of exploitation exists, the vulnerability's nature means that attackers with local access could intentionally trigger crashes, impacting system reliability and potentially leading to broader security concerns if combined with other vulnerabilities.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions to incorporate the fix that nullifies the cq->dbg pointer and properly checks firmware return codes during CQ destruction. Specifically, updating to the latest stable kernel releases that include this patch is critical. For environments where immediate patching is not feasible, organizations should restrict access to interfaces that can invoke mlx5_core_destroy_cq(), such as limiting user-space permissions for ib_uverbs and related device files. Monitoring kernel logs for signs of mlx5 driver crashes or general protection faults can help detect attempted exploitation or instability. Network administrators should also verify firmware versions on Mellanox devices and update them if necessary to ensure compatibility with patched drivers. Implementing strict access controls and isolating critical systems using Mellanox hardware can reduce the attack surface. Finally, organizations should engage with their hardware vendors and Linux distribution maintainers to receive timely updates and advisories.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Switzerland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-25T09:12:14.116Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde094
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 4:56:58 AM
Last updated: 8/12/2025, 6:44:32 PM