CVE-2021-47189: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix memory ordering between normal and ordered work functions

Ordered work functions aren't guaranteed to be handled by the same thread which executed the normal work functions. The only way execution between normal/ordered functions is synchronized is via the WORK_DONE_BIT, unfortunately the used bitops don't guarantee any ordering whatsoever.

This manifested as seemingly inexplicable crashes on ARM64, where async_chunk::inode is seen as non-null in async_cow_submit which causes submit_compressed_extents to be called and crash occurs because async_chunk::inode suddenly became NULL. The call trace was similar to:

    pc : submit_compressed_extents+0x38/0x3d0
    lr : async_cow_submit+0x50/0xd0
    sp : ffff800015d4bc20

    <registers omitted for brevity>

    Call trace:
     submit_compressed_extents+0x38/0x3d0
     async_cow_submit+0x50/0xd0
     run_ordered_work+0xc8/0x280
     btrfs_work_helper+0x98/0x250
     process_one_work+0x1f0/0x4ac
     worker_thread+0x188/0x504
     kthread+0x110/0x114
     ret_from_fork+0x10/0x18

Fix this by adding respective barrier calls which ensure that all accesses preceding setting of WORK_DONE_BIT are strictly ordered before setting the flag. At the same time add a read barrier after reading of WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads would be strictly ordered after reading the bit. This in turn ensures that all accesses before WORK_DONE_BIT are going to be strictly ordered before any access that can occur in ordered_func.
AI Analysis
Technical Summary
CVE-2021-47189 is a medium-severity vulnerability in the Linux kernel affecting the Btrfs filesystem implementation. The issue arises from improper memory ordering between normal and ordered work functions within the Btrfs asynchronous operations. Specifically, the synchronization mechanism relies on the WORK_DONE_BIT flag, but the bit operations used do not guarantee proper memory ordering. This can lead to race conditions where asynchronous chunk inode pointers become invalid (NULL) unexpectedly during compressed extent submission, causing kernel crashes. The problem is particularly observed on ARM64 architectures, where the asynchronous chunk inode pointer is seen as non-null initially but becomes NULL during execution, triggering a crash in the submit_compressed_extents function. The vulnerability is rooted in the lack of memory barriers around the setting and reading of the WORK_DONE_BIT, which allows out-of-order execution of memory accesses. The fix involves adding appropriate memory barrier calls before setting the WORK_DONE_BIT and after reading it to ensure strict ordering of memory operations. This prevents the race condition and stabilizes the asynchronous work execution flow in Btrfs. The vulnerability requires local privileges (PR:L) but no user interaction and can be exploited remotely over the network (AV:N), impacting confidentiality, integrity, and availability to a limited extent. The CVSS 3.1 score is 6.3, reflecting a medium severity level.
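The ordering the fix establishes, shown as an added userspace illustration that is not code from the kernel or from this page: C11 release/acquire atomics stand in for the kernel barrier calls, and every name other than WORK_DONE_BIT is hypothetical. It assumes the normal function's last store clears the pointer, matching the non-NULL-then-NULL symptom described above.

```c
/* Userspace analogue, not kernel code. C11 atomics stand in for the kernel
 * bitops and barriers; every name except WORK_DONE_BIT is hypothetical. */
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>

#define WORK_DONE_BIT 0
#define DONE_MASK (1UL << WORK_DONE_BIT)
struct work {
    void *inode;              /* stands in for async_chunk::inode */
    atomic_ulong flags;
};
static int fake_inode;        /* constructed object for the pointer to reference */

/* Normal work function: its last store clears the pointer (assumed), then it
 * publishes completion. Release orders all earlier stores before the bit;
 * memory_order_relaxed here would let the bit become visible first. */
static void *normal_func(void *arg)
{
    struct work *w = arg;
    w->inode = NULL;
    atomic_fetch_or_explicit(&w->flags, DONE_MASK, memory_order_release);
    return NULL;
}

/* Ordered work function, possibly on another thread. Acquire keeps the
 * inode load from being satisfied before the bit was observed. */
static int ordered_func_sees_stale(struct work *w)
{
    while (!(atomic_load_explicit(&w->flags, memory_order_acquire) & DONE_MASK))
        ;                     /* wait for WORK_DONE_BIT */
    return w->inode != NULL;  /* a stale non-NULL pointer would be used here */
}

/* Repeat the hand-off; returns the number of stale observations, -1 on error. */
int count_stale_handoffs(int rounds)
{
    int stale = 0;
    for (int i = 0; i < rounds; i++) {
        struct work w = { .inode = &fake_inode, .flags = 0 };
        pthread_t t;
        if (pthread_create(&t, NULL, normal_func, &w) != 0)
            return -1;
        stale += ordered_func_sees_stale(&w);
        pthread_join(t, NULL);
    }
    return stale;
}

int main(void) { return count_stale_handoffs(200) != 0; }
```

On toolchains where pthreads is not part of libc, build with `cc -pthread`.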
Potential Impact
For European organizations, this vulnerability can lead to system instability and potential denial of service due to kernel crashes on systems running vulnerable Linux kernel versions with Btrfs enabled, especially on ARM64 hardware. Organizations relying on Btrfs for critical storage, such as data centers, cloud providers, and enterprises using ARM64 servers or devices, may experience unexpected downtime or data access interruptions. Although the vulnerability requires local privileges, it could be exploited by an attacker who has gained limited access to escalate impact, potentially affecting confidentiality and integrity of data stored on Btrfs volumes. The disruption caused by kernel crashes can impact availability of services, leading to operational and financial consequences. Given the widespread use of Linux in European infrastructure, including government, finance, and telecommunications sectors, the vulnerability poses a moderate risk. However, the lack of known exploits in the wild reduces immediate threat urgency. Organizations using ARM64 architectures should be particularly vigilant as the issue is more pronounced on these platforms.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2021-47189. Specifically, they should ensure that all systems running Btrfs, especially on ARM64 hardware, are upgraded to the fixed kernel releases. System administrators should audit their environments to identify vulnerable kernel versions and Btrfs usage. In environments where immediate patching is not feasible, organizations can consider temporarily disabling Btrfs or limiting access to systems with Btrfs volumes to trusted users only, reducing the risk of local exploitation. Additionally, implementing strict access controls and monitoring for unusual kernel crashes or system instability can help detect exploitation attempts. For ARM64 systems, testing kernel updates in staging environments before production deployment is recommended to ensure stability. Organizations should also maintain regular backups of critical data stored on Btrfs volumes to mitigate potential data loss from crashes. Finally, integrating this vulnerability into vulnerability management and patching workflows will ensure timely remediation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-25T09:12:14.113Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbe9ff5
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 5:51:27 PM
Last updated: 8/16/2025, 5:28:52 AM