CVE-2021-47492: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

mm, thp: bail out early in collapse_file for writeback page

Currently collapse_file does not explicitly check PG_writeback, instead, page_has_private and try_to_release_page are used to filter writeback pages. This does not work for xfs with blocksize equal to or larger than pagesize, because in such case xfs has no page->private.

This makes collapse_file bail out early for writeback page. Otherwise, xfs end_page_writeback will panic as follows.

page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:ffff0003f88c86a8 index:0x0 pfn:0x84ef32
aops:xfs_address_space_operations [xfs] ino:30000b7 dentry name:"libtest.so"
flags: 0x57fffe0000008027(locked|referenced|uptodate|active|writeback)
raw: 57fffe0000008027 ffff80001b48bc28 ffff80001b48bc28 ffff0003f88c86a8
raw: 0000000000000000 0000000000000000 00000000ffffffff ffff0000c3e9a000
page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
page->mem_cgroup:ffff0000c3e9a000
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1212!
Internal error: Oops - BUG: 0 [#1] SMP
Modules linked in:
BUG: Bad page state in process khugepaged pfn:84ef32
 xfs(E)
page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:0 index:0x0 pfn:0x84ef32
 libcrc32c(E) rfkill(E) aes_ce_blk(E) crypto_simd(E) ...
CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Tainted: ...
pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
Call trace:
 end_page_writeback+0x1c0/0x214
 iomap_finish_page_writeback+0x13c/0x204
 iomap_finish_ioend+0xe8/0x19c
 iomap_writepage_end_bio+0x38/0x50
 bio_endio+0x168/0x1ec
 blk_update_request+0x278/0x3f0
 blk_mq_end_request+0x34/0x15c
 virtblk_request_done+0x38/0x74 [virtio_blk]
 blk_done_softirq+0xc4/0x110
 __do_softirq+0x128/0x38c
 __irq_exit_rcu+0x118/0x150
 irq_exit+0x1c/0x30
 __handle_domain_irq+0x8c/0xf0
 gic_handle_irq+0x84/0x108
 el1_irq+0xcc/0x180
 arch_cpu_idle+0x18/0x40
 default_idle_call+0x4c/0x1a0
 cpuidle_idle_call+0x168/0x1e0
 do_idle+0xb4/0x104
 cpu_startup_entry+0x30/0x9c
 secondary_start_kernel+0x104/0x180
Code: d4210000 b0006161 910c8021 94013f4d (d4210000)
---[ end trace 4a88c6a074082f8c ]---
Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt
AI Analysis
Technical Summary
CVE-2021-47492 is a vulnerability in the Linux kernel's memory management subsystem, in how the collapse_file operation handles pages that are under writeback. collapse_file does not explicitly check the PG_writeback flag on pages. Instead, it relies on page_has_private and try_to_release_page to filter out writeback pages. This filter fails for the XFS filesystem when the block size is equal to or larger than the system page size: in that case XFS has no page->private, so a writeback page is not filtered out and collapse_file does not bail out for it. When the writeback later completes, end_page_writeback tries to finalize writeback on a page in an invalid state and the kernel panics. The fix makes collapse_file bail out early for a writeback page. The panic manifests as a BUG in the kernel, with kernel oops logs indicating a bad page state and a fatal exception in interrupt context. The issue can cause system instability or crashes on systems using XFS with block sizes equal to or larger than the page size. The vulnerability is rooted in the interaction between the kernel's memory management and the filesystem, and affects the reliability and availability of affected Linux systems. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability was published on May 22, 2024, and affects certain Linux kernel versions identified by specific commit hashes.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected versions and using the XFS filesystem configured with block sizes equal to or larger than the page size. XFS is commonly used in enterprise environments for its scalability and performance, especially in storage servers, cloud infrastructure, and high-performance computing clusters. A kernel panic caused by this vulnerability can lead to unexpected system crashes, resulting in downtime, potential data loss, and disruption of critical services. Organizations relying on Linux-based servers for file storage, virtualization hosts, or container orchestration platforms may experience availability issues. While the vulnerability does not appear to allow direct code execution or privilege escalation, the denial-of-service impact can be significant in production environments. The lack of known exploits reduces immediate risk, but the severity of kernel panics warrants prompt attention. The impact is heightened in sectors with stringent uptime requirements such as finance, telecommunications, healthcare, and public infrastructure within Europe.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Identify Linux systems running affected kernel versions and verify if XFS is used with block sizes equal to or larger than the system page size.
2) Apply the official Linux kernel patches or upgrade to a kernel version where this issue is resolved as soon as they become available. Since no patch links are provided, monitoring official Linux kernel mailing lists and vendor advisories (e.g., distributions like Red Hat, SUSE, Ubuntu) is critical.
3) Implement robust monitoring and alerting for kernel panics and system crashes to detect potential exploitation or triggering of this bug early.
4) Consider temporary workarounds such as adjusting XFS block size configurations if feasible, or avoiding workloads that trigger collapse_file on writeback pages until patched.
5) Maintain regular backups and disaster recovery plans to minimize data loss risks from unexpected crashes.
6) Engage with Linux distribution vendors for support and guidance on backported fixes or mitigations tailored to their kernel versions.
7) Test kernel updates in staging environments to ensure stability before deployment in production.
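Steps 1 and 3 above as shell, added here as an example (not code from the advisory or the kernel project). The function names are hypothetical; the block size is read through statfs with GNU `stat -f`, and the log markers are the ones visible in the oops quoted in the description.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of any tool.

# Step 1a: print "MOUNTPOINT<TAB>BSIZE" for every mounted XFS filesystem.
# The block size is read through statfs (GNU stat -f -c %S).
list_xfs_bsize() {
    findmnt -l -n -t xfs -o TARGET | while IFS= read -r mnt; do
        printf '%s\t%s\n' "$mnt" "$(stat -f -c %S "$mnt")"
    done
}

# Step 1b: from such lines on stdin, keep the mount points whose block size
# is equal to or larger than the page size passed as $1.
xfs_bsize_ge_pagesize() {
    awk -F '\t' -v ps="$1" '$2 + 0 >= ps + 0 { print $1 }'
}

# Step 3: succeed if the kernel log on stdin holds the crash signature from
# the description: a page-refcount BUG or a "Bad page state" report from
# khugepaged, followed by an end_page_writeback frame in the same oops.
has_writeback_collapse_oops() {
    awk '
        /page_ref_count\(page\)/ || /Bad page state in process khugepaged/ { bad = 1 }
        /end_page_writeback\+0x/ { if (bad) hit = 1 }
        /---\[ end trace/ { bad = 0 }
        END { exit (hit ? 0 : 1) }
    '
}

# Live use on a host: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    list_xfs_bsize | xfs_bsize_ge_pagesize "$(getconf PAGESIZE)"
    if dmesg | has_writeback_collapse_oops; then
        echo "kernel log contains the end_page_writeback crash signature"
    fi
fi
```

A mount point printed by the first pipeline only shows that the filesystem geometry matches the condition in the description; whether the running kernel carries the fix still has to be confirmed against the vendor advisory.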
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-22T06:20:56.201Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe9290
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 1:41:22 PM
Last updated: 7/28/2025, 6:21:09 PM