CVE-2021-47488 in Linux
Summary
by MITRE • 05/22/2024
In the Linux kernel, the following vulnerability has been resolved:
cgroup: Fix memory leak caused by missing cgroup_bpf_offline
When enabling CONFIG_CGROUP_BPF, kmemleak can be observed by running the command as below:
$mount -t cgroup -o none,name=foo cgroup cgroup/ $umount cgroup/
unreferenced object 0xc3585c40 (size 64): comm "mount", pid 425, jiffies 4294959825 (age 31.990s) hex dump (first 32 bytes): 01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00 ......(......... 00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00 ........lC...... backtrace: [] cgroup_bpf_inherit+0x44/0x24c
[] cgroup_setup_root+0x174/0x37c
[] cgroup1_get_tree+0x2c0/0x4a0
[] vfs_get_tree+0x24/0x108
[] path_mount+0x384/0x988
[] do_mount+0x64/0x9c
[] sys_mount+0xfc/0x1f4
[] ret_fast_syscall+0x0/0x48
[] 0xbeb4daa8
This is because that since the commit 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path") root_cgrp->bpf.refcnt.data is allocated by the function percpu_ref_init in cgroup_bpf_inherit which is called by cgroup_setup_root when mounting, but not freed along with root_cgrp when umounting. Adding cgroup_bpf_offline which calls percpu_ref_kill to cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in umount path.
This patch also fixes the commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself"). A cgroup_bpf_offline is needed to do a cleanup that frees the resources which are allocated by cgroup_bpf_inherit in cgroup_setup_root.
And inside cgroup_bpf_offline, cgroup_get() is at the beginning and cgroup_put is at the end of cgroup_bpf_release which is called by cgroup_bpf_offline. So cgroup_bpf_offline can keep the balance of cgroup's refcount.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/08/2026
This vulnerability represents a memory leak in the Linux kernel's control group (cgroup) subsystem when the CONFIG_CGROUP_BPF configuration option is enabled. The issue manifests as a kmemleak detection during cgroup mount and unmount operations, specifically when the cgroup filesystem is mounted and then unmounted. The leaked memory object, sized at 64 bytes, contains data that references the mount process and shows a timestamp indicating the object's age. The memory leak occurs because the percpu_ref structure allocated during cgroup initialization is not properly freed during the unmount process, creating a persistent memory allocation that cannot be reclaimed.
The technical root cause lies in the cgroup subsystem's handling of BPF (Berkeley Packet Filter) resources during the cgroup setup and teardown lifecycle. When mounting a cgroup filesystem, the cgroup_bpf_inherit function is called by cgroup_setup_root which initializes the percpu_ref structure through percpu_ref_init. This allocation occurs in the fast path of percpu_ref operations as modified by commit 2b0d3d3e4fcf, but the corresponding cleanup mechanism is missing during unmount operations. The cgroup_kill_sb function, which handles filesystem unmounting, does not include the necessary cleanup call to free the BPF-related resources that were allocated during mount.
The vulnerability directly impacts system memory management and can lead to progressive memory consumption over time, particularly in systems that frequently mount and unmount cgroup filesystems. This type of memory leak falls under CWE-401: Improper Release of Memory and is related to improper resource management in kernel subsystems. The issue affects the cgroup BPF subsystem specifically, which provides a mechanism for attaching BPF programs to cgroup events, and represents a failure in the resource lifecycle management of kernel objects.
The patch addresses this by introducing a new cgroup_bpf_offline function that properly cleans up BPF resources during the unmount path. This function calls percpu_ref_kill to properly terminate the percpu_ref structure that was initialized during mount operations. The fix also resolves a related issue from commit 4bfc0bb2c60e that decoupled cgroup BPF from cgroup itself, requiring explicit cleanup mechanisms. The implementation ensures proper reference counting by including cgroup_get() at the beginning and cgroup_put() at the end of the cgroup_bpf_release function within the cgroup_bpf_offline context, maintaining the balance of cgroup reference counts throughout the operation. This approach aligns with the ATT&CK framework's resource exhaustion tactics, specifically targeting memory resource management failures that could lead to system instability or performance degradation. The fix ensures that all allocated resources are properly reclaimed during normal cgroup lifecycle operations, preventing the accumulation of unreferenced memory objects that would otherwise persist until system reboot.