CVE-2021-47402: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Tue May 21 2024 (05/21/2024, 15:03:56 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: sched: flower: protect fl_walk() with rcu

Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul() also removed rcu protection of individual filters, which causes the following use-after-free when a filter is deleted concurrently. Fix fl_walk() to obtain the rcu read lock while iterating and taking the filter reference, and temporarily release the lock while calling the arg->fn() callback that can sleep.

KASAN trace:

[ 352.773640] ==================================================================
[ 352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower]
[ 352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987
[ 352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2
[ 352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 352.781022] Call Trace:
[ 352.781573] dump_stack_lvl+0x46/0x5a
[ 352.782332] print_address_description.constprop.0+0x1f/0x140
[ 352.783400] ? fl_walk+0x159/0x240 [cls_flower]
[ 352.784292] ? fl_walk+0x159/0x240 [cls_flower]
[ 352.785138] kasan_report.cold+0x83/0xdf
[ 352.785851] ? fl_walk+0x159/0x240 [cls_flower]
[ 352.786587] kasan_check_range+0x145/0x1a0
[ 352.787337] fl_walk+0x159/0x240 [cls_flower]
[ 352.788163] ? fl_put+0x10/0x10 [cls_flower]
[ 352.789007] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220
[ 352.790102] tcf_chain_dump+0x231/0x450
[ 352.790878] ? tcf_chain_tp_delete_empty+0x170/0x170
[ 352.791833] ? __might_sleep+0x2e/0xc0
[ 352.792594] ? tfilter_notify+0x170/0x170
[ 352.793400] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220
[ 352.794477] tc_dump_tfilter+0x385/0x4b0
[ 352.795262] ? tc_new_tfilter+0x1180/0x1180
[ 352.796103] ? __mod_node_page_state+0x1f/0xc0
[ 352.796974] ? __build_skb_around+0x10e/0x130
[ 352.797826] netlink_dump+0x2c0/0x560
[ 352.798563] ? netlink_getsockopt+0x430/0x430
[ 352.799433] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220
[ 352.800542] __netlink_dump_start+0x356/0x440
[ 352.801397] rtnetlink_rcv_msg+0x3ff/0x550
[ 352.802190] ? tc_new_tfilter+0x1180/0x1180
[ 352.802872] ? rtnl_calcit.isra.0+0x1f0/0x1f0
[ 352.803668] ? tc_new_tfilter+0x1180/0x1180
[ 352.804344] ? _copy_from_iter_nocache+0x800/0x800
[ 352.805202] ? kasan_set_track+0x1c/0x30
[ 352.805900] netlink_rcv_skb+0xc6/0x1f0
[ 352.806587] ? rht_deferred_worker+0x6b0/0x6b0
[ 352.807455] ? rtnl_calcit.isra.0+0x1f0/0x1f0
[ 352.808324] ? netlink_ack+0x4d0/0x4d0
[ 352.809086] ? netlink_deliver_tap+0x62/0x3d0
[ 352.809951] netlink_unicast+0x353/0x480
[ 352.810744] ? netlink_attachskb+0x430/0x430
[ 352.811586] ? __alloc_skb+0xd7/0x200
[ 352.812349] netlink_sendmsg+0x396/0x680
[ 352.813132] ? netlink_unicast+0x480/0x480
[ 352.813952] ? __import_iovec+0x192/0x210
[ 352.814759] ? netlink_unicast+0x480/0x480
[ 352.815580] sock_sendmsg+0x6c/0x80
[ 352.816299] ____sys_sendmsg+0x3a5/0x3c0
[ 352.817096] ? kernel_sendmsg+0x30/0x30
[ 352.817873] ? __ia32_sys_recvmmsg+0x150/0x150
[ 352.818753] ___sys_sendmsg+0xd8/0x140
[ 352.819518] ? sendmsg_copy_msghdr+0x110/0x110
[ 352.820402] ? ___sys_recvmsg+0xf4/0x1a0
[ 352.821110] ? __copy_msghdr_from_user+0x260/0x260
[ 352.821934] ? _raw_spin_lock+0x81/0xd0
[ 352.822680] ? __handle_mm_fault+0xef3/0x1b20
[ 352.823549] ? rb_insert_color+0x2a/0x270
[ 352.824373] ? copy_page_range+0x16b0/0x16b0
[ 352.825209] ? perf_event_update_userpage+0x2d0/0x2d0
[ 352.826190] ? __fget_light+0xd9/0xf0
[ 352.826941] __sys_sendmsg+0xb3/0x130
[ 352.827613] ? __sys_sendmsg_sock+0x20/0x20
[ 352.828377] ? do_user_addr_fault+0x2c5/0x8a0
[ 352.829184] ? fpregs_assert_state_consistent+0x52/0x60
[ 352.830001] ? exit_to_user_mode_prepare+0x32/0x160
[ 352.830845] do_syscall_64+0x35/0x80
[ 352.831445] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 352.832331] RIP: 0033:0x7f7bee973c17
[ ---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 12:26:48 UTC

Technical Analysis

CVE-2021-47402 is a use-after-free vulnerability in the Linux kernel's networking subsystem, specifically in the 'flower' classifier (cls_flower) of the traffic control (tc) scheduler. The bug is a concurrency issue in fl_walk(), the function that iterates over the classifier's filters. A patch that refactored fl_walk() to iterate with idr_for_each_entry_continue_ul() also dropped the Read-Copy-Update (RCU) protection on individual filters, so a filter deleted concurrently while fl_walk() is iterating can be freed and then read. The fix takes the RCU read lock while iterating and acquiring a reference to each filter, and temporarily releases the lock only around the arg->fn() callback, which may sleep. The Kernel Address Sanitizer (KASAN) trace in the description confirms the use-after-free: an invalid read inside fl_walk(), reached from a netlink filter dump (tc_dump_tfilter) issued by the tc utility. The vulnerability affects Linux kernel versions around 5.15.0-rc2 and any other version carrying the flawed iteration logic in the flower classifier. Triggering the flaw requires the ability to add, delete and dump traffic control filters, locally or through an interface that exposes traffic control; the consequence is kernel memory corruption, which can crash the kernel or, in principle, allow arbitrary code execution in kernel context. No public exploits have been reported. Exploiting the race requires detailed knowledge of kernel internals and concurrency mechanisms, but because the flaw sits in the kernel, its impact on system stability and security is significant.
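To make the fix described above concrete, the following is an added, single-threaded user-space model of the corrected fl_walk() pattern. It is not kernel code and not the cls_flower implementation: RCU, kfree_rcu() and refcount_inc_not_zero() are stood in for by a reader counter, a deferred-free list and a plain integer refcount, and every name ending in _model, the table of four filters, and the race-injection hook are constructed for the example. What it shows is why the two halves of the fix belong together: a reference is taken under the read lock so a concurrently deleted filter is either skipped safely (its refcount is already zero and its memory is still held back by the grace period) or kept alive by the walker's own reference until the sleeping callback returns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

#define NFILTERS 4

struct filter {
    unsigned long handle;
    int refcnt;               /* models refcount_t on the kernel filter */
    struct filter *next_free; /* link on the deferred-free list */
};

static struct filter *table[NFILTERS]; /* models the IDR; NULL = empty slot */
static int rcu_readers;                /* models RCU read-side nesting depth */
static struct filter *deferred;        /* objects waiting for a grace period */
static int freed_count;                /* filters whose memory was released */
static unsigned long race_delete_handle; /* hook: delete this filter mid-walk */

/* Model of kfree_rcu(): memory is released only after all readers leave. */
static void kfree_rcu_model(struct filter *f) {
    f->next_free = deferred;
    deferred = f;
}

static void rcu_read_lock_model(void) { rcu_readers++; }

static void rcu_read_unlock_model(void) {
    if (--rcu_readers > 0) return;
    while (deferred) {                 /* grace period elapsed: free objects */
        struct filter *f = deferred;
        deferred = f->next_free;
        free(f);
        freed_count++;
    }
}

/* Model of refcount_inc_not_zero(): refuses a reference to a dying filter. */
static bool fl_get_model(struct filter *f) {
    if (f->refcnt == 0) return false;
    f->refcnt++;
    return true;
}

static void fl_put_model(struct filter *f) {
    if (--f->refcnt == 0) kfree_rcu_model(f);
}

/* Deleter: unlink from the table and drop the table's own reference. */
static void fl_delete_model(unsigned long handle) {
    for (int i = 0; i < NFILTERS; i++) {
        if (table[i] && table[i]->handle == handle) {
            struct filter *f = table[i];
            table[i] = NULL;
            fl_put_model(f);
        }
    }
}

typedef int (*walk_fn)(struct filter *f, void *arg);

/* The fixed walk: hold the read lock while taking a reference, release it
 * around the callback (which may sleep), then drop the reference. */
static int fl_walk_model(walk_fn fn, void *arg) {
    int count = 0;
    rcu_read_lock_model();
    for (int i = 0; i < NFILTERS; i++) {
        struct filter *f = table[i];
        if (!f) continue;
        if (f->handle == race_delete_handle)
            fl_delete_model(f->handle);   /* a concurrent deleter wins here */
        if (!fl_get_model(f))             /* dying filter: skip it safely */
            continue;
        rcu_read_unlock_model();          /* callback may sleep: leave RCU */
        int rc = fn(f, arg);
        fl_put_model(f);                  /* our reference kept f alive */
        rcu_read_lock_model();
        if (rc < 0) break;
        count++;
    }
    rcu_read_unlock_model();
    return count;
}

struct cb_arg { unsigned long delete_handle; unsigned long last_seen; };

/* Dump callback that, for one chosen filter, deletes it while "sleeping"
 * and then still reads the filter, which is safe under the fixed walk. */
static int dump_cb(struct filter *f, void *arg) {
    struct cb_arg *a = arg;
    if (f->handle == a->delete_handle) fl_delete_model(f->handle);
    a->last_seen = f->handle;
    return 0;
}

/* Constructed input: four live filters, handles 1..4, one table reference each. */
static void setup(void) {
    deferred = NULL; rcu_readers = 0; freed_count = 0; race_delete_handle = 0;
    for (int i = 0; i < NFILTERS; i++) {
        free(table[i]);
        table[i] = calloc(1, sizeof(*table[i]));
        table[i]->handle = (unsigned long)i + 1;
        table[i]->refcnt = 1;
    }
}

/* Returns the number of filters the walk visited. */
static int run_scenario(unsigned long race_handle, unsigned long cb_delete) {
    setup();
    race_delete_handle = race_handle;
    struct cb_arg a = { cb_delete, 0 };
    return fl_walk_model(dump_cb, &a);
}

static int live_filters(void) {
    int n = 0;
    for (int i = 0; i < NFILTERS; i++) if (table[i]) n++;
    return n;
}

static int filters_freed(void) { return freed_count; }

int main(void) {
    printf("delete inside callback: visited %d, live %d, freed %d\n",
           run_scenario(0, 2), live_filters(), filters_freed());
    printf("delete before reference: visited %d, live %d, freed %d\n",
           run_scenario(3, 0), live_filters(), filters_freed());
    return 0;
}
```

In the first scenario the walker already holds a reference when the callback deletes filter 2, so the filter is visited, its memory is released only after the walker's fl_put_model() and the closing rcu_read_unlock_model(), and no freed memory is touched. In the second, the deleter wins before the reference is taken: the refcount is already zero, the walk skips the filter, and the grace-period model still keeps its memory valid for the refcount read. Without the reference, the callback in the first scenario would read a filter that the deleter had already put on the free path, which is the read the KASAN trace reports.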

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with the flower classifier enabled, which is common in network infrastructure devices, routers, firewalls, and servers handling advanced traffic control. Exploitation could lead to denial of service through kernel crashes or privilege escalation by executing arbitrary code in kernel space. This threatens confidentiality, integrity, and availability of critical network services. Organizations relying on Linux-based network appliances or cloud infrastructure could face service disruptions or compromise of sensitive data. Given the kernel-level impact, attackers gaining local access or leveraging network interfaces that allow traffic control manipulation could exploit this flaw. The lack of known exploits currently reduces immediate risk, but the vulnerability's presence in widely deployed Linux kernels means European enterprises must prioritize patching to prevent future attacks. The impact is heightened in sectors with critical network infrastructure such as telecommunications, finance, and government services within Europe.

Mitigation Recommendations

European organizations should immediately verify the Linux kernel versions deployed in their network infrastructure and servers, focusing on those using the flower classifier for traffic control. Applying the official Linux kernel patches that reintroduce proper RCU locking in fl_walk() is essential. If patching is not immediately feasible, organizations should consider disabling or restricting the use of the flower classifier module (cls_flower) to prevent exploitation. Network administrators should audit and monitor traffic control configurations for unusual or unauthorized changes. Building test kernels with the Kernel Address Sanitizer (KASAN) enabled can surface similar memory-safety issues before they reach production. Additionally, limiting local user access and enforcing strict privilege separation reduces the attack surface, since manipulating traffic control filters normally requires elevated privileges. Regularly updating Linux distributions and subscribing to security advisories ensures timely awareness of patches. Finally, intrusion detection systems that monitor kernel anomalies (for example, KASAN or oops reports referencing fl_walk in the kernel log) may help detect exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T14:58:30.816Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe9019

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 12:26:48 PM

Last updated: 7/28/2025, 4:42:14 PM
