In the Linux kernel, the following vulnerability has been resolved:
mm/slabcommon: fix slabcaches list corruption after kmemcachedestroy()
After the commit in Fixes:, if a module that created a slab cache does not release all of its allocated objects before destroying the cache (at rmmod time), we might end up releasing the kmemcache object without removing it from the slabcaches list thus corrupting the list as kmemcachedestroy() ignores the return value from shutdowncache(), which in turn never removes the kmemcache object from slabslist in case _kmemcacheshutdown() fails to release all of the cache's slabs.
This is easily observable on a kernel built with CONFIGDEBUGLIST=y as after that ill release the system will immediately trip on listadd, or listdel, assertions similar to the one shown below as soon as another kmem_cache gets created, or destroyed:
[ 1041.213632] listdel corruption. next->prev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268) [ 1041.219165] ------------[ cut here ]------------ [ 1041.221517] kernel BUG at lib/listdebug.c:62! [ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G B W OE 6.5.0 #15 [ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023 [ 1041.231212] RIP: 0010:_listdelentryvalid+0xae/0xb0
Another quick way to trigger this issue, in a kernel with CONFIGSLUB=y, is to set slubdebug to poison the released objects and then just run cat /proc/slabinfo after removing the module that leaks slab objects, in which case the kernel will panic:
[ 50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI [ 50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G B W OE 6.5.0 #15 [ 50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023 [ 50.972663] RIP: 0010:get_slabinfo+0x42/0xf0
This patch fixes this issue by properly checking shutdowncache()'s return value before taking the kmemcache_release() branch.