{"id":"CVE-2021-47399","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup\n\nThe ixgbe driver currently generates a NULL pointer dereference with\nsome machine (online cpus \u003c 63). This is due to the fact that the\nmaximum value of num_xdp_queues is nr_cpu_ids. Code is in\n\"ixgbe_set_rss_queues\"\".\n\nHere's how the problem repeats itself:\nSome machine (online cpus \u003c 63), And user set num_queues to 63 through\nethtool. Code is in the \"ixgbe_set_channels\",\n\tadapter-\u003ering_feature[RING_F_FDIR].limit = count;\n\nIt becomes 63.\n\nWhen user use xdp, \"ixgbe_set_rss_queues\" will set queues num.\n\tadapter-\u003enum_rx_queues = rss_i;\n\tadapter-\u003enum_tx_queues = rss_i;\n\tadapter-\u003enum_xdp_queues = ixgbe_xdp_queues(adapter);\n\nAnd rss_i's value is from\n\tf = &adapter-\u003ering_feature[RING_F_FDIR];\n\trss_i = f-\u003eindices = f-\u003elimit;\n\nSo \"num_rx_queues\" \u003e \"num_xdp_queues\", when run to \"ixgbe_xdp_setup\",\n\tfor (i = 0; i \u003c adapter-\u003enum_rx_queues; i++)\n\t\tif (adapter-\u003exdp_ring[i]-\u003exsk_umem)\n\nIt leads to panic.\n\nCall trace:\n[exception RIP: ixgbe_xdp+368]\nRIP: ffffffffc02a76a0  RSP: ffff9fe16202f8d0  RFLAGS: 00010297\nRAX: 0000000000000000  RBX: 0000000000000020  RCX: 0000000000000000\nRDX: 0000000000000000  RSI: 000000000000001c  RDI: ffffffffa94ead90\nRBP: ffff92f8f24c0c18   R8: 0000000000000000   R9: 0000000000000000\nR10: ffff9fe16202f830  R11: 0000000000000000  R12: ffff92f8f24c0000\nR13: ffff9fe16202fc01  R14: 000000000000000a  R15: ffffffffc02a7530\nORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n 7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc\n 8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808\n 9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235\n10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384\n11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd\n12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb\n13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88\n14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319\n15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290\n16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8\n17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64\n18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9\n19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c\n\nSo I fix ixgbe_max_channels so that it will not allow a setting of queues\nto be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup,\ntake the smaller value of num_rx_queues and num_xdp_queues.","modified":"2026-03-15T22:43:12.752772Z","published":"2024-05-21T15:15:25.360Z","related":["SUSE-SU-2024:2008-1","SUSE-SU-2024:2010-1","SUSE-SU-2024:2011-1","SUSE-SU-2024:2019-1","SUSE-SU-2024:2183-1","SUSE-SU-2024:2185-1","SUSE-SU-2024:2189-1","SUSE-SU-2024:2190-1","SUSE-SU-2024:2892-1","SUSE-SU-2024:2901-1","SUSE-SU-2024:2940-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/20f6c4a31a525edd9ea6243712b868ba0e4e331e"},{"type":"FIX","url":"https://git.kernel.org/stable/c/2744341dd52e935344ca1b4bf189ba0d182a3e8e"},{"type":"FIX","url":"https://git.kernel.org/stable/c/513e605d7a9ce136886cb42ebb2c40e9a6eb6333"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47399.json","unresolved_ranges":[{"events":[{"introduced":"5.0"},{"fixed":"5.10.71"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.14.10"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc3"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}