CVE-2023-52562

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()<br /> <br /> After the commit in Fixes:, if a module that created a slab cache does not<br /> release all of its allocated objects before destroying the cache (at rmmod<br /> time), we might end up releasing the kmem_cache object without removing it<br /> from the slab_caches list thus corrupting the list as kmem_cache_destroy()<br /> ignores the return value from shutdown_cache(), which in turn never removes<br /> the kmem_cache object from slabs_list in case __kmem_cache_shutdown() fails<br /> to release all of the cache&amp;#39;s slabs.<br /> <br /> This is easily observable on a kernel built with CONFIG_DEBUG_LIST=y<br /> as after that ill release the system will immediately trip on list_add,<br /> or list_del, assertions similar to the one shown below as soon as another<br /> kmem_cache gets created, or destroyed:<br /> <br /> [ 1041.213632] list_del corruption. next-&gt;prev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268)<br /> [ 1041.219165] ------------[ cut here ]------------<br /> [ 1041.221517] kernel BUG at lib/list_debug.c:62!<br /> [ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI<br /> [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G B W OE 6.5.0 #15<br /> [ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023<br /> [ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0<br /> <br /> Another quick way to trigger this issue, in a kernel with CONFIG_SLUB=y,<br /> is to set slub_debug to poison the released objects and then just run<br /> cat /proc/slabinfo after removing the module that leaks slab objects,<br /> in which case the kernel will panic:<br /> <br /> [ 50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI<br /> [ 50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G B W OE 6.5.0 #15<br /> [ 50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023<br /> [ 50.972663] RIP: 0010:get_slabinfo+0x42/0xf0<br /> <br /> This patch fixes this issue by properly checking shutdown_cache()&amp;#39;s<br /> return value before taking the kmem_cache_release() branch.