CVE-2021-47197: net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()
Prior to this patch in case mlx5_core_destroy_cq() failed it proceeds
to rest of destroy operations. mlx5_core_destroy_cq() could be called again
by user and cause additional call of mlx5_debug_cq_remove().
cq->dbg was not nullify in previous call and cause the crash.
Fix it by nullify cq->dbg pointer after removal.
Also proceed to destroy operations only if FW return 0
for MLX5_CMD_OP_DESTROY_CQ command.
general protection fault, probably for non-canonical address 0x2000300004058: 0000 [#1] SMP PTI
CPU: 5 PID: 1228 Comm: python Not tainted 5.15.0-rc5_for_upstream_min_debug_2021_10_14_11_06 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:lockref_get+0x1/0x60
Code: 5d e9 53 ff ff ff 48 8d 7f 70 e8 0a 2e 48 00 c7 85 d0 00 00 00 02
00 00 00 c6 45 70 00 fb 5d c3 c3 cc cc cc cc cc cc cc cc 53 <48> 8b 17
48 89 fb 85 d2 75 3d 48 89 d0 bf 64 00 00 00 48 89 c1 48
RSP: 0018:ffff888137dd7a38 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff888107d5f458 RCX: 00000000fffffffe
RDX: 000000000002c2b0 RSI: ffffffff8155e2e0 RDI: 0002000300004058
RBP: ffff888137dd7a88 R08: 0002000300004058 R09: ffff8881144a9f88
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881141d4000
R13: ffff888137dd7c68 R14: ffff888137dd7d58 R15: ffff888137dd7cc0
FS: 00007f4644f2a4c0(0000) GS:ffff8887a2d40000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b4500f4380 CR3: 0000000114f7a003 CR4: 0000000000170ea0
Call Trace:
simple_recursive_removal+0x33/0x2e0
? debugfs_remove+0x60/0x60
debugfs_remove+0x40/0x60
mlx5_debug_cq_remove+0x32/0x70 [mlx5_core]
mlx5_core_destroy_cq+0x41/0x1d0 [mlx5_core]
devx_obj_cleanup+0x151/0x330 [mlx5_ib]
? __pollwait+0xd0/0xd0
? xas_load+0x5/0x70
? xa_load+0x62/0xa0
destroy_hw_idr_uobject+0x20/0x80 [ib_uverbs]
uverbs_destroy_uobject+0x3b/0x360 [ib_uverbs]
uobj_destroy+0x54/0xa0 [ib_uverbs]
ib_uverbs_cmd_verbs+0xaf2/0x1160 [ib_uverbs]
? uverbs_finalize_object+0xd0/0xd0 [ib_uverbs]
ib_uverbs_ioctl+0xc4/0x1b0 [ib_uverbs]
__x64_sys_ioctl+0x3e4/0x8e0
Security readout for executives and security teams
Plain-English summary
CVE-2021-47197 is a Linux kernel crash issue in the mlx5 networking/RDMA driver cleanup path. If a completion queue destroy operation fails and cleanup is attempted again, a stale debugfs pointer can be reused and crash the kernel. Business impact is mainly availability on affected Linux hosts using this driver path.
Executive priority
Treat as a targeted availability risk, not a broad internet-facing emergency based on current evidence. Patch through normal kernel update channels, prioritizing production systems with mlx5/RDMA usage or workloads where host crashes have high operational impact.
Technical view
The bug is in mlx5_debug_cq_remove() and mlx5_core_destroy_cq(). The source says cq->dbg was not nullified after removal, so a later destroy call could remove the same debugfs object again and trigger a general protection fault. The fix nullifies cq->dbg and only continues destroy operations when firmware reports successful CQ destruction.
Likely exposure
Exposure appears limited to affected Linux kernels running mlx5-related networking/RDMA paths. The bundle lists Linux kernel versions including 5.15, 5.10.82, 5.15.5, and 5.16 as affected, but distro backports may change real-world status.
Exploitation context
The bundle does not report active exploitation, and KEV is false. The crash trace involves ib_uverbs ioctl activity and mlx5_ib cleanup, but the provided sources do not establish a practical exploit path, privilege requirement, or remote attack scenario.
Researcher notes
Evidence is source-limited. The CVE text gives a crash trace and fix rationale, but no CVSS, CWE, exploitability assessment, or attacker prerequisites. Analysis should focus on affected kernel lineage, distro backports, mlx5 driver use, and whether user-accessible RDMA/uverbs paths are enabled.
Mitigation direction
Update affected Linux kernels to vendor or distro builds containing the stable fixes.
Prioritize hosts using mlx5 networking, RDMA, or ib_uverbs functionality.
Check Linux vendor guidance for supported mitigations if patching is delayed.
Avoid direct wrangler or deployment assumptions; this is kernel maintenance work.
Validation and detection
Inventory running kernel versions against vendor security advisories and changelogs.
Check whether mlx5_core, mlx5_ib, or ib_uverbs are used on critical hosts.
Verify the kernel includes one of the referenced stable commits or an equivalent backport.
Confirm no unexplained kernel crashes match the mlx5/debugfs cleanup trace.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47197 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.