CVE-2021-47558 in Linux
Summary
by MITRE • 05/24/2024
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: Disable Tx queues when reconfiguring the interface
The Tx queues were not disabled in situations where the driver needed to stop the interface to apply a new configuration. This could result in a kernel panic when doing any of the 3 following actions: * reconfiguring the number of queues (ethtool -L) * reconfiguring the size of the ring buffers (ethtool -G) * installing/removing an XDP program (ip l set dev ethX xdp)
Prevent the panic by making sure netif_tx_disable is called when stopping an interface.
Without this patch, the following kernel panic can be observed when doing any of the actions above:
Unable to handle kernel paging request at virtual address ffff80001238d040 [....]
Call trace: dwmac4_set_addr+0x8/0x10 dev_hard_start_xmit+0xe4/0x1ac sch_direct_xmit+0xe8/0x39c __dev_queue_xmit+0x3ec/0xaf0 dev_queue_xmit+0x14/0x20 [...]
[ end trace 0000000000000002 ]---
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 09/19/2025
The vulnerability CVE-2021-47558 affects the Linux kernel's stmmac network driver, specifically addressing a critical race condition that can lead to kernel panics during interface reconfiguration operations. This issue resides in the networking subsystem and represents a failure in proper queue management during driver state transitions. The flaw manifests when the driver attempts to reconfigure network interface parameters without adequately disabling transmit queues, creating a scenario where kernel memory access violations can occur. The stmmac driver, which supports Synopsys DesignWare Ethernet MAC controllers, is widely used in embedded systems and network appliances, making this vulnerability particularly impactful across various hardware platforms. The vulnerability directly relates to CWE-129, which addresses improper validation of array indices, and CWE-362, concerning concurrent execution using shared resources without proper synchronization mechanisms.
The technical implementation flaw occurs when the driver stops an interface to apply new configuration parameters but fails to call netif_tx_disable before proceeding with the reconfiguration process. This omission creates a race condition where transmit packets may still be queued or processed while the interface is being reconfigured, leading to invalid memory access patterns. The specific memory access violation occurs at virtual address ffff80001238d040, which suggests the kernel is attempting to access memory that has been freed or is otherwise invalid during the reconfiguration sequence. The call trace demonstrates the path through dwmac4_set_addr, dev_hard_start_xmit, and sch_direct_xmit functions, indicating that the issue propagates through the standard network packet processing pipeline. This behavior aligns with ATT&CK technique T1059.001, which involves command and scripting interpreter usage, as the vulnerability can be triggered through standard network management commands.
The operational impact of this vulnerability is severe, as it can cause complete system crashes when legitimate network reconfiguration operations are performed. System administrators executing routine maintenance tasks such as adjusting queue counts with ethtool -L, modifying ring buffer sizes with ethtool -G, or installing XDP programs through ip link set commands could inadvertently trigger the kernel panic. This makes the vulnerability particularly dangerous in production environments where network interfaces are frequently reconfigured or where XDP programs are deployed for performance optimization. The vulnerability affects systems using the stmmac driver across multiple kernel versions, with the patch specifically addressing the missing netif_tx_disable call during interface stopping operations. The panic occurs because the driver's transmit queue management logic does not properly synchronize with the interface state transitions, creating a scenario where packets are enqueued or dequeued while the underlying data structures are being modified. This represents a classic case of improper resource management and concurrent access control, where the driver fails to properly manage the lifecycle of transmit queues during configuration changes, leading to memory corruption and system instability.
The recommended mitigations for this vulnerability include applying the kernel patch that ensures netif_tx_disable is called before stopping the interface during reconfiguration operations. System administrators should update their kernels to versions containing this fix, particularly those running embedded systems or network appliances that utilize the stmmac driver. Organizations should also implement monitoring for unusual network interface reconfiguration patterns that might indicate exploitation attempts, as the vulnerability can be triggered through legitimate administrative commands. Additionally, security teams should consider implementing network segmentation and access controls to limit who can perform interface reconfiguration operations, reducing the attack surface for potential exploitation. The patch addresses the root cause by ensuring proper transmit queue shutdown before interface reconfiguration, preventing the race condition that leads to memory access violations and kernel panics. This mitigation aligns with security best practices for kernel-level vulnerability management and follows the principle of least privilege by ensuring proper resource state management during system operations.