CVE-2021-47488 Information

Description

In the Linux kernel the following vulnerability has been resolved:

cgroup: Fix memory leak caused by missing cgroup_bpf_offline

When enabling CONFIG_CGROUP_BPF kmemleak can be observed by running the command as below:

$mount -t cgroup -o nonename=foo cgroup cgroup/
$umount cgroup/

unreferenced object 0xc3585c40 (size 64): comm \mount\ pid 425 jiffies 4294959825 (age 31.990s) hex dump (first 32 bytes): 01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00 ……(……… 00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00 ……..lC…… backtrace: [] cgroup_bpf_inherit+0x44/0x24c [<1f03679c>] cgroup_setup_root+0x174/0x37c [] cgroup1_get_tree+0x2c0/0x4a0 [] vfs_get_tree+0x24/0x108 [] path_mount+0x384/0x988 [] do_mount+0x64/0x9c [<208c9cfe>] sys_mount+0xfc/0x1f4 [<06dd06e0>] ret_fast_syscall+0x0/0x48 [] 0xbeb4daa8

This is because that since the commit 2b0d3d3e4fcf (\percpu_ref: reduce memory footprint of percpu_ref in fast path) root_cgrp->bpf.refcnt.data is allocated by the function percpu_ref_init in cgroup_bpf_inherit which is called by cgroup_setup_root when mounting but not freed along with root_cgrp when umounting. Adding cgroup_bpf_offline which calls percpu_ref_kill to cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in umount path.

This patch also fixes the commit 4bfc0bb2c60e (pf: decouple the lifetime of cgroup_bpf from cgroup itself). A cgroup_bpf_offline is needed to do a cleanup that frees the resources which are allocated by cgroup_bpf_inherit in cgroup_setup_root.

And inside cgroup_bpf_offline cgroup_get() is at the beginning and cgroup_put is at the end of cgroup_bpf_release which is called by cgroup_bpf_offline. So cgroup_bpf_offline can keep the balance of cgroup’s refcount.

Reference

https://git.kernel.org/stable/c/01599bf7cc2b49c3d2be886cb438647dc25446ed https://git.kernel.org/stable/c/b529f88d93884cf8ccafda793ee3d27b82fa578d https://git.kernel.org/stable/c/04f8ef5643bcd8bcde25dfdebef998aea480b2ba