[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2021-46933":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T02:53:27.892Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":39},"DEBIAN-CVE-2021-46933","In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.  ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 and then unmounts f_fs. If userland provided an eventfd along with function's USB descriptors, it ends up calling eventfd_ctx_put as many times, causing a refcount underflow. NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.  Also, set epfiles to NULL right after de-allocating it, for readability.  For completeness, ffs_data_clear actually ends up being called thrice, the last call being before the whole ffs structure gets freed, so when this specific sequence happens there is a second underflow happening (but not being reported):  /sys/kernel/debug/tracing# modprobe usb_f_fs /sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter /sys/kernel/debug/tracing# echo function > current_tracer /sys/kernel/debug/tracing# echo 1 > tracing_on (setup gadget, run and kill function userland process, teardown gadget) /sys/kernel/debug/tracing# echo 0 > tracing_on /sys/kernel/debug/tracing# cat trace  smartcard-openp-436     [000] .....  1946.208786: ffs_data_clear \u003C-ffs_data_closed  smartcard-openp-431     [000] .....  1946.279147: ffs_data_clear \u003C-ffs_data_closed  smartcard-openp-431     [000] .n...  1946.905512: ffs_data_clear \u003C-ffs_data_put  Warning output corresponding to above trace: [ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c [ 1946.293094] refcount_t: underflow; use-after-free. [ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E) [ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G         C OE     5.15.0-1-rpi #1  Debian 5.15.3-1 [ 1946.417950] Hardware name: BCM2835 [ 1946.425442] Backtrace: [ 1946.432048] [\u003Cc08d60a0>] (dump_backtrace) from [\u003Cc08d62ec>] (show_stack+0x20/0x24) [ 1946.448226]  r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c [ 1946.458412] [\u003Cc08d62cc>] (show_stack) from [\u003Cc08d9ae0>] (dump_stack+0x28/0x30) [ 1946.470380] [\u003Cc08d9ab8>] (dump_stack) from [\u003Cc0123500>] (__warn+0xe8/0x154) [ 1946.482067]  r5:c04a948c r4:c0a71dc8 [ 1946.490184] [\u003Cc0123418>] (__warn) from [\u003Cc08d6948>] (warn_slowpath_fmt+0xa0/0xe4) [ 1946.506758]  r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04 [ 1946.517070] [\u003Cc08d68ac>] (warn_slowpath_fmt) from [\u003Cc04a948c>] (refcount_warn_saturate+0x110/0x15c) [ 1946.535309]  r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0 [ 1946.546708] [\u003Cc04a937c>] (refcount_warn_saturate) from [\u003Cc0380134>] (eventfd_ctx_put+0x48/0x74) [ 1946.564476] [\u003Cc03800ec>] (eventfd_ctx_put) from [\u003Cbf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs]) [ 1946.582664]  r5:c3b84c00 r4:c2695b00 [ 1946.590668] [\u003Cbf546418>] (ffs_data_clear [usb_f_fs]) from [\u003Cbf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs]) [ 1946.609608]  r5:bf54d014 r4:c2695b00 [ 1946.617522] [\u003Cbf547c24>] (ffs_data_closed [usb_f_fs]) from [\u003Cbf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs]) [ 1946.636217]  r7:c0dfcb ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2021-46933",[],[],[],"2024-02-27T10:15:07.807Z","2026-04-28T20:23:14.709555Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2021-46933",[27],"osv_debian",[29],"Advisory",[],[],[33],{"source":27,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":34,"cvss_v4_0":9},{"baseScore":35,"baseSeverity":9,"vectorString":36,"impactScore":37,"exploitabilityScore":38},5.5,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",6,4.6,[40],{"ecosystem":41,"name":42,"vendor":43,"product":42,"cpe_part":9,"purl_type":44,"purl_namespace":43,"purl_name":42,"source":9,"versions":45},"Debian","linux","debian","deb",[46,52,55,56],{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":50,"version_end_type":51,"fixed_in":9},"lt5_10_92_1",true,"ecosystem","5.10.92-1","excluding",{"version":53,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":51,"fixed_in":9},"lt5_15_15_1","5.15.15-1",{"version":53,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":51,"fixed_in":9},{"version":53,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":51,"fixed_in":9}]