In the Linux kernel, the following vulnerability has been resolved:
cgroup: Fix memory leak caused by missing cgroup_bpf_offline
When enabling CONFIG_CGROUP_BPF, a kmemleak report can be observed by running the commands below:
$mount -t cgroup -o none,name=foo cgroup cgroup/
$umount cgroup/
unreferenced object 0xc3585c40 (size 64):
  comm "mount", pid 425, jiffies 4294959825 (age 31.990s)
  hex dump (first 32 bytes):
    01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00  ......(.........
    00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00  ........lC......
  backtrace:
    [<e95a2f9e>] cgroup_bpf_inherit+0x44/0x24c
    [<1f03679c>] cgroup_setup_root+0x174/0x37c
    [<ed4b0ac5>] cgroup1_get_tree+0x2c0/0x4a0
    [<f85b12fd>] vfs_get_tree+0x24/0x108
    [<f55aec5c>] path_mount+0x384/0x988
    [<e2d5e9cd>] do_mount+0x64/0x9c
    [<208c9cfe>] sys_mount+0xfc/0x1f4
    [<06dd06e0>] ret_fast_syscall+0x0/0x48
    [<a8308cb3>] 0xbeb4daa8
This is because, since commit 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path"), root_cgrp->bpf.refcnt.data is allocated by the function percpu_ref_init in cgroup_bpf_inherit, which is called by cgroup_setup_root when mounting, but it is not freed along with root_cgrp when unmounting. Adding cgroup_bpf_offline, which calls percpu_ref_kill, to cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in the umount path.
This patch also fixes commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself"). A cgroup_bpf_offline is needed to do a cleanup that frees the resources which are allocated by cgroup_bpf_inherit in cgroup_setup_root.
And inside cgroup_bpf_offline, cgroup_get() is called at the beginning, and cgroup_put() is called at the end of cgroup_bpf_release, which is called by cgroup_bpf_offline. So cgroup_bpf_offline can keep the cgroup's refcount balanced.
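The following is an added userspace model of the lifetime bug described in the commit message above; it is not kernel code and not part of the original advisory. The struct and function names imitate the kernel's percpu_ref and cgroup_bpf API (an assumption made for readability), but the bodies are toy versions: a plain counter stands in for the per-cpu fast path, the release callback runs inline instead of from RCU or workqueue context, and a live-object counter stands in for kmemleak. It shows why freeing the root cgroup is not enough once refcnt.data lives in its own allocation, and how the cgroup_get()/cgroup_put() pair keeps the cgroup refcount balanced across the fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

static int live_objects;               /* heap objects not yet freed; our "kmemleak" */

static void *tracked_alloc(size_t n)
{
	void *p = calloc(1, n);
	if (p)
		live_objects++;
	return p;
}

static void tracked_free(void *p)
{
	if (p) {
		live_objects--;
		free(p);
	}
}

/* Since commit 2b0d3d3e4fcf the slow-path state is a separate allocation
 * hanging off the embedded struct: freeing the container does not free it. */
struct percpu_ref;
typedef void (*percpu_ref_func_t)(struct percpu_ref *);
struct percpu_ref_data { long count; percpu_ref_func_t release; };
struct percpu_ref { struct percpu_ref_data *data; };

static int percpu_ref_init(struct percpu_ref *ref, percpu_ref_func_t release)
{
	ref->data = tracked_alloc(sizeof(*ref->data));
	if (!ref->data)
		return -1;
	ref->data->count = 1;          /* the initial reference */
	ref->data->release = release;
	return 0;
}

static void percpu_ref_put(struct percpu_ref *ref)
{
	if (--ref->data->count == 0)
		ref->data->release(ref);
}

/* kill drops the initial reference; exit frees ->data (toy versions) */
static void percpu_ref_kill(struct percpu_ref *ref) { percpu_ref_put(ref); }
static void percpu_ref_exit(struct percpu_ref *ref) { tracked_free(ref->data); ref->data = NULL; }

struct cgroup_bpf { struct percpu_ref refcnt; };
struct cgroup { int refcount; struct cgroup_bpf bpf; };

static void cgroup_get(struct cgroup *cgrp) { cgrp->refcount++; }
static void cgroup_put(struct cgroup *cgrp)
{
	if (--cgrp->refcount == 0)
		tracked_free(cgrp);
}

/* Runs when bpf.refcnt reaches zero: frees ->data and drops the cgroup
 * reference that cgroup_bpf_offline() took (container_of done by hand). */
static void cgroup_bpf_release(struct percpu_ref *ref)
{
	struct cgroup_bpf *bpf = (struct cgroup_bpf *)((char *)ref - offsetof(struct cgroup_bpf, refcnt));
	struct cgroup *cgrp = (struct cgroup *)((char *)bpf - offsetof(struct cgroup, bpf));
	percpu_ref_exit(&bpf->refcnt);
	cgroup_put(cgrp);
}

static int cgroup_bpf_inherit(struct cgroup *cgrp)
{
	return percpu_ref_init(&cgrp->bpf.refcnt, cgroup_bpf_release);
}

static void cgroup_bpf_offline(struct cgroup *cgrp)
{
	cgroup_get(cgrp);                      /* balanced by cgroup_put() in release */
	percpu_ref_kill(&cgrp->bpf.refcnt);
}

/* mount: allocate the root cgroup and the bpf state it owns */
static struct cgroup *cgroup_setup_root(void)
{
	struct cgroup *root = tracked_alloc(sizeof(*root));
	if (!root)
		return NULL;
	root->refcount = 1;
	if (cgroup_bpf_inherit(root)) {
		tracked_free(root);
		return NULL;
	}
	return root;
}

/* umount: before the fix only the root cgroup was dropped; the fix offlines
 * the bpf state first so refcnt.data is released on the same path */
static void cgroup_kill_sb(struct cgroup *root, int fixed)
{
	if (fixed)
		cgroup_bpf_offline(root);
	cgroup_put(root);
}

/* Number of objects still live after one mount/umount cycle:
 * 0 means clean, 1 means bpf.refcnt.data leaked as in the report above. */
static int mount_umount_cycle(int fixed)
{
	int before = live_objects;
	struct cgroup *root = cgroup_setup_root();
	if (!root)
		return -1;
	cgroup_kill_sb(root, fixed);
	return live_objects - before;
}

int main(void)
{
	printf("without cgroup_bpf_offline: %d leaked object(s)\n", mount_umount_cycle(0));
	printf("with cgroup_bpf_offline:    %d leaked object(s)\n", mount_umount_cycle(1));
	return 0;
}
```

The unfixed path leaks exactly the one object kmemleak reported, the percpu_ref data block, because the cgroup that owned it is gone and nothing else holds the pointer. The fixed path frees it through the release callback, and the cgroup_get() in cgroup_bpf_offline() guarantees the cgroup outlives that callback even when, in the real kernel, it runs asynchronously.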