3.4 KiB
CVE-2021-47011
Description
In the Linux kernel, the following vulnerability has been resolved:mm: memcontrol: slab: fix obtain a reference to a freeing memcgPatch series "Use obj_cgroup APIs to charge kmem pages", v5.Since Roman's series "The new cgroup slab memory controller" applied.All slab objects are charged with the new APIs of obj_cgroup. The newAPIs introduce a struct obj_cgroup to charge slab objects. It preventslong-living objects from pinning the original memory cgroup in thememory. But there are still some corner objects (e.g. allocationslarger than order-1 page on SLUB) which are not charged with the newAPIs. Those objects (include the pages which are allocated from buddyallocator directly) are charged as kmem pages which still hold areference to the memory cgroup.E.g. We know that the kernel stack is charged as kmem pages because thesize of the kernel stack can be greater than 2 pages (e.g. 16KB onx86_64 or arm64). If we create a thread (suppose the thread stack ischarged to memory cgroup A) and then move it from memory cgroup A tomemory cgroup B. Because the kernel stack of the thread hold areference to the memory cgroup A. The thread can pin the memory cgroupA in the memory even if we remove the cgroup A. If we want to see thisscenario by using the following script. We can see that the system hasadded 500 dying cgroups (This is not a real world issue, just a scriptto show that the large kmallocs are charged as kmem pages which can pinthe memory cgroup in the memory). #!/bin/bash cat /proc/cgroups | grep memory cd /sys/fs/cgroup/memory echo 1 > memory.move_charge_at_immigrate for i in range{1..500} do mkdir kmem_test echo > kmem_test/cgroup.procs sleep 3600 & echo > cgroup.procs echo cat kmem_test/cgroup.procs > cgroup.procs rmdir kmem_test done cat /proc/cgroups | grep memoryThis patchset aims to make those kmem pages to drop the reference tomemory cgroup by using the APIs of obj_cgroup. Finally, we can see thatthe number of the dying cgroups will not increase if we run the above testscript.This patch (of 7):The rcu_read_lock/unlock only can guarantee that the memcg will not befreed, but it cannot guarantee the success of css_get (which is in therefill_stock when cached memcg changed) to memcg. rcu_read_lock() memcg = obj_cgroup_memcg(old) __memcg_kmem_uncharge(memcg) refill_stock(memcg) if (stock->cached != memcg) // css_get can change the ref counter from 0 back to 1. css_get(&memcg->css) rcu_read_unlock()This fix is very like the commit: eefbfa7fd678 ("mm: memcg/slab: fix use after free in obj_cgroup_charge")Fix this by holding a reference to the memcg which is passed to the__memcg_kmem_uncharge() before calling __memcg_kmem_uncharge().
POC
Reference
No PoCs from references.