CVE-2021-47209: sched/fair: Prevent dead task groups from regaining cfs_rq's
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Prevent dead task groups from regaining cfs_rq's
Kevin is reporting crashes which point to a use-after-free of a cfs_rq
in update_blocked_averages(). Initial debugging revealed that we've
live cfs_rq's (on_list=1) in an about to be kfree()'d task group in
free_fair_sched_group(). However, it was unclear how that can happen.
His kernel config happened to lead to a layout of struct sched_entity
that put the 'my_q' member directly into the middle of the object
which makes it incidentally overlap with SLUB's freelist pointer.
That, in combination with SLAB_FREELIST_HARDENED's freelist pointer
mangling, leads to a reliable access violation in form of a #GP which
made the UAF fail fast.
Michal seems to have run into the same issue[1]. He already correctly
diagnosed that commit a7b359fc6a37 ("sched/fair: Correctly insert
cfs_rq's to list on unthrottle") is causing the preconditions for the
UAF to happen by re-adding cfs_rq's also to task groups that have no
more running tasks, i.e. also to dead ones. His analysis, however,
misses the real root cause and it cannot be seen from the crash
backtrace only, as the real offender is tg_unthrottle_up() getting
called via sched_cfs_period_timer() via the timer interrupt at an
inconvenient time.
When unregister_fair_sched_group() unlinks all cfs_rq's from the dying
task group, it doesn't protect itself from getting interrupted. If the
timer interrupt triggers while we iterate over all CPUs or after
unregister_fair_sched_group() has finished but prior to unlinking the
task group, sched_cfs_period_timer() will execute and walk the list of
task groups, trying to unthrottle cfs_rq's, i.e. re-add them to the
dying task group. These will later -- in free_fair_sched_group() -- be
kfree()'ed while still being linked, leading to the fireworks Kevin
and Michal are seeing.
To fix this race, ensure the dying task group gets unlinked first.
However, simply switching the order of unregistering and unlinking the
task group isn't sufficient, as concurrent RCU walkers might still see
it, as can be seen below:
CPU1: CPU2:
: timer IRQ:
: do_sched_cfs_period_timer():
: :
: distribute_cfs_runtime():
: rcu_read_lock();
: :
: unthrottle_cfs_rq():
sched_offline_group(): :
: walk_tg_tree_from(…,tg_unthrottle_up,…):
list_del_rcu(&tg->list); :
(1) : list_for_each_entry_rcu(child, &parent->children, siblings)
: :
(2) list_del_rcu(&tg->siblings); :
: tg_unthrottle_up():
unregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)];
: :
list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); :
: :
: if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running)
(3) : list_add_leaf_cfs_rq(cfs_rq);
: :
: :
: :
: :
:
---truncated---
Security readout for executives and security teams
Plain-English summary
CVE-2021-47209 is a Linux kernel scheduler flaw that can leave freed scheduler data still reachable. The public record describes crashes from a use-after-free during task-group cleanup. There is no CVSS score or KEV listing in the supplied sources, so urgency depends on whether affected kernels are deployed.
Executive priority
Handle through normal kernel patch governance, with higher priority for shared compute and container platforms. No active exploitation is cited, but kernel use-after-free crashes can affect availability and may carry security risk.
Technical view
The bug is a race in sched/fair involving CFS task groups. A timer-driven unthrottle path can re-add cfs_rq entries to a dying task group after unregister logic unlinks them, causing free_fair_sched_group() to free still-linked structures and leading to use-after-free crashes.
Likely exposure
Exposure is likely limited to Linux systems running affected kernel versions or code containing commit a7b359fc6a37 without the referenced stable fixes. Containerized or multi-tenant systems using cgroups/task groups may deserve closer review, but the supplied sources do not provide distro package mappings.
Exploitation context
The supplied sources describe crash reports and root-cause analysis, not public exploitation. KEV is false. Treat this as a kernel stability and potential local security risk until vendor advisories clarify exploitability for your deployed kernel builds.
Researcher notes
Evidence is strongest for the race condition and upstream stable fixes. The source bundle lacks CVSS, CWE, distro status, and exploitability analysis. Avoid claiming privilege escalation or remote exposure without additional vendor evidence.
Mitigation direction
Update Linux kernels to versions containing the referenced stable fixes.
Check distro security advisories for CVE-2021-47209 package mapping.
Prioritize internet-facing, multi-tenant, and container-heavy Linux hosts.
Avoid direct deploy assumptions; follow vendor kernel guidance.
Validation and detection
Inventory running kernel versions across Linux systems.
Confirm kernel changelogs include the referenced stable commits.
Review crash logs for scheduler, cfs_rq, or use-after-free indicators.
Verify vendor advisories mark the installed package as fixed.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47209 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.