Linux Kernel Cgroup Defer Css Percpu Ref Kill Vulnerability

A vulnerability in the Linux kernel's cgroup management has been addressed. The issue involved improper handling of the removal process for control groups (cgroups), which could lead to a deadlock situation. When a cgroup is removed, the kernel must ensure that no tasks are still performing work within that cgroup. However, the original implementation could cause the removal process to hang, particularly when systemd was reaping orphaned processes. This deadlock occurred because the removal process was waiting for certain processes to terminate, while those processes were blocked, creating a circular dependency. The vulnerability has been fixed by allowing the cgroup removal process to proceed asynchronously, ensuring that the removal can complete without getting stuck waiting for processes to exit.

Impact

The vulnerability could lead to a deadlock situation, where the system becomes unresponsive because processes are waiting on each other to release resources, causing a standstill in operations.

Reproduction

The vulnerability can be reproduced by initiating a PID namespace teardown while systemd is reaping orphaned processes. This scenario creates a situation where the cgroup removal process gets stuck, waiting for processes to free up, while those processes cannot terminate because they are being managed by the systemd reaper, which is also blocked in the removal process.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Stable Tree to address this vulnerability.