CVE-2021-47163: tipc: wait and exit until all work queues are done
In the Linux kernel, the following vulnerability has been resolved:
tipc: wait and exit until all work queues are done
On some host, a crash could be triggered simply by repeating these
commands several times:
# modprobe tipc
# tipc bearer enable media udp name UDP1 localip 127.0.0.1
# rmmod tipc
[] BUG: unable to handle kernel paging request at ffffffffc096bb00
[] Workqueue: events 0xffffffffc096bb00
[] Call Trace:
[] ? process_one_work+0x1a7/0x360
[] ? worker_thread+0x30/0x390
[] ? create_worker+0x1a0/0x1a0
[] ? kthread+0x116/0x130
[] ? kthread_flush_work_fn+0x10/0x10
[] ? ret_from_fork+0x35/0x40
When removing the TIPC module, the UDP tunnel sock will be delayed to
release in a work queue as sock_release() can't be done in rtnl_lock().
If the work queue is schedule to run after the TIPC module is removed,
kernel will crash as the work queue function cleanup_beareri() code no
longer exists when trying to invoke it.
To fix it, this patch introduce a member wq_count in tipc_net to track
the numbers of work queues in schedule, and wait and exit until all
work queues are done in tipc_exit_net().
Security readout for executives and security teams
Plain-English summary
CVE-2021-47163 is a Linux kernel TIPC cleanup bug. If delayed cleanup work runs after the TIPC module is removed, the kernel can crash. The source describes an availability failure during repeated module lifecycle operations, not proven remote compromise or data theft.
Executive priority
Prioritize patching on Linux systems where TIPC is used or where kernel crashes would materially affect uptime. Lower urgency is reasonable for systems without TIPC exposure, but confirm with asset and kernel-package inventory.
Technical view
The TIPC UDP bearer cleanup path can schedule work that outlives module removal. When that delayed work later invokes cleanup code from an unloaded module, the kernel may fault. The fix tracks scheduled workqueue count in tipc_net and waits in tipc_exit_net until queued work completes.
Likely exposure
Exposure is most relevant on Linux systems with the TIPC module available and operational processes or privileged users able to load, configure, and unload it. The provided source lists Linux 4.1 and several later stable branches as affected, with kernel stable commits referenced as fixes.
Exploitation context
The bundle does not show KEV listing or public active exploitation. The described trigger requires repeated TIPC module lifecycle activity and appears local or privileged in nature. Treat it primarily as a denial-of-service risk unless vendor guidance identifies broader exposure.
Researcher notes
Evidence supports a TIPC module teardown race causing kernel crash through stale delayed work. No CVSS, CWE, exploit-in-the-wild evidence, or distribution-specific fixed packages are included in the bundle, so exposure assessment should be validated against vendor kernel advisories.
Mitigation direction
Update to a Linux kernel containing one of the referenced stable fixes.
Check distribution vendor advisories for exact fixed package versions.
Disable or avoid loading TIPC where it is not required.
Restrict privileged module management to trusted administrators only.
Validation and detection
Confirm whether TIPC is present, loadable, or enabled on target systems.
Map running kernel versions against vendor fixed versions or referenced stable commits.
Review operational automation for repeated TIPC load, bearer setup, or unload activity.
Verify patched kernels include the workqueue wait behavior in TIPC teardown.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47163 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.