vulnerability

SUSE: CVE-2021-47488: SUSE Linux Security Advisory

Try Surface Command
Back to search
Severity
5
CVSS
(AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published
May 22, 2024
Added
Aug 9, 2024
Modified
Oct 23, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

cgroup: Fix memory leak caused by missing cgroup_bpf_offline

When enabling CONFIG_CGROUP_BPF, kmemleak can be observed by running
the command as below:

$mount -t cgroup -o none,name=foo cgroup cgroup/
$umount cgroup/

unreferenced object 0xc3585c40 (size 64):
comm "mount", pid 425, jiffies 4294959825 (age 31.990s)
hex dump (first 32 bytes):
01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00 ......(.........
00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00 ........lC......
backtrace:
[<e95a2f9e>] cgroup_bpf_inherit+0x44/0x24c
[<1f03679c>] cgroup_setup_root+0x174/0x37c
[<ed4b0ac5>] cgroup1_get_tree+0x2c0/0x4a0
[<f85b12fd>] vfs_get_tree+0x24/0x108
[<f55aec5c>] path_mount+0x384/0x988
[<e2d5e9cd>] do_mount+0x64/0x9c
[<208c9cfe>] sys_mount+0xfc/0x1f4
[<06dd06e0>] ret_fast_syscall+0x0/0x48
[<a8308cb3>] 0xbeb4daa8

This is because that since the commit 2b0d3d3e4fcf ("percpu_ref: reduce
memory footprint of percpu_ref in fast path") root_cgrp->bpf.refcnt.data
is allocated by the function percpu_ref_init in cgroup_bpf_inherit which
is called by cgroup_setup_root when mounting, but not freed along with
root_cgrp when umounting. Adding cgroup_bpf_offline which calls
percpu_ref_kill to cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in
umount path.

This patch also fixes the commit 4bfc0bb2c60e ("bpf: decouple the lifetime
of cgroup_bpf from cgroup itself"). A cgroup_bpf_offline is needed to do a
cleanup that frees the resources which are allocated by cgroup_bpf_inherit
in cgroup_setup_root.

And inside cgroup_bpf_offline, cgroup_get() is at the beginning and
cgroup_put is at the end of cgroup_bpf_release which is called by
cgroup_bpf_offline. So cgroup_bpf_offline can keep the balance of
cgroup's refcount.

Solutions

suse-upgrade-cluster-md-kmp-64kbsuse-upgrade-cluster-md-kmp-azuresuse-upgrade-cluster-md-kmp-defaultsuse-upgrade-cluster-md-kmp-rtsuse-upgrade-dlm-kmp-64kbsuse-upgrade-dlm-kmp-azuresuse-upgrade-dlm-kmp-defaultsuse-upgrade-dlm-kmp-rtsuse-upgrade-dtb-allwinnersuse-upgrade-dtb-alterasuse-upgrade-dtb-amazonsuse-upgrade-dtb-amdsuse-upgrade-dtb-amlogicsuse-upgrade-dtb-apmsuse-upgrade-dtb-applesuse-upgrade-dtb-armsuse-upgrade-dtb-broadcomsuse-upgrade-dtb-caviumsuse-upgrade-dtb-exynossuse-upgrade-dtb-freescalesuse-upgrade-dtb-hisiliconsuse-upgrade-dtb-lgsuse-upgrade-dtb-marvellsuse-upgrade-dtb-mediateksuse-upgrade-dtb-nvidiasuse-upgrade-dtb-qcomsuse-upgrade-dtb-renesassuse-upgrade-dtb-rockchipsuse-upgrade-dtb-socionextsuse-upgrade-dtb-sprdsuse-upgrade-dtb-xilinxsuse-upgrade-gfs2-kmp-64kbsuse-upgrade-gfs2-kmp-azuresuse-upgrade-gfs2-kmp-defaultsuse-upgrade-gfs2-kmp-rtsuse-upgrade-kernel-64kbsuse-upgrade-kernel-64kb-develsuse-upgrade-kernel-64kb-extrasuse-upgrade-kernel-64kb-livepatch-develsuse-upgrade-kernel-64kb-optionalsuse-upgrade-kernel-azuresuse-upgrade-kernel-azure-develsuse-upgrade-kernel-azure-extrasuse-upgrade-kernel-azure-livepatch-develsuse-upgrade-kernel-azure-optionalsuse-upgrade-kernel-azure-vdsosuse-upgrade-kernel-debugsuse-upgrade-kernel-debug-develsuse-upgrade-kernel-debug-livepatch-develsuse-upgrade-kernel-debug-vdsosuse-upgrade-kernel-defaultsuse-upgrade-kernel-default-basesuse-upgrade-kernel-default-base-rebuildsuse-upgrade-kernel-default-develsuse-upgrade-kernel-default-extrasuse-upgrade-kernel-default-livepatchsuse-upgrade-kernel-default-livepatch-develsuse-upgrade-kernel-default-optionalsuse-upgrade-kernel-default-vdsosuse-upgrade-kernel-develsuse-upgrade-kernel-devel-azuresuse-upgrade-kernel-devel-rtsuse-upgrade-kernel-docssuse-upgrade-kernel-docs-htmlsuse-upgrade-kernel-kvmsmallsuse-upgrade-kernel-kvmsmall-develsuse-upgrade-kernel-kvmsmall-livepatch-develsuse-upgrade-kernel-kvmsmall-vdsosuse-upgrade-kernel-macrossuse-upgrade-kernel-obs-buildsuse-upgrade-kernel-obs-qasuse-upgrade-kernel-rtsuse-upgrade-kernel-rt-develsuse-upgrade-kernel-rt-extrasuse-upgrade-kernel-rt-livepatchsuse-upgrade-kernel-rt-livepatch-develsuse-upgrade-kernel-rt-optionalsuse-upgrade-kernel-rt-vdsosuse-upgrade-kernel-rt_debugsuse-upgrade-kernel-rt_debug-develsuse-upgrade-kernel-rt_debug-livepatch-develsuse-upgrade-kernel-rt_debug-vdsosuse-upgrade-kernel-sourcesuse-upgrade-kernel-source-azuresuse-upgrade-kernel-source-rtsuse-upgrade-kernel-source-vanillasuse-upgrade-kernel-symssuse-upgrade-kernel-syms-azuresuse-upgrade-kernel-syms-rtsuse-upgrade-kernel-zfcpdumpsuse-upgrade-kselftests-kmp-64kbsuse-upgrade-kselftests-kmp-azuresuse-upgrade-kselftests-kmp-defaultsuse-upgrade-kselftests-kmp-rtsuse-upgrade-ocfs2-kmp-64kbsuse-upgrade-ocfs2-kmp-azuresuse-upgrade-ocfs2-kmp-defaultsuse-upgrade-ocfs2-kmp-rtsuse-upgrade-reiserfs-kmp-64kbsuse-upgrade-reiserfs-kmp-azuresuse-upgrade-reiserfs-kmp-defaultsuse-upgrade-reiserfs-kmp-rt

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today