VDB

CISA-2021-47555

CISA-2021-47555 PUBLISHED CVSS 4.4 MEDIUM

Reported by Linux · Published May 24, 2024

In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix underflow for the real_dev refcnt Inject error before dev_hold(real_dev) in register_vlan_dev(), and execute the following testcase: ip link add dev dummy1 type dummy ip link add name dummy1.100 link dummy1 type vlan id 100 ip link del dev dummy1 When the dummy netdevice is removed, we will get a WARNING as following: ======================================================================= refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 and an endless loop of: ======================================================================= unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824 That is because dev_put(real_dev) in vlan_dev_free() be called without dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev underflow. Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev symmetrical.

Risk Scores

CVSS 3.1
4.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Affected Products

VendorProductVersions
LinuxLinux700602b662d7eaa816b1a3cb0abe7a85de358fd4, e04a7a84bb77f9cdf4475340fe931389bc72331c, 21032425c36ff85f16e72ca92193a8c401e4acd5
LinuxLinux5.4.160, 5.10.80, 5.15.3
LinuxLinux*, e04a7a84bb77f9cdf4475340fe931389bc72331c, 21032425c36ff85f16e72ca92193a8c401e4acd5
linuxlinux_kernel5.15.3, 5.14.19, 5.4.160

Timeline

  • May 24, 2024 CVE Published
  • May 4, 2025 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›