vulnerability
Ubuntu: (CVE-2021-47412): linux-fips vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:L/AC:L/Au:S/C:N/I:N/A:C) | May 21, 2024 | Jun 26, 2025 | Mar 27, 2026 |
Description
In the Linux kernel, the following vulnerability has been resolved:
block: don't call rq_qos_ops->done_bio if the bio isn't tracked
rq_qos framework is only applied on request based driver, so:
1) rq_qos_done_bio() needn't to be called for bio based driver
2) rq_qos_done_bio() needn't to be called for bio which isn't tracked,
such as bios ended from error handling code.
Especially in bio_endio():
1) request queue is referred via bio->bi_bdev->bd_disk->queue, which
may be gone since request queue refcount may not be held in above two
cases
2) q->rq_qos may be freed in blk_cleanup_queue() when calling into
__rq_qos_done_bio()
Fix the potential kernel panic by not calling rq_qos_ops->done_bio if
the bio isn't tracked. This way is safe because both ioc_rqos_done_bio()
and blkcg_iolatency_done_bio() are nop if the bio isn't tracked.
Solution
References
- CVE-2021-47412
- https://attackerkb.com/topics/CVE-2021-47412
- EUVD-EUVD-2021-34417
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-34417
- https://git.kernel.org/linus/a647a524a46736786c95cdb553a070322ca096e3
- https://git.kernel.org/stable/c/004b8f8a691205a93d9e80d98b786b2b97424d6e
- https://git.kernel.org/stable/c/a647a524a46736786c95cdb553a070322ca096e3
- https://www.cve.org/CVERecord?id=CVE-2021-47412
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.