CVE-2021-47512: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net/sched: fq_pie: prevent dismantle issue

For some reason, fq_pie_destroy() did not copy working code from pie_destroy() and other qdiscs, thus causing elusive bug.

Before calling del_timer_sync(&q->adapt_timer), we need to ensure timer will not rearm itself.

rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 0-....: (4416 ticks this GP) idle=60d/1/0x4000000000000000 softirq=10433/10434 fqs=2579
(t=10501 jiffies g=13085 q=3989)
NMI backtrace for cpu 0
CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111
nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
rcu_dump_cpu_stacks+0x25e/0x3f0 kernel/rcu/tree_stall.h:343
print_cpu_stall kernel/rcu/tree_stall.h:627 [inline]
check_cpu_stall kernel/rcu/tree_stall.h:711 [inline]
rcu_pending kernel/rcu/tree.c:3878 [inline]
rcu_sched_clock_irq.cold+0x9d/0x746 kernel/rcu/tree.c:2597
update_process_times+0x16d/0x200 kernel/time/timer.c:1785
tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:226
tick_sched_timer+0x1b0/0x2d0 kernel/time/tick-sched.c:1428
__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
__hrtimer_run_queues+0x1c0/0xe50 kernel/time/hrtimer.c:1749
hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline]
__sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103
sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:write_comp_data kernel/kcov.c:221 [inline]
RIP: 0010:__sanitizer_cov_trace_const_cmp1+0x1d/0x80 kernel/kcov.c:273
Code: 54 c8 20 48 89 10 c3 66 0f 1f 44 00 00 53 41 89 fb 41 89 f1 bf 03 00 00 00 65 48 8b 0c 25 40 70 02 00 48 89 ce 4c 8b 54 24 08 <e8> 4e f7 ff ff 84 c0 74 51 48 8b 81 88 15 00 00 44 8b 81 84 15 00
RSP: 0018:ffffc90000d27b28 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff888064bf1bf0 RCX: ffff888011928000
RDX: ffff888011928000 RSI: ffff888011928000 RDI: 0000000000000003
RBP: ffff888064bf1c28 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff875d8295 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880783dd300 R14: 0000000000000000 R15: 0000000000000000
pie_calculate_probability+0x405/0x7c0 net/sched/sch_pie.c:418
fq_pie_timer+0x170/0x2a0 net/sched/sch_fq_pie.c:383
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
run_ksoftirqd kernel/softirq.c:921 [inline]
run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
kthread+0x405/0x4f0 kernel/kthread.c:327
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
AI Analysis
Technical Summary
CVE-2021-47512 is a vulnerability identified in the Linux kernel's network scheduler component, specifically within the fq_pie (Fair Queueing with Proportional Integral controller Enhanced) queue discipline implementation. The issue arises because the fq_pie_destroy() function failed to properly replicate the timer cleanup logic present in similar queue disciplines such as pie_destroy(). This omission leads to a subtle bug where the adaptive timer (q->adapt_timer) can rearm itself even after del_timer_sync() is called, potentially causing a timer to remain active unexpectedly. This behavior can trigger a self-detected stall in the Read-Copy-Update (RCU) subsystem, as evidenced by kernel logs showing rcu_preempt stalls and NMI (Non-Maskable Interrupt) backtraces. The stall occurs because the timer's unexpected rearming interferes with the kernel's ability to progress RCU grace periods, which are critical for safe memory reclamation and synchronization in the kernel. The vulnerability is rooted in a race condition and improper timer management within the fq_pie scheduler, which can lead to kernel stalls or hangs, impacting system responsiveness and availability. The detailed kernel stack traces indicate that the issue manifests during timer expiration and softirq handling, which are fundamental to Linux kernel operation. Although no known exploits are reported in the wild, the vulnerability could be triggered by crafted network traffic or workloads that exercise the fq_pie scheduler, potentially leading to denial-of-service (DoS) conditions on affected systems. The vulnerability affects Linux kernel versions prior to the patch that corrected the fq_pie_destroy() function to properly prevent timer rearming.
Potential Impact
For European organizations, the impact of CVE-2021-47512 primarily concerns system availability and stability. Linux is widely deployed across European enterprises, government agencies, cloud providers, and critical infrastructure, often serving as the backbone for servers, networking equipment, and embedded devices. A kernel stall or hang caused by this vulnerability could disrupt essential services, leading to downtime, degraded performance, or loss of productivity. Organizations relying on fq_pie for network traffic shaping and congestion control may experience intermittent or sustained outages, affecting applications such as web hosting, telecommunications, and cloud services. While the vulnerability does not directly expose confidentiality or integrity risks, the denial-of-service potential can indirectly impact business continuity and service-level agreements. Additionally, in environments with high network traffic or specialized QoS configurations, the risk of triggering this bug may be elevated. Given the absence of known exploits, the immediate threat level is moderate; however, the potential for targeted exploitation in critical sectors cannot be discounted. The complexity of the bug and its manifestation in kernel timer management also means that troubleshooting and recovery could be challenging, increasing operational costs and incident response efforts.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to the latest stable version that includes the fix for CVE-2021-47512. Specifically, ensure that the fq_pie_destroy() function has been patched to prevent the adaptive timer from rearming after deletion. For environments where immediate patching is not feasible, consider temporarily disabling the fq_pie queue discipline or replacing it with alternative, stable qdiscs such as fq_codel or pie, depending on network performance requirements. Network administrators should monitor kernel logs for signs of RCU stalls or timer-related warnings that could indicate attempts to trigger the vulnerability. Implementing robust kernel crash dump and monitoring solutions can aid in early detection and forensic analysis. Additionally, organizations should review their network traffic shaping policies to minimize exposure to unusual or crafted traffic patterns that might exacerbate the issue. For critical infrastructure, deploying kernel live patching solutions can reduce downtime associated with patch application. Finally, maintain close coordination with Linux distribution vendors and security advisories to receive timely updates and guidance.
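One way to run the two checks recommended above (is fq_pie attached to any interface, and do logged RCU stalls implicate fq_pie_timer), as an added example that is not part of the original advisory or of the kernel project. The function names, the 80-line backtrace window and the sample inputs are assumptions constructed for illustration; the stack frames in the sample log are excerpted from the trace in the description.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2021-47512 (hypothetical names).

# Interfaces that have an fq_pie qdisc attached.
# Input: `tc qdisc show` text on stdin.
fq_pie_devices() {
    awk '$1 == "qdisc" && $2 == "fq_pie" {
             for (i = 3; i < NF; i++) if ($i == "dev") print $(i + 1)
         }' | sort -u
}

# Number of RCU stall reports whose backtrace (the next $1 lines,
# default 80, an assumed window) contains an fq_pie_timer frame.
# Input: kernel log text (dmesg or journalctl -k) on stdin.
count_fq_pie_stalls() {
    awk -v window="${1:-80}" '
        /rcu: INFO: .*stall/ { in_report = 1; left = window; hit = 0; next }
        in_report && !hit && /fq_pie_timer[+]0x/ { hit = 1; n++ }
        in_report && (--left <= 0) { in_report = 0 }
        END { print n + 0 }'
}

# Constructed sample inputs; timestamps and the second stall are made up.
sample_tc() {
    cat <<'EOF'
qdisc noqueue 0: dev lo root refcnt 2
qdisc fq_pie 8001: dev eth0 root refcnt 2 limit 10240p flows 1024
qdisc fq_codel 0: dev eth1 root refcnt 2 limit 10240p flows 1024
EOF
}
sample_log() {
    cat <<'EOF'
[  100.000001] rcu: INFO: rcu_preempt self-detected stall on CPU
[  100.000002] NMI backtrace for cpu 0
[  100.000003]  pie_calculate_probability+0x405/0x7c0 net/sched/sch_pie.c:418
[  100.000004]  fq_pie_timer+0x170/0x2a0 net/sched/sch_fq_pie.c:383
[  100.000005]  call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
[  900.000001] rcu: INFO: rcu_preempt self-detected stall on CPU
[  900.000002]  some_other_driver_poll+0x10/0x40
EOF
}

echo "fq_pie attached to: $(sample_tc | fq_pie_devices | tr '\n' ' ')"
echo "stall reports implicating fq_pie_timer: $(sample_log | count_fq_pie_stalls)"
```

On a live host the same functions take `tc qdisc show` and `dmesg` output on stdin in place of the sample functions.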
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:02:54.824Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe9323
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 1:57:53 PM
Last updated: 7/31/2025, 7:10:02 PM
Related Threats
- CVE-2025-8927: Improper Restriction of Excessive Authentication Attempts in mtons mblog (Medium)
- CVE-2025-43988: n/a (Critical)
- CVE-2025-8926: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-43986: n/a (Critical)
- CVE-2025-43982: n/a (Critical)