CVE-2021-47209: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Prevent dead task groups from regaining cfs_rq's Kevin is reporting crashes which point to a use-after-free of a cfs_rq in update_blocked_averages(). Initial debugging revealed that we've live cfs_rq's (on_list=1) in an about to be kfree()'d task group in free_fair_sched_group(). However, it was unclear how that can happen. His kernel config happened to lead to a layout of struct sched_entity that put the 'my_q' member directly into the middle of the object which makes it incidentally overlap with SLUB's freelist pointer. That, in combination with SLAB_FREELIST_HARDENED's freelist pointer mangling, leads to a reliable access violation in form of a #GP which made the UAF fail fast. Michal seems to have run into the same issue[1]. He already correctly diagnosed that commit a7b359fc6a37 ("sched/fair: Correctly insert cfs_rq's to list on unthrottle") is causing the preconditions for the UAF to happen by re-adding cfs_rq's also to task groups that have no more running tasks, i.e. also to dead ones. His analysis, however, misses the real root cause and it cannot be seen from the crash backtrace only, as the real offender is tg_unthrottle_up() getting called via sched_cfs_period_timer() via the timer interrupt at an inconvenient time. When unregister_fair_sched_group() unlinks all cfs_rq's from the dying task group, it doesn't protect itself from getting interrupted. If the timer interrupt triggers while we iterate over all CPUs or after unregister_fair_sched_group() has finished but prior to unlinking the task group, sched_cfs_period_timer() will execute and walk the list of task groups, trying to unthrottle cfs_rq's, i.e. re-add them to the dying task group. These will later -- in free_fair_sched_group() -- be kfree()'ed while still being linked, leading to the fireworks Kevin and Michal are seeing. To fix this race, ensure the dying task group gets unlinked first. However, simply switching the order of unregistering and unlinking the task group isn't sufficient, as concurrent RCU walkers might still see it, as can be seen below: CPU1: CPU2: : timer IRQ: : do_sched_cfs_period_timer(): : : : distribute_cfs_runtime(): : rcu_read_lock(); : : : unthrottle_cfs_rq(): sched_offline_group(): : : walk_tg_tree_from(…,tg_unthrottle_up,…): list_del_rcu(&tg->list); : (1) : list_for_each_entry_rcu(child, &parent->children, siblings) : : (2) list_del_rcu(&tg->siblings); : : tg_unthrottle_up(): unregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)]; : : list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); : : : : if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running) (3) : list_add_leaf_cfs_rq(cfs_rq); : : : : : : : : : ---truncated---
AI Analysis
Technical Summary
CVE-2021-47209 is a use-after-free (UAF) vulnerability found in the Linux kernel's Completely Fair Scheduler (CFS) subsystem, specifically within the fair scheduling group management code. The flaw arises from a race condition during the unlinking and freeing of task groups (sched_groups) and their associated run queues (cfs_rq). When a task group is being unregistered and freed, the kernel fails to properly synchronize the removal of cfs_rq structures from internal lists before freeing them. Concurrent timer interrupts invoking sched_cfs_period_timer() can cause the kernel to re-add cfs_rq instances to task groups that are in the process of being freed (dead task groups). This leads to use-after-free conditions when free_fair_sched_group() attempts to free these still-linked cfs_rq structures. The vulnerability is exacerbated by the kernel's memory allocator (SLUB) freelist pointer mangling, which causes reliable access violations and kernel crashes (#GP faults) during exploitation attempts, effectively causing a fail-fast behavior. The root cause is a complex interaction between unregister_fair_sched_group(), which unlinks cfs_rq's without sufficient protection against concurrent timer interrupts, and the timer interrupt handler that walks task group lists to unthrottle cfs_rq's. The fix involves ensuring that dying task groups are unlinked and protected from concurrent access before freeing, including careful ordering of list deletions and synchronization to prevent RCU walkers from accessing freed structures. This vulnerability affects Linux kernel versions containing commit a7b359fc6a37faaf472125867c8dc5a068c90982 and likely related versions. No public exploits are known at this time, but the issue can cause kernel crashes and potentially be leveraged for privilege escalation or denial of service if exploited.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running vulnerable Linux kernel versions, especially servers and infrastructure components relying on fair scheduling for process management. Exploitation could lead to kernel crashes resulting in denial of service (DoS), impacting availability of critical services. In multi-tenant or shared environments such as cloud providers, this flaw could be leveraged by malicious actors to disrupt other tenants or escalate privileges by exploiting kernel memory corruption. Given Linux's widespread use across European enterprises, government agencies, and critical infrastructure, the impact could be broad, affecting data centers, cloud platforms, and embedded systems. The vulnerability's complexity and requirement for precise timing reduce the likelihood of widespread exploitation but do not eliminate the risk. Organizations handling sensitive data or providing essential services could face operational disruptions, reputational damage, and compliance issues if the vulnerability is exploited. Additionally, the lack of a public exploit does not guarantee safety; motivated attackers could develop exploits given the detailed technical information available.
Mitigation Recommendations
1. Apply Kernel Updates: Immediately update Linux systems to kernel versions where this vulnerability is patched. Monitor vendor advisories for backported fixes in enterprise distributions. 2. Kernel Configuration Review: Review kernel configurations to minimize exposure, such as disabling unnecessary scheduling features or modules if feasible. 3. Harden Interrupt Handling: Employ kernel hardening techniques that mitigate race conditions and improve interrupt handling synchronization. 4. Use Security Modules: Deploy Linux Security Modules (LSMs) like SELinux or AppArmor to limit the impact of potential kernel exploits. 5. Monitor System Logs: Implement monitoring for kernel oops, crashes, or unusual scheduler behavior that could indicate exploitation attempts. 6. Limit Privileged Access: Restrict access to systems and accounts capable of triggering or exploiting kernel scheduler operations. 7. Test Patches Thoroughly: Given the complexity of scheduler code, thoroughly test kernel updates in staging environments before production deployment to avoid regressions. 8. Employ RCU and Locking Best Practices: For organizations developing or maintaining custom kernel modules, ensure proper use of RCU and locking to prevent similar race conditions. 9. Incident Response Preparedness: Prepare for potential DoS incidents by having recovery procedures and backups in place for critical Linux systems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
CVE-2021-47209: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Prevent dead task groups from regaining cfs_rq's Kevin is reporting crashes which point to a use-after-free of a cfs_rq in update_blocked_averages(). Initial debugging revealed that we've live cfs_rq's (on_list=1) in an about to be kfree()'d task group in free_fair_sched_group(). However, it was unclear how that can happen. His kernel config happened to lead to a layout of struct sched_entity that put the 'my_q' member directly into the middle of the object which makes it incidentally overlap with SLUB's freelist pointer. That, in combination with SLAB_FREELIST_HARDENED's freelist pointer mangling, leads to a reliable access violation in form of a #GP which made the UAF fail fast. Michal seems to have run into the same issue[1]. He already correctly diagnosed that commit a7b359fc6a37 ("sched/fair: Correctly insert cfs_rq's to list on unthrottle") is causing the preconditions for the UAF to happen by re-adding cfs_rq's also to task groups that have no more running tasks, i.e. also to dead ones. His analysis, however, misses the real root cause and it cannot be seen from the crash backtrace only, as the real offender is tg_unthrottle_up() getting called via sched_cfs_period_timer() via the timer interrupt at an inconvenient time. When unregister_fair_sched_group() unlinks all cfs_rq's from the dying task group, it doesn't protect itself from getting interrupted. If the timer interrupt triggers while we iterate over all CPUs or after unregister_fair_sched_group() has finished but prior to unlinking the task group, sched_cfs_period_timer() will execute and walk the list of task groups, trying to unthrottle cfs_rq's, i.e. re-add them to the dying task group. These will later -- in free_fair_sched_group() -- be kfree()'ed while still being linked, leading to the fireworks Kevin and Michal are seeing. To fix this race, ensure the dying task group gets unlinked first. However, simply switching the order of unregistering and unlinking the task group isn't sufficient, as concurrent RCU walkers might still see it, as can be seen below: CPU1: CPU2: : timer IRQ: : do_sched_cfs_period_timer(): : : : distribute_cfs_runtime(): : rcu_read_lock(); : : : unthrottle_cfs_rq(): sched_offline_group(): : : walk_tg_tree_from(…,tg_unthrottle_up,…): list_del_rcu(&tg->list); : (1) : list_for_each_entry_rcu(child, &parent->children, siblings) : : (2) list_del_rcu(&tg->siblings); : : tg_unthrottle_up(): unregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)]; : : list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); : : : : if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running) (3) : list_add_leaf_cfs_rq(cfs_rq); : : : : : : : : : ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2021-47209 is a use-after-free (UAF) vulnerability found in the Linux kernel's Completely Fair Scheduler (CFS) subsystem, specifically within the fair scheduling group management code. The flaw arises from a race condition during the unlinking and freeing of task groups (sched_groups) and their associated run queues (cfs_rq). When a task group is being unregistered and freed, the kernel fails to properly synchronize the removal of cfs_rq structures from internal lists before freeing them. Concurrent timer interrupts invoking sched_cfs_period_timer() can cause the kernel to re-add cfs_rq instances to task groups that are in the process of being freed (dead task groups). This leads to use-after-free conditions when free_fair_sched_group() attempts to free these still-linked cfs_rq structures. The vulnerability is exacerbated by the kernel's memory allocator (SLUB) freelist pointer mangling, which causes reliable access violations and kernel crashes (#GP faults) during exploitation attempts, effectively causing a fail-fast behavior. The root cause is a complex interaction between unregister_fair_sched_group(), which unlinks cfs_rq's without sufficient protection against concurrent timer interrupts, and the timer interrupt handler that walks task group lists to unthrottle cfs_rq's. The fix involves ensuring that dying task groups are unlinked and protected from concurrent access before freeing, including careful ordering of list deletions and synchronization to prevent RCU walkers from accessing freed structures. This vulnerability affects Linux kernel versions containing commit a7b359fc6a37faaf472125867c8dc5a068c90982 and likely related versions. No public exploits are known at this time, but the issue can cause kernel crashes and potentially be leveraged for privilege escalation or denial of service if exploited.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running vulnerable Linux kernel versions, especially servers and infrastructure components relying on fair scheduling for process management. Exploitation could lead to kernel crashes resulting in denial of service (DoS), impacting availability of critical services. In multi-tenant or shared environments such as cloud providers, this flaw could be leveraged by malicious actors to disrupt other tenants or escalate privileges by exploiting kernel memory corruption. Given Linux's widespread use across European enterprises, government agencies, and critical infrastructure, the impact could be broad, affecting data centers, cloud platforms, and embedded systems. The vulnerability's complexity and requirement for precise timing reduce the likelihood of widespread exploitation but do not eliminate the risk. Organizations handling sensitive data or providing essential services could face operational disruptions, reputational damage, and compliance issues if the vulnerability is exploited. Additionally, the lack of a public exploit does not guarantee safety; motivated attackers could develop exploits given the detailed technical information available.
Mitigation Recommendations
1. Apply Kernel Updates: Immediately update Linux systems to kernel versions where this vulnerability is patched. Monitor vendor advisories for backported fixes in enterprise distributions. 2. Kernel Configuration Review: Review kernel configurations to minimize exposure, such as disabling unnecessary scheduling features or modules if feasible. 3. Harden Interrupt Handling: Employ kernel hardening techniques that mitigate race conditions and improve interrupt handling synchronization. 4. Use Security Modules: Deploy Linux Security Modules (LSMs) like SELinux or AppArmor to limit the impact of potential kernel exploits. 5. Monitor System Logs: Implement monitoring for kernel oops, crashes, or unusual scheduler behavior that could indicate exploitation attempts. 6. Limit Privileged Access: Restrict access to systems and accounts capable of triggering or exploiting kernel scheduler operations. 7. Test Patches Thoroughly: Given the complexity of scheduler code, thoroughly test kernel updates in staging environments before production deployment to avoid regressions. 8. Employ RCU and Locking Best Practices: For organizations developing or maintaining custom kernel modules, ensure proper use of RCU and locking to prevent similar race conditions. 9. Incident Response Preparedness: Prepare for potential DoS incidents by having recovery procedures and backups in place for critical Linux systems.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-04-10T18:59:19.526Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9835c4522896dcbea079
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 4:51:46 PM
Last updated: 8/14/2025, 8:58:21 PM
Views: 12
Related Threats
CVE-2025-8193
LowCVE-2025-9356: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-9355: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-43761: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
MediumCVE-2025-24902: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
CriticalActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.