CVE-2021-47090: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()

Hulk Robot reported a panic in put_page_testzero() when testing madvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying get_any_page(). This is because we keep MF_COUNT_INCREASED flag in second try but the refcnt is not increased.

    page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
    ------------[ cut here ]------------
    kernel BUG at include/linux/mm.h:737!
    invalid opcode: 0000 [#1] PREEMPT SMP
    CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
    RIP: release_pages+0x53f/0x840
    Call Trace:
      free_pages_and_swap_cache+0x64/0x80
      tlb_flush_mmu+0x6f/0x220
      unmap_page_range+0xe6c/0x12c0
      unmap_single_vma+0x90/0x170
      unmap_vmas+0xc4/0x180
      exit_mmap+0xde/0x3a0
      mmput+0xa3/0x250
      do_exit+0x564/0x1470
      do_group_exit+0x3b/0x100
      __do_sys_exit_group+0x13/0x20
      __x64_sys_exit_group+0x16/0x20
      do_syscall_64+0x34/0x80
      entry_SYSCALL_64_after_hwframe+0x44/0xae
    Modules linked in:
    ---[ end trace e99579b570fe0649 ]---
    RIP: 0010:release_pages+0x53f/0x840
AI Analysis
Technical Summary
CVE-2021-47090 is a vulnerability identified in the Linux kernel's memory management subsystem, specifically within the hardware poison handling code (mm/hwpoison). The issue arises in the function get_any_page() when it is retried after a failure. The vulnerability was reported by Hulk Robot, who observed a kernel panic triggered in put_page_testzero() during tests involving the madvise() system call with the MADV_SOFT_OFFLINE flag. The root cause is that the MF_COUNT_INCREASED flag, which indicates an increased reference count on a memory page, is not cleared before retrying get_any_page(). Consequently, the reference count is not properly incremented on the second attempt, leading to a mismatch between the flag state and the actual reference count. This inconsistency causes a VM_BUG_ON_PAGE assertion failure when the page reference count is zero, resulting in a kernel BUG and system panic. The panic trace shows the failure occurring in release_pages(), which is part of the page freeing and memory unmapping process. This bug can cause system instability and crashes when applications invoke madvise() with MADV_SOFT_OFFLINE, a feature used to mark pages as offline for hardware error handling. The vulnerability affects Linux kernel versions prior to the patch that clears MF_COUNT_INCREASED before retrying get_any_page(). No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability is technical and low-level, impacting kernel memory management and page reference counting mechanisms.
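The flag/refcount mismatch described above, reduced to a userspace model; this is an added illustration, not kernel source or the upstream patch. The struct page layout, the helper names put_page_checked() and soft_offline_model(), the flag's numeric value and the two-attempt loop are assumptions made for the model.

```c
/* Simplified userspace model of the retry path; NOT kernel source. */
#include <stdbool.h>
#include <stdio.h>

#define MF_COUNT_INCREASED 1UL  /* model value: caller already holds a reference */

struct page { int refcount; };  /* assumed minimal stand-in for the kernel type */

/* Model: take a reference unless the flag says the caller already holds one. */
static void get_any_page(struct page *p, unsigned long flags)
{
    if (!(flags & MF_COUNT_INCREASED))
        p->refcount++;
}

/* Model of put_page_testzero(): returns -1 where the kernel would hit
 * VM_BUG_ON_PAGE(page_ref_count(page) == 0). */
static int put_page_checked(struct page *p)
{
    if (p->refcount == 0)
        return -1;
    p->refcount--;
    return 0;
}

/* Two attempts; each one releases the reference it believes it holds.
 * Returns 0 if counting stayed balanced, -1 on the modelled BUG. */
static int soft_offline_model(bool clear_flag_before_retry)
{
    struct page pg = { .refcount = 1 };      /* reference taken by the caller */
    unsigned long flags = MF_COUNT_INCREASED;

    for (int attempt = 0; attempt < 2; attempt++) {
        get_any_page(&pg, flags);
        if (put_page_checked(&pg) < 0)       /* stale flag: nothing left to drop */
            return -1;
        if (clear_flag_before_retry)
            flags &= ~MF_COUNT_INCREASED;    /* the fix: retry must take its own ref */
    }
    return 0;
}

int main(void)
{
    printf("flag kept on retry:    %d\n", soft_offline_model(false));
    printf("flag cleared on retry: %d\n", soft_offline_model(true));
    return 0;
}
```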
Potential Impact
For European organizations, the impact of CVE-2021-47090 primarily involves system stability and availability risks. Servers and infrastructure running vulnerable Linux kernel versions may experience unexpected kernel panics and crashes when workloads or applications use madvise() with MADV_SOFT_OFFLINE, potentially leading to downtime and service interruptions. This can affect critical systems such as cloud infrastructure, data centers, and enterprise servers that rely on Linux for stability and performance. Although the vulnerability does not directly expose confidentiality or integrity risks, the denial of service caused by kernel panics can disrupt business operations, especially in environments requiring high availability. Organizations using Linux kernels with hardware error handling features or memory poisoning mechanisms are more likely to encounter this issue. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or triggered crashes. In regulated industries or sectors with strict uptime requirements, such as finance, healthcare, and telecommunications, this vulnerability could have operational and compliance implications if not addressed promptly.
Mitigation Recommendations
To mitigate CVE-2021-47090, European organizations should:
1) Apply the official Linux kernel patches that clear the MF_COUNT_INCREASED flag before retrying get_any_page(), ensuring the reference count handling is correct. This patch is critical and should be prioritized in kernel updates.
2) Identify and inventory all systems running affected Linux kernel versions, especially those using memory poisoning or madvise() with MADV_SOFT_OFFLINE.
3) Test kernel updates in staging environments to verify stability and compatibility before production deployment.
4) Monitor system logs for kernel panics or VM_BUG_ON_PAGE errors related to memory management, which may indicate attempts to trigger this vulnerability.
5) Limit or audit the use of madvise() with MADV_SOFT_OFFLINE in applications if possible, as a temporary workaround to reduce exposure.
6) Maintain robust backup and recovery procedures to minimize downtime impact from potential crashes.
7) Engage with Linux distribution vendors for timely security updates and advisories related to this vulnerability.
These steps go beyond generic advice by focusing on kernel patching, targeted monitoring, and operational controls specific to the vulnerability's triggering conditions.
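One way to implement the log check in item 4, as an added example rather than tooling from the advisory: it counts oops blocks that contain both the zero-refcount assertion and a kernel BUG line. The function name and the sample log (built from the trace quoted above plus one constructed unrelated BUG) are assumptions, and a hit indicates a zero-refcount BUG in general, so it still needs triage against the running kernel version.

```c
/* Added example: log check for the signature quoted in this advisory. */
#include <stdio.h>
#include <string.h>

#define REFCOUNT_ASSERT "VM_BUG_ON_PAGE(page_ref_count(page) == 0)"

/* Return how many oops blocks (closed by an "end trace" line) contain both
 * the zero-refcount assertion and a "kernel BUG at" line. */
static int count_refcount_bugs(const char *log)
{
    int hits = 0, asserted = 0, bug = 0;

    while (*log) {
        char line[512];
        size_t len = strcspn(log, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, log, n);               /* copy one (possibly truncated) line */
        line[n] = '\0';
        if (strstr(line, REFCOUNT_ASSERT))
            asserted = 1;                   /* printed before "cut here" */
        if (strstr(line, "kernel BUG at"))
            bug = 1;
        if (strstr(line, "[ end trace")) {  /* block complete: score and reset */
            hits += asserted && bug;
            asserted = bug = 0;
        }
        log += len;
        if (*log == '\n')
            log++;
    }
    return hits;
}

/* Constructed sample: the advisory's trace (abridged) and an unrelated BUG. */
static const char SAMPLE_LOG[] =
    "page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)\n"
    "------------[ cut here ]------------\n"
    "kernel BUG at include/linux/mm.h:737!\n"
    "---[ end trace e99579b570fe0649 ]---\n"
    "------------[ cut here ]------------\n"
    "kernel BUG at fs/example.c:1!\n"
    "---[ end trace 0000000000000000 ]---\n";

int main(void)
{
    printf("matching oops blocks: %d\n", count_refcount_bugs(SAMPLE_LOG));
    return 0;
}
```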
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-29T22:33:44.300Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9ca9
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 9:24:44 PM
Last updated: 8/17/2025, 6:14:36 PM