{"id":"CVE-2021-47557","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_ets: don't peek at classes beyond 'nbands'\n\nwhen the number of DRR classes decreases, the round-robin active list can\ncontain elements that have already been freed in ets_qdisc_change(). As a\nconsequence, it's possible to see a NULL dereference crash, caused by the\nattempt to call cl-\u003eqdisc-\u003eops-\u003epeek(cl-\u003eqdisc) when cl-\u003eqdisc is NULL:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 910 Comm: mausezahn Not tainted 5.16.0-rc1+ #475\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n RIP: 0010:ets_qdisc_dequeue+0x129/0x2c0 [sch_ets]\n Code: c5 01 41 39 ad e4 02 00 00 0f 87 18 ff ff ff 49 8b 85 c0 02 00 00 49 39 c4 0f 84 ba 00 00 00 49 8b ad c0 02 00 00 48 8b 7d 10 \u003c48\u003e 8b 47 18 48 8b 40 38 0f ae e8 ff d0 48 89 c3 48 85 c0 0f 84 9d\n RSP: 0000:ffffbb36c0b5fdd8 EFLAGS: 00010287\n RAX: ffff956678efed30 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: ffffffff9b938dc9 RDI: 0000000000000000\n RBP: ffff956678efed30 R08: e2f3207fe360129c R09: 0000000000000000\n R10: 0000000000000001 R11: 0000000000000001 R12: ffff956678efeac0\n R13: ffff956678efe800 R14: ffff956611545000 R15: ffff95667ac8f100\n FS:  00007f2aa9120740(0000) GS:ffff95667b800000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000018 CR3: 000000011070c000 CR4: 0000000000350ee0\n Call Trace:\n  \u003cTASK\u003e\n  qdisc_peek_dequeued+0x29/0x70 [sch_ets]\n  tbf_dequeue+0x22/0x260 [sch_tbf]\n  __qdisc_run+0x7f/0x630\n  net_tx_action+0x290/0x4c0\n  __do_softirq+0xee/0x4f8\n  irq_exit_rcu+0xf4/0x130\n  sysvec_apic_timer_interrupt+0x52/0xc0\n  asm_sysvec_apic_timer_interrupt+0x12/0x20\n RIP: 0033:0x7f2aa7fc9ad4\n Code: b9 ff ff 48 8b 54 24 18 48 83 c4 08 48 89 ee 48 89 df 5b 5d e9 ed fc ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa \u003c53\u003e 48 83 ec 10 48 8b 05 10 64 33 00 48 8b 00 48 85 c0 0f 85 84 00\n RSP: 002b:00007ffe5d33fab8 EFLAGS: 00000202\n RAX: 0000000000000002 RBX: 0000561f72c31460 RCX: 0000561f72c31720\n RDX: 0000000000000002 RSI: 0000561f72c31722 RDI: 0000561f72c31720\n RBP: 000000000000002a R08: 00007ffe5d33fa40 R09: 0000000000000014\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000561f7187e380\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000561f72c31460\n  \u003c/TASK\u003e\n Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt intel_rapl_msr iTCO_vendor_support intel_rapl_common joydev virtio_balloon lpc_ich i2c_i801 i2c_smbus pcspkr ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel ahci libahci ghash_clmulni_intel serio_raw libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod\n CR2: 0000000000000018\n\nEnsuring that 'alist' was never zeroed [1] was not sufficient, we need to\nremove from the active list those elements that are no more SP nor DRR.\n\n[1] https://lore.kernel.org/netdev/60d274838bf09777f0371253416e8af71360bc08.1633609148.git.dcaratti@redhat.com/\n\nv3: fix race between ets_qdisc_change() and ets_qdisc_dequeue() delisting\n    DRR classes beyond 'nbands' in ets_qdisc_change() with the qdisc lock\n    acquired, thanks to Cong Wang.\n\nv2: when a NULL qdisc is found in the DRR active list, try to dequeue skb\n    from the next list item.","modified":"2026-04-03T13:14:51.202021Z","published":"2024-05-24T15:15:20.393Z","related":["SUSE-SU-2024:2008-1","SUSE-SU-2024:2010-1","SUSE-SU-2024:2019-1","SUSE-SU-2024:2185-1","SUSE-SU-2024:2190-1","SUSE-SU-2025:02264-1","SUSE-SU-2025:02321-1","SUSE-SU-2025:02322-1","SUSE-SU-2025:02537-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/de6d25924c2a8c2988c6a385990cafbe742061bf"},{"type":"FIX","url":"https://git.kernel.org/stable/c/e25bdbc7e951ae5728fee1f4c09485df113d013c"},{"type":"FIX","url":"https://git.kernel.org/stable/c/ae2659d2c670252759ee9c823c4e039c0e05a6f2"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"5.6"},{"fixed":"5.10.83"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.15.6"}]},{"events":[{"introduced":"0"},{"last_affected":"5.16-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.16-rc2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47557.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}