CVE-2021-47584: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

iocost: Fix divide-by-zero on donation from low hweight cgroup

The donation calculation logic assumes that the donor has non-zero after-donation hweight, so the lowest active hweight a donating cgroup can have is 2 so that it can donate 1 while keeping the other 1 for itself. Earlier, we only donated from cgroups with sizable surpluses so this condition was always true. However, with the precise donation algorithm implemented, f1de2439ec43 ("blk-iocost: revamp donation amount determination") made the donation amount calculation exact enabling even low hweight cgroups to donate.

This means that on rare occasions, a cgroup with active hweight of 1 can enter donation calculation triggering the following warning and then a divide-by-zero oops.

```text
WARNING: CPU: 4 PID: 0 at block/blk-iocost.c:1928 transfer_surpluses.cold+0x0/0x53 [884/94867]
...
RIP: 0010:transfer_surpluses.cold+0x0/0x53
Code: 92 ff 48 c7 c7 28 d1 ab b5 65 48 8b 34 25 00 ae 01 00 48 81 c6 90 06 00 00 e8 8b 3f fe ff 48 c7 c0 ea ff ff ff e9 95 ff 92 ff <0f> 0b 48 c7 c7 30 da ab b5 e8 71 3f fe ff 4c 89 e8 4d 85 ed 74 0 4
...
Call Trace:
 <IRQ>
 ioc_timer_fn+0x1043/0x1390
 call_timer_fn+0xa1/0x2c0
 __run_timers.part.0+0x1ec/0x2e0
 run_timer_softirq+0x35/0x70
...
iocg: invalid donation weights in /a/b: active=1 donating=1 after=0
```

Fix it by excluding cgroups w/ active hweight < 2 from donating. Excluding these extreme low hweight donations shouldn't affect work conservation in any meaningful way.
AI Analysis
Technical Summary
CVE-2021-47584 is a vulnerability identified in the Linux kernel's iocost subsystem, which manages I/O cost control for block devices. The flaw arises from a divide-by-zero error in the donation calculation logic of the iocost controller when handling cgroups (control groups) with very low active hweight values. The iocost subsystem uses a donation mechanism to redistribute I/O bandwidth among cgroups based on their active weights (hweight). The vulnerability was introduced after a revision (commit f1de2439ec43) that made the donation calculation more precise, allowing cgroups with low active hweight (even as low as 1) to donate I/O bandwidth. However, the logic assumed that the donor cgroup would always have an after-donation hweight of at least 1, which is not true for cgroups with active hweight of 1. This leads to a division by zero during the donation calculation, causing a kernel oops (crash) and triggering warnings in the kernel logs. The issue manifests as a kernel panic or crash, impacting system stability and availability. The fix involves excluding cgroups with active hweight less than 2 from participating in donation, which prevents the divide-by-zero condition without significantly affecting I/O work conservation. This vulnerability affects Linux kernel versions containing the specified commit and is relevant to systems using the iocost controller for block device I/O management. No known exploits are reported in the wild as of the publication date.
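As an added illustration, not code from the kernel or from this advisory, the C model below reproduces the donor-selection rule before and after the fix: struct and function names are hypothetical, and `scale_by_after` stands in for whichever kernel computation divides by the after-donation hweight.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of a cgroup's iocost weights; names are hypothetical,
 * not the kernel's struct ioc_gq. */
struct iocg_model {
    const char *path;
    uint32_t hweight_active;   /* hweight while the cgroup is active */
    uint32_t hweight_donating; /* share it is asked to give away */
};

/* fixed == false: pre-patch rule, every candidate may donate.
 * fixed == true: the CVE-2021-47584 fix, active hweight must be >= 2 so
 * the donor can give away 1 and still keep 1 for itself. */
static bool eligible_donor(const struct iocg_model *g, bool fixed)
{
    return !fixed || g->hweight_active >= 2;
}

/* Models a step that divides by the after-donation hweight. Returns -1
 * instead of dividing when the donor keeps nothing: the "active=1
 * donating=1 after=0" case from the kernel warning. */
static int64_t scale_by_after(const struct iocg_model *g, uint32_t value)
{
    if (g->hweight_donating >= g->hweight_active)
        return -1;
    uint32_t after = g->hweight_active - g->hweight_donating;
    return (int64_t)(((uint64_t)value * g->hweight_active) / after);
}

/* Constructed sample: the advisory's triggering cgroup and an ordinary one. */
static const struct iocg_model sample[] = {
    { "/a/b", 1, 1 }, /* active=1 donating=1 -> after=0 */
    { "/c",   8, 3 }, /* keeps 5 after donating 3 */
};
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

/* Donation pass over the sample: donor count, or -1 if one would divide by zero. */
static int run_donation_pass(bool fixed)
{
    int donors = 0;
    for (size_t i = 0; i < SAMPLE_N; i++) {
        if (!eligible_donor(&sample[i], fixed))
            continue;
        if (scale_by_after(&sample[i], 1000) < 0)
            return -1; /* the oops path the patch removes */
        donors++;
    }
    return donors;
}
```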
Potential Impact
For European organizations, the primary impact of CVE-2021-47584 is on system availability and stability. Systems running vulnerable Linux kernel versions with the iocost controller enabled may experience kernel crashes or panics under specific workloads involving cgroups with low active hweight donating I/O bandwidth. This can lead to unexpected downtime, disruption of critical services, and potential data loss if the crash occurs during I/O operations. Organizations relying on Linux servers for infrastructure, cloud services, or embedded systems could face operational interruptions. While this vulnerability does not directly compromise confidentiality or integrity, the availability impact can affect business continuity, especially for sectors with high uptime requirements such as finance, healthcare, telecommunications, and public services. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to prevent potential exploitation or accidental triggering in production environments.
Mitigation Recommendations
To mitigate CVE-2021-47584, European organizations should:

1. Apply the official Linux kernel patches that exclude cgroups with active hweight less than 2 from donation calculations. This fix is the definitive solution and prevents the divide-by-zero error.
2. If patching is not immediately possible, consider disabling or avoiding the use of the iocost controller in the Linux kernel configuration or cgroup setup, especially in environments where low hweight cgroups are used.
3. Monitor kernel logs for warnings related to iocost donation weights and divide-by-zero errors to detect potential triggering of this vulnerability.
4. Test kernel updates in staging environments to ensure stability before deployment, as kernel patches can affect system performance.
5. Maintain up-to-date Linux kernel versions from trusted sources and subscribe to vendor security advisories to receive timely updates.
6. Review cgroup configurations to avoid scenarios where cgroups have active hweight of 1 donating I/O bandwidth, reducing the chance of triggering the bug.
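For the log-monitoring recommendation, an added example that is not from the advisory or the kernel: it matches the `iocg: invalid donation weights` line quoted in the description against a constructed dmesg excerpt and flags donors left with `after=0`; the sample lines and function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fields recovered from an "iocg: invalid donation weights" warning. */
struct iocg_warning {
    char path[128];
    unsigned active, donating, after;
};

/* Returns true when `line` carries the iocost donation-weight warning
 * quoted in CVE-2021-47584 and fills *w. Matching starts at the message
 * text, so dmesg or journalctl -k timestamp prefixes do not matter. */
static bool parse_iocg_warning(const char *line, struct iocg_warning *w)
{
    static const char needle[] = "iocg: invalid donation weights in ";
    const char *p = strstr(line, needle);
    if (!p)
        return false;
    p += sizeof(needle) - 1; /* skip the fixed prefix, keep the path */
    return sscanf(p, "%127[^:]: active=%u donating=%u after=%u",
                  w->path, &w->active, &w->donating, &w->after) == 4;
}

/* Constructed excerpt standing in for `dmesg` output; not a real capture. */
static const char *const sample_log[] = {
    "[  120.001] sd 0:0:0:0: [sda] Attached SCSI disk",
    "[ 3601.442] iocg: invalid donation weights in /a/b: active=1 donating=1 after=0",
    "[ 3601.443] WARNING: CPU: 4 PID: 0 at block/blk-iocost.c:1928 transfer_surpluses.cold+0x0/0x53",
};
#define SAMPLE_LOG_N (sizeof(sample_log) / sizeof(sample_log[0]))

/* True when sample line i is the warning and the donor keeps after == 0,
 * i.e. the exact precondition of the divide-by-zero oops. */
static bool sample_line_is_zero_after(size_t i)
{
    struct iocg_warning w;
    return parse_iocg_warning(sample_log[i], &w) && w.after == 0;
}

/* Scans the whole excerpt; a non-zero result means the warning that
 * precedes the oops has already fired on this host. */
static int count_zero_after_warnings(void)
{
    int hits = 0;
    for (size_t i = 0; i < SAMPLE_LOG_N; i++)
        if (sample_line_is_zero_after(i))
            hits++;
    return hits;
}
```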
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:11:00.731Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe9519
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 2:57:11 PM
Last updated: 8/1/2025, 12:34:29 AM