CVE-2021-47392

{"id": "CVE-2021-47392", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-21T15:15:24.553", "references": [{"url": "https://git.kernel.org/stable/c/3f4e68902d2e545033c80d7ad62fd9a439e573f4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ca465e1f1f9b38fe916a36f7d80c5d25f2337c81", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e56a5146ef8cb51cd7c9e748267dce7564448a35", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3f4e68902d2e545033c80d7ad62fd9a439e573f4", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/ca465e1f1f9b38fe916a36f7d80c5d25f2337c81", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/e56a5146ef8cb51cd7c9e748267dce7564448a35", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure\n\nIf cma_listen_on_all() fails it leaves the per-device ID still on the\nlisten_list but the state is not set to RDMA_CM_ADDR_BOUND.\n\nWhen the cmid is eventually destroyed cma_cancel_listens() is not called\ndue to the wrong state, however the per-device IDs are still holding the\nrefcount preventing the ID from being destroyed, thus deadlocking:\n\n task:rping state:D stack: 0 pid:19605 ppid: 47036 flags:0x00000084\n Call Trace:\n __schedule+0x29a/0x780\n ? free_unref_page_commit+0x9b/0x110\n schedule+0x3c/0xa0\n schedule_timeout+0x215/0x2b0\n ? __flush_work+0x19e/0x1e0\n wait_for_completion+0x8d/0xf0\n _destroy_id+0x144/0x210 [rdma_cm]\n ucma_close_id+0x2b/0x40 [rdma_ucm]\n __destroy_id+0x93/0x2c0 [rdma_ucm]\n ? __xa_erase+0x4a/0xa0\n ucma_destroy_id+0x9a/0x120 [rdma_ucm]\n ucma_write+0xb8/0x130 [rdma_ucm]\n vfs_write+0xb4/0x250\n ksys_write+0xb5/0xd0\n ? syscall_trace_enter.isra.19+0x123/0x190\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nEnsure that cma_listen_on_all() atomically unwinds its action under the\nlock during error."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/cma: corrige la fuga del oyente en el fallo de rdma_cma_listen_on_all(). Si cma_listen_on_all() falla, deja el ID por dispositivo todav\u00eda en la lista de escucha, pero el estado no est\u00e1 configurado en RDMA_CM_ADDR_BOUND. Cuando el cmid finalmente se destruye, no se llama a cma_cancel_listens() debido a un estado incorrecto; sin embargo, los ID por dispositivo a\u00fan mantienen el refcount evitando que el ID se destruya, lo que genera un punto muerto: tarea:rping estado:D pila: 0 pid: 19605 ppid: 47036 banderas: 0x00000084 Seguimiento de llamadas: __schedule+0x29a/0x780? free_unref_page_commit+0x9b/0x110 Schedule+0x3c/0xa0 Schedule_timeout+0x215/0x2b0? __flush_work+0x19e/0x1e0 wait_for_completion+0x8d/0xf0 _destroy_id+0x144/0x210 [rdma_cm] ucma_close_id+0x2b/0x40 [rdma_ucm] __destroy_id+0x93/0x2c0 [rdma_ucm] ? __xa_erase+0x4a/0xa0 ucma_destroy_id+0x9a/0x120 [rdma_ucm] ucma_write+0xb8/0x130 [rdma_ucm] vfs_write+0xb4/0x250 ksys_write+0xb5/0xd0 ? syscall_trace_enter.isra.19+0x123/0x190 do_syscall_64+0x33/0x40 Entry_SYSCALL_64_after_hwframe+0x44/0xa9 Aseg\u00farese de que cma_listen_on_all() desenrolle at\u00f3micamente su acci\u00f3n bajo el bloqueo durante el error."}], "lastModified": "2025-09-23T20:16:25.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "61FD4853-88D4-416E-BCAE-A2480A00F689", "versionEndExcluding": "5.10.71", "versionStartIncluding": "5.10.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A437B0D-8305-4C72-B691-D26986A126CF", "versionEndExcluding": "5.14.10", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E46C74C6-B76B-4C94-A6A4-FD2FFF62D644"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60134C3A-06E4-48C1-B04F-2903732A4E56"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0460DA88-8FE1-46A2-9DDA-1F1ABA552E71"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}