CVE-2023-54134

In the Linux kernel, the following vulnerability has been resolved:

autofs: fix memory leak of waitqueues in autofscatatonicmode

Syzkaller reports a memory leak:

BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [<ffffffff814cfc90>] kmalloctrace+0x20/0x90 mm/slabcommon.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofswait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofsdoexpiremulti+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofsexpiremulti+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofsrootioctlunlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofsrootioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfsioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __dosysioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __sesysioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64sysioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] dosyscallx64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] dosyscall64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entrySYSCALL64afterhwframe+0x63/0xcd

autofswaitqueue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost.

In this case an AUTOFSIOCEXPIREMULTI ioctl is done, then a new waitqueue struct is allocated in autofswait(), its initial waitctr equals 2. After that waiteventkillable() is interrupted (it returns -ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not satisfied. Actually, this condition can be satisfied when autofswaitrelease() or autofscatatonicmode() is called and, what is also important, waitctr is decremented in those places. Upon the exit of autofswait(), waitctr is decremented to 1. Then the unmounting process begins: killsb calls autofscatatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour.

edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofswaitrelease() with a result status. The problem case is the summary execution of of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk

So in catatonic mode we should free waitqueues which counter becomes zero.

edit: imk Initially I was concerned that the calling of autofswaitrelease() and autofscatatonicmode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk