Linux Kernel Blk-Cgroup Use-After-Free Vulnerability in Work Release Function

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's block cgroup (blk-cgroup) management. The issue is in 'cgwb_release_workfn()', the work function that handles release in the cgroup writeback subsystem. The function calls 'css_put()' to decrement the reference count of the block cgroup's CSS (control group) pointer; if that call drops the last reference, the block cgroup can be freed asynchronously before the function accesses the pointer again, leading to a use-after-free. This flaw has been observed sporadically in Meta's fleet across multiple kernel versions.

Impact

Exploitation of this vulnerability causes a use-after-free condition, where a pointer is accessed after the memory it references has been freed. This can lead to memory corruption, allowing for arbitrary code execution or causing a system crash.

Reproduction

The vulnerability can be reproduced by injecting a delay of 100 milliseconds between the 'css_put()' call and the 'blkcg_unpin_online()' call in 'cgwb_release_workfn()'. The delay widens the race window so that the block cgroup is freed before it is accessed, triggering the use-after-free. The issue reproduces consistently in less than a second on a kernel with KASAN (Kernel Address Sanitizer) enabled.

Remediation

The vulnerability has been fixed by modifying the order of operations in the 'cgwb_release_workfn()' function. The 'blkcg_unpin_online()' call has been moved before the 'css_put()' call, ensuring that the block cgroup remains valid while it is being accessed.
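To make the ordering fix concrete, the following is an added model written for this page, not kernel code and not from the advisory: the struct, its refcount, pin count and 'freed' flag are constructed stand-ins for the blkcg, 'css_put()' and 'blkcg_unpin_online()'. The buggy order reports a stale access whenever the put drops the last reference; the fixed order does not.

```c
#include <stdio.h>
/* Constructed model of the ordering bug described above, not kernel code.
 * The object holds a reference count (the CSS reference) and an online pin
 * count; dropping the last reference frees it.  Instead of calling free(),
 * the model sets a 'freed' flag that every accessor checks, as KASAN would. */
struct model_blkcg {
    int refcnt;      /* stands in for the css reference count */
    int online_pin;  /* stands in for the online pin count */
    int freed;       /* 1 once the last reference was dropped */
};

/* stands in for css_put(): drop one reference, free on zero */
static void model_css_put(struct model_blkcg *bc)
{
    if (--bc->refcnt == 0)
        bc->freed = 1;  /* real code frees the allocation here */
}

/* stands in for blkcg_unpin_online(): needs a live object.
 * Returns 0 on success, -1 if the object was already freed. */
static int model_unpin_online(struct model_blkcg *bc)
{
    if (bc->freed)
        return -1;      /* KASAN would flag this use-after-free */
    bc->online_pin--;
    return 0;
}

/* buggy order from the advisory: put first, then touch the object */
int release_buggy(struct model_blkcg *bc)
{
    model_css_put(bc);
    return model_unpin_online(bc);
}

/* fixed order: touch the object while the reference is held, then put */
int release_fixed(struct model_blkcg *bc)
{
    int ret = model_unpin_online(bc);
    model_css_put(bc);
    return ret;
}

int main(void)
{
    struct model_blkcg a = { 1, 1, 0 }, b = { 1, 1, 0 };
    printf("buggy order: %s\n", release_buggy(&a) ? "use-after-free" : "ok");
    printf("fixed order: %s\n", release_fixed(&b) ? "use-after-free" : "ok");
    return 0;
}
```

With a second reference held elsewhere the buggy order passes, which matches the advisory's point that the bug only shows when 'css_put()' drops the last reference.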

Added: Apr 24, 2026, 6:42 PM
Updated: Apr 24, 2026, 6:42 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.