CVE-2021-47435: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

dm: fix mempool NULL pointer race when completing IO

dm_io_dec_pending() calls end_io_acct() first and will then dec md in-flight pending count. But if a task is swapping DM table at same time this can result in a crash due to mempool->elements being NULL:

task1                             task2
do_resume
 ->do_suspend
  ->dm_wait_for_completion
                                  bio_endio
                                   ->clone_endio
                                    ->dm_io_dec_pending
                                     ->end_io_acct
                                      ->wakeup task1
 ->dm_swap_table
  ->__bind
   ->__bind_mempools
    ->bioset_exit
     ->mempool_exit
                                     ->free_io

[ 67.330330] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
......
[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)
[ 67.330510] pc : mempool_free+0x70/0xa0
[ 67.330515] lr : mempool_free+0x4c/0xa0
[ 67.330520] sp : ffffff8008013b20
[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004
[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8
[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800
[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800
[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80
[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c
[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd
[ 67.330563] x15: 000000000093b41e x14: 0000000000000010
[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555
[ 67.330574] x11: 0000000000000001 x10: 0000000000000001
[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000
[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a
[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001
[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8
[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970
[ 67.330609] Call trace:
[ 67.330616]  mempool_free+0x70/0xa0
[ 67.330627]  bio_put+0xf8/0x110
[ 67.330638]  dec_pending+0x13c/0x230
[ 67.330644]  clone_endio+0x90/0x180
[ 67.330649]  bio_endio+0x198/0x1b8
[ 67.330655]  dec_pending+0x190/0x230
[ 67.330660]  clone_endio+0x90/0x180
[ 67.330665]  bio_endio+0x198/0x1b8
[ 67.330673]  blk_update_request+0x214/0x428
[ 67.330683]  scsi_end_request+0x2c/0x300
[ 67.330688]  scsi_io_completion+0xa0/0x710
[ 67.330695]  scsi_finish_command+0xd8/0x110
[ 67.330700]  scsi_softirq_done+0x114/0x148
[ 67.330708]  blk_done_softirq+0x74/0xd0
[ 67.330716]  __do_softirq+0x18c/0x374
[ 67.330724]  irq_exit+0xb4/0xb8
[ 67.330732]  __handle_domain_irq+0x84/0xc0
[ 67.330737]  gic_handle_irq+0x148/0x1b0
[ 67.330744]  el1_irq+0xe8/0x190
[ 67.330753]  lpm_cpuidle_enter+0x4f8/0x538
[ 67.330759]  cpuidle_enter_state+0x1fc/0x398
[ 67.330764]  cpuidle_enter+0x18/0x20
[ 67.330772]  do_idle+0x1b4/0x290
[ 67.330778]  cpu_startup_entry+0x20/0x28
[ 67.330786]  secondary_start_kernel+0x160/0x170

Fix this by:

1) Establishing pointers to 'struct dm_io' members in dm_io_dec_pending() so that they may be passed into end_io_acct() _after_ free_io() is called.

2) Moving end_io_acct() after free_io().
AI Analysis
Technical Summary
CVE-2021-47435 is a race condition vulnerability in the Linux kernel's device mapper (dm) subsystem, specifically in memory pool (mempool) handling during IO completion. The flaw is in dm_io_dec_pending(), which calls end_io_acct() first and only then decrements the device's in-flight pending count. If another task is concurrently swapping the device mapper table (dm_swap_table), the wakeup issued from end_io_acct() lets that task proceed to __bind_mempools() and mempool_exit(), which leaves mempool->elements NULL. When the completion path then frees the io, the result is a NULL pointer dereference and kernel crash, as the kernel panic log above shows with mempool_free at the top of the call trace. The root cause is the ordering of operations: end_io_acct() is called before free_io(), so the table swap it wakes can tear down the mempool before free_io() runs, leaving the pointers free_io() relies on invalid. The fix reorders these calls, moving end_io_acct() after free_io(), and takes stable pointers to the struct dm_io members that end_io_acct() needs beforehand, so they can be passed in once the io has been released. This vulnerability can cause system instability and denial of service (DoS) through kernel crashes triggered by concurrent IO and device mapper table swaps. It affects Linux kernel versions identified by the commit hash 6a8736d10cb413be95ea443ba40f25c93f4ef9b2 and likely other versions with similar device mapper implementations. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
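The ordering problem and the fix described above, as an added user-space model that is not the kernel's code. The structures and function bodies here (struct md, struct mempool, end_io_acct(), free_io() and the two dm_io_dec_pending() variants) are simplified stand-ins chosen for this illustration; the wakeup of the suspended task is modelled as that task running its table swap immediately, which is the interleaving the trace on this page shows. The buggy variant reports the condition the real mempool_free() crashes on instead of dereferencing NULL.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy mempool: a fixed array of free elements. mempool_exit() frees the
 * array and sets elements to NULL, the state the real crash dereferences. */
struct mempool {
    void **elements;
    int curr_nr;
    int min_nr;
};

struct dm_io {                  /* only the field end_io_acct() needs here */
    unsigned long start_time;
};

struct md {                     /* stand-in for struct mapped_device */
    struct mempool io_pool;
    bool suspender_waiting;     /* task1 blocked in dm_wait_for_completion() */
    unsigned long pending;      /* in-flight io count */
    unsigned long acct_sum;     /* accounted io time (stand-in for end_io_acct's work) */
    int swaps;                  /* how many times dm_swap_table() ran */
};

static int mempool_init(struct mempool *p, int n)
{
    p->elements = calloc((size_t)n, sizeof(void *));
    if (!p->elements) return -1;
    p->min_nr = n;
    p->curr_nr = 0;
    return 0;
}

static void mempool_exit(struct mempool *p)
{
    for (int i = 0; i < p->curr_nr; i++) free(p->elements[i]);
    free(p->elements);
    p->elements = NULL;
    p->curr_nr = 0;
}

/* Returns 0 on success, -1 where the real mempool_free() would have
 * dereferenced pool->elements == NULL (the element is released anyway). */
static int mempool_free(struct mempool *p, void *elem)
{
    if (!p->elements) { free(elem); return -1; }
    if (p->curr_nr < p->min_nr) p->elements[p->curr_nr++] = elem;
    else free(elem);
    return 0;
}

/* task1 side: do_resume -> dm_swap_table -> __bind_mempools -> mempool_exit */
static void dm_swap_table(struct md *md)
{
    md->swaps++;
    mempool_exit(&md->io_pool);
}

/* task2 side accounting; the last completion wakes the suspender, which
 * is modelled as task1 immediately swapping the table. */
static void end_io_acct(struct md *md, unsigned long start_time, unsigned long now)
{
    md->acct_sum += now - start_time;
    if (--md->pending == 0 && md->suspender_waiting) {
        md->suspender_waiting = false;
        dm_swap_table(md);
    }
}

static int free_io(struct md *md, struct dm_io *io)
{
    return mempool_free(&md->io_pool, io);
}

/* Pre-fix ordering: accounting (and the wakeup) before free_io(). */
static int dm_io_dec_pending_buggy(struct md *md, struct dm_io *io, unsigned long now)
{
    end_io_acct(md, io->start_time, now);
    return free_io(md, io);     /* the pool may already be torn down here */
}

/* Fixed ordering: copy what end_io_acct() needs out of the io, return the
 * io to its pool, and only then account and wake the suspender. */
static int dm_io_dec_pending_fixed(struct md *md, struct dm_io *io, unsigned long now)
{
    unsigned long start_time = io->start_time;
    int rc = free_io(md, io);
    end_io_acct(md, start_time, now);
    return rc;
}

/* Runs one completion against a suspending device. Returns free_io()'s
 * result: 0 if the io went back to a live pool, -1 if it hit the exited
 * pool (the crash in the trace), -2 on allocation failure in the model. */
int run_completion(bool fixed)
{
    struct md md = { .suspender_waiting = true, .pending = 1 };
    if (mempool_init(&md.io_pool, 4) != 0) return -2;
    struct dm_io *io = malloc(sizeof *io);     /* stands in for mempool_alloc() */
    if (!io) { mempool_exit(&md.io_pool); return -2; }
    io->start_time = 100;
    int rc = fixed ? dm_io_dec_pending_fixed(&md, io, 130)
                   : dm_io_dec_pending_buggy(&md, io, 130);
    if (md.io_pool.elements) mempool_exit(&md.io_pool);
    return rc;
}
```

run_completion(false) reproduces the pre-fix interleaving and returns -1, the point where the real kernel faults; run_completion(true) returns 0 because the io is back in the pool before the swap tears it down. The fix does not add locking: it only ensures nothing from the io or its pool is touched after the wakeup that lets the table swap proceed.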
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected device mapper code, which is common in enterprise servers, cloud infrastructure, and embedded devices. The device mapper is widely used for logical volume management, RAID, and storage virtualization, making this vulnerability relevant to data centers and critical infrastructure. Triggering the race leads to kernel panics and system crashes, causing denial of service and potential disruption of business operations. Systems handling high IO workloads or frequent device mapper table changes are particularly exposed. Although this vulnerability does not directly lead to privilege escalation or data leakage, the resulting instability can affect the availability of services, which is critical for sectors such as finance, healthcare, telecommunications, and government services in Europe. Additionally, recovery from kernel crashes may require manual intervention, increasing operational costs and downtime.
Mitigation Recommendations
European organizations should apply the official Linux kernel patches that reorder the calls in dm_io_dec_pending() and stabilize pointer usage as described in the fix. Until patches are applied, organizations should minimize concurrent device mapper table swaps and IO operations where possible, especially on critical systems. Monitoring kernel logs for NULL pointer dereferences with mempool_free in the call trace, or for other device-mapper-related crashes, can provide early warning. Employing kernel live patching solutions where available can reduce downtime during patch deployment. Additionally, organizations should ensure robust backup and recovery procedures are in place to limit the impact of unexpected crashes. For environments using custom or older kernels, backporting the patch or upgrading to a supported kernel version that includes the fix is recommended. Finally, limiting the ability to trigger device mapper table swaps to trusted administrators reduces the risk of accidental or malicious triggering of the vulnerability.
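Added detection helper for the log-monitoring recommendation above; it is not from the advisory or the kernel project. It scans kernel log lines for a NULL pointer dereference whose call trace passes through mempool_free() and a dm completion frame, using the frame names from the trace on this page; the frame list and the two-condition rule are choices made here. The sample lines are constructed: a subset of the trace above, and an unrelated oops that must not match.

```c
#include <string.h>

/* Frames from the page's trace that tie the fault to dm IO completion. */
static const char *const DM_FRAMES[] = { "dec_pending", "clone_endio" };

/* Returns 1 if lines[0..n) contain a NULL pointer dereference oops whose
 * call trace includes mempool_free() and at least one dm completion
 * frame; 0 otherwise. A new oops header resets the per-oops state so a
 * match is never assembled from two different crashes. */
int dm_mempool_oops_detected(const char *const *lines, int n)
{
    int seen_null = 0, in_trace = 0, seen_mempool = 0, seen_dm = 0;
    for (int i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "Unable to handle kernel NULL pointer dereference")) {
            seen_null = 1; in_trace = 0; seen_mempool = 0; seen_dm = 0;
            continue;
        }
        if (!seen_null) continue;
        if (strstr(l, "Call trace:")) { in_trace = 1; continue; }
        if (!in_trace) continue;            /* skip register dump lines */
        if (strstr(l, "mempool_free+")) seen_mempool = 1;
        for (size_t k = 0; k < sizeof DM_FRAMES / sizeof DM_FRAMES[0]; k++)
            if (strstr(l, DM_FRAMES[k])) seen_dm = 1;
        if (seen_mempool && seen_dm) return 1;
    }
    return 0;
}

/* Constructed sample: lines taken from the advisory's trace. */
static const char *const SAMPLE_HIT[] = {
    "[ 67.330330] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000",
    "[ 67.330510] pc : mempool_free+0x70/0xa0",
    "[ 67.330609] Call trace:",
    "[ 67.330616]  mempool_free+0x70/0xa0",
    "[ 67.330627]  bio_put+0xf8/0x110",
    "[ 67.330638]  dec_pending+0x13c/0x230",
    "[ 67.330644]  clone_endio+0x90/0x180",
};

/* Constructed non-matching sample: an unrelated NULL dereference. */
static const char *const SAMPLE_MISS[] = {
    "[ 12.000001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008",
    "[ 12.000002] Call trace:",
    "[ 12.000003]  some_driver_probe+0x10/0x40",
    "[ 12.000004]  platform_drv_probe+0x50/0xa0",
};

int sample_hit_detected(void)  { return dm_mempool_oops_detected(SAMPLE_HIT, 7); }
int sample_miss_detected(void) { return dm_mempool_oops_detected(SAMPLE_MISS, 4); }
```

The check is deliberately narrow: it requires both the mempool_free frame and a dm completion frame inside the same oops, so a generic NULL dereference elsewhere in the kernel, or a dm crash with a different signature, is not reported as this issue. Feed it lines read from dmesg or the journal in order; the "pc :" register line is ignored because only the call trace is inspected.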
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:58:30.830Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aebf52
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 6:41:08 AM
Last updated: 8/11/2025, 4:20:02 AM
Views: 15
Related Threats
- CVE-2025-8314 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in emarket-design Project Management, Bug and Issue Tracking Plugin – Software Issue Manager
- CVE-2025-8059 (Critical): CWE-862 Missing Authorization in bplugins B Blocks – The ultimate block collection
- CVE-2025-8690 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in addix Simple Responsive Slider
- CVE-2025-8688 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ebernstein Inline Stock Quotes
- CVE-2025-8685 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in emilien Wp chart generator