CVE-2021-47130: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix freeing unallocated p2pmem

In case p2p device was found but the p2p pool is empty, the nvme target is still trying to free the sgl from the p2p pool instead of the regular sgl pool and causing a crash (BUG() is called). Instead, assign the p2p_dev for the request only if it was allocated from p2p pool.

This is the crash that was caused:

[Sun May 30 19:13:53 2021] ------------[ cut here ]------------
[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
[Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI
...
[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
...
[Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0
...
[Sun May 30 19:13:53 2021] Call Trace:
[Sun May 30 19:13:53 2021] ------------[ cut here ]------------
[Sun May 30 19:13:53 2021] pci_free_p2pmem+0x2b/0x70
[Sun May 30 19:13:53 2021] pci_p2pmem_free_sgl+0x4f/0x80
[Sun May 30 19:13:53 2021] nvmet_req_free_sgls+0x1e/0x80 [nvmet]
[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
[Sun May 30 19:13:53 2021] nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma]
[Sun May 30 19:13:53 2021] nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma]
AI Analysis
Technical Summary
CVE-2021-47130 is a medium-severity vulnerability in the Linux kernel's NVMe target (nvmet) subsystem, in its handling of peer-to-peer (p2p) memory. When a p2p device is found for a request but the p2p memory pool is empty, the p2p allocation fails and the scatter-gather list (SGL) is taken from the regular SGL pool instead; the request is nevertheless still marked as using the p2p device, so on completion the nvmet target tries to free the SGL back into the p2p pool it never came from. That invalid free triggers BUG() in the genalloc allocator (lib/genalloc.c, in gen_pool_free_owner), crashing the kernel and producing a denial of service (DoS). The call trace in the description runs from nvmet_rdma_send_done and nvmet_rdma_release_rsp through nvmet_req_free_sgls, pci_p2pmem_free_sgl and pci_free_p2pmem into the allocator. Triggering it requires local access with high privileges (AV:L, PR:H) and no user interaction; the impact is limited to availability (A:H), with no confidentiality or integrity impact, giving a CVSS v3.1 base score of 4.4 (medium). No exploits are known in the wild. The fix changes the nvmet driver to assign p2p_dev to the request only when the SGL was actually allocated from the p2p pool, so the free path always selects the pool that performed the allocation. Affected kernel versions are those identified by the commit hashes in the CVE record, prior to the fix. Because the Linux kernel is widely deployed across servers, desktops and embedded systems, the bug can cause instability or denial of service on any affected system running a vulnerable kernel with nvmet enabled and p2p memory in use.
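The mislabelled-free sequence described above, as an added example that is not the kernel's code: a constructed C model in which p2p_dev records the allocating pool, run with the vulnerable assignment order (fixed=false) and the corrected one (fixed=true). The pool layout, run_cycle and the bounds check that stands in for the BUG() in gen_pool_free are all assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed model (not kernel code) of the nvmet SGL allocate/free paths
 * behind CVE-2021-47130: req.p2p_dev tells the free path which pool the SGL
 * came from, so it must be set only once a p2p allocation has succeeded. */
struct p2p_pool { unsigned char mem[128]; size_t capacity, used; };
struct req { void *sgl; struct p2p_pool *p2p_dev; };
/* Bump-allocate from the p2p pool; NULL when the pool is empty or exhausted. */
static void *p2p_alloc(struct p2p_pool *p, size_t len)
{
    if (p->used + len > p->capacity)
        return NULL;
    p->used += len;
    return p->mem + p->used - len;
}
/* Model of gen_pool_free(): the kernel BUG()s in lib/genalloc.c when the
 * address lies in no chunk the pool manages; here that is a false return. */
static bool p2p_free(struct p2p_pool *p, void *addr, size_t len)
{
    uintptr_t a = (uintptr_t)addr, lo = (uintptr_t)p->mem;
    if (a < lo || a + len > lo + p->capacity)
        return false;
    p->used -= len;
    return true;
}
/* fixed=false reproduces the bug: p2p_dev is assigned before the p2p
 * allocation is known to succeed, so an SGL that fell back to the regular
 * pool is later handed to the p2p pool for freeing. */
static void alloc_sgl(struct req *r, struct p2p_pool *p, size_t len, bool fixed)
{
    r->p2p_dev = (p && !fixed) ? p : NULL;           /* vulnerable ordering */
    if (p && (r->sgl = p2p_alloc(p, len)) != NULL) {
        if (fixed)
            r->p2p_dev = p;   /* fix: only when allocated from the p2p pool */
        return;
    }
    r->sgl = malloc(len);                             /* regular sgl pool */
}
/* One allocate/free cycle against a p2p device whose pool is empty; false
 * where the real kernel would have crashed in the free path. */
bool run_cycle(bool fixed)
{
    struct p2p_pool empty = { .capacity = 0, .used = 0 };
    struct req r = { 0 };
    alloc_sgl(&r, &empty, 64, fixed);
    bool ok = r.p2p_dev ? p2p_free(r.p2p_dev, r.sgl, 64) : true;
    free(r.sgl);   /* the pool was empty, so sgl always came from malloc here */
    return ok;
}
```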
Potential Impact
For European organizations, the primary impact of CVE-2021-47130 is the potential for local denial of service on Linux systems running vulnerable kernel versions with the nvmet subsystem enabled and utilizing peer-to-peer memory. This could affect data centers, cloud providers, and enterprises relying on Linux-based storage servers or NVMe over Fabrics (NVMe-oF) deployments, especially those using RDMA or PCIe peer-to-peer memory features. While the vulnerability does not allow privilege escalation, data leakage, or integrity compromise, the induced kernel crash could disrupt critical storage services, leading to downtime and operational impact. Organizations with high availability requirements or those running high-performance computing clusters with NVMe targets may experience service interruptions. The requirement for local high privileges limits remote exploitation, but insider threats or compromised local accounts could trigger the crash. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or intentional crashes. European organizations with strict uptime SLAs and regulatory requirements for service continuity should prioritize patching to avoid availability disruptions.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-47130 as soon as possible. Ensure kernel versions are updated to include the fix that correctly handles p2p memory freeing in the nvmet driver.
2. Audit and monitor systems running the nvmet subsystem and using peer-to-peer memory features to identify vulnerable kernel versions.
3. Restrict local access to trusted administrators only, minimizing the risk of local exploitation by unauthorized users.
4. For environments not requiring NVMe target or p2p memory features, consider disabling the nvmet module or related kernel options to reduce the attack surface.
5. Implement robust monitoring and alerting for kernel crashes and BUG() invocations to detect exploitation attempts or accidental triggers early.
6. Test kernel updates in staging environments to ensure compatibility and stability before deployment in production, especially in storage-critical systems.
7. Maintain up-to-date backups and disaster recovery plans to mitigate the impact of potential service disruptions caused by kernel crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-04T18:12:48.840Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9e0b
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/26/2025, 7:51:40 PM
Last updated: 8/5/2025, 6:58:34 PM
Views: 13
Related Threats
- CVE-2025-9028: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-26709: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ZTE F50 (Medium)
- CVE-2025-9027: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-9026: OS Command Injection in D-Link DIR-860L (Medium)
- CVE-2025-9025: SQL Injection in code-projects Simple Cafe Ordering System (Medium)