CVE-2024-43892

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/08/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

memcg: protect concurrent access to mem_cgroup_idr

Commit 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after many small jobs") decoupled the memcg IDs from the CSS ID space to fix the cgroup creation failures. It introduced IDR to maintain the memcg ID space. The IDR depends on external synchronization mechanisms for modifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace() happen within css callback and thus are protected through cgroup_mutex from concurrent modifications. However idr_remove() for mem_cgroup_idr was not protected against concurrency and can be run concurrently for different memcgs when they hit their refcnt to zero. Fix that.

We have been seeing list_lru based kernel crashes at a low frequency in our fleet for a long time. These crashes were in different parts of list_lru code including list_lru_add(), list_lru_del() and reparenting code. Upon further inspection, it looked like for a given object (dentry and inode), the super_block's list_lru didn't have list_lru_one for the memcg of that object. The initial suspicions were either the object is not allocated through kmem_cache_alloc_lru() or somehow memcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but returned success. No evidence was found for these cases.

Looking more deeply, we started seeing situations where a valid memcg's id is not present in mem_cgroup_idr and in some cases multiple valid memcgs have the same id and mem_cgroup_idr is pointing to one of them. So, the most reasonable explanation is that these situations can happen due to a race between multiple idr_remove() calls or a race between idr_alloc()/idr_replace() and idr_remove(). These races are causing multiple memcgs to acquire the same ID and then offlining of one of them would cleanup list_lrus on the system for all of them. Later access from other memcgs to the list_lru cause crashes due to missing list_lru_one.
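
As an added illustration (not code from the kernel or from this advisory), the following user-space C model replays the race the description outlines: an IDR-like id space whose allocation is serialized but whose removal is an unlocked read-modify-write, so an allocation that lands inside the removal window loses its id and the id is handed out again. The names (id_space, memcg_online, offline_*) are invented for the model, and offline_locked() stands for the obvious repair of serializing removal on the same lock; the page does not quote the upstream patch, so that is an assumption.

```c
#include <pthread.h>
#include <stdint.h>

/* Toy stand-in for mem_cgroup_idr: bit i of 'used' set means memcg id i is
 * live (ids start at 1, as memcg ids do); lru[i] models the per-memcg
 * list_lru_one. Like the kernel IDR, the structure does no locking itself. */
struct id_space { uint64_t used; int lru[64]; pthread_mutex_t lock; };
/* Allocation runs under the lock, as idr_alloc() does under cgroup_mutex. */
static int memcg_online(struct id_space *s) {
    int id = -1;
    pthread_mutex_lock(&s->lock);
    for (int i = 1; i < 64 && id < 0; i++)
        if (!(s->used & (1ULL << i))) { s->used |= 1ULL << i; s->lru[i] = 1; id = i; }
    pthread_mutex_unlock(&s->lock);
    return id;
}

/* The bug pattern: removal as an unlocked read-modify-write, here split into
 * its two halves so the window between them can be replayed deterministically. */
static uint64_t offline_unlocked_read(struct id_space *s) { return s->used; }
static void offline_unlocked_write(struct id_space *s, uint64_t snap, int id) {
    s->lru[id] = 0;                  /* free this memcg's list_lru_one */
    s->used = snap & ~(1ULL << id);  /* stale write-back clobbers concurrent allocs */
}

/* The fixed pattern (assumed): read and write happen inside one critical section. */
static void offline_locked(struct id_space *s, int id) {
    pthread_mutex_lock(&s->lock);
    s->lru[id] = 0;
    s->used &= ~(1ULL << id);
    pthread_mutex_unlock(&s->lock);
}

struct replay { int a_missing, a_dup, a_lru_gone; };
/* Interleaving from the advisory: memcg A comes online between the two halves of memcg B's unlocked removal. */
static struct replay lost_update_replay(void) {
    struct id_space s = { 0, {0}, PTHREAD_MUTEX_INITIALIZER };
    struct replay r = {0};
    int b = memcg_online(&s);                      /* id 1 */
    uint64_t snap = offline_unlocked_read(&s);     /* B starts going offline */
    int a = memcg_online(&s);                      /* id 2, bit set under the lock */
    offline_unlocked_write(&s, snap, b);           /* B finishes: A's bit is dropped */
    r.a_missing = !(s.used & (1ULL << a));         /* valid memcg, id not in the idr */
    memcg_online(&s);                              /* id 1 reused, legitimately */
    int dup = memcg_online(&s);                    /* id 2 again: two live memcgs, one id */
    r.a_dup = (dup == a);
    offline_locked(&s, dup);                       /* offlining the twin ... */
    r.a_lru_gone = (s.lru[a] == 0);                /* ... removed A's list_lru_one too */
    return r;
}
```

The three flags in the returned struct correspond to the three symptoms the description lists: an id missing from the idr for a live memcg, two live memcgs sharing an id, and the list_lru_one vanishing for one of them when the other is offlined.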

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.7 (including)    6.6.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)    6.10.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*