CVE-2024-38663: blk-cgroup – fix list corruption from resetting io stat (25-June-2024)

Preface: Android uses cgroups to control and account for system resources such as CPU and memory usage and allocation, with support for Linux kernel cgroups v1 and cgroups v2.

Background: New IO stats are stored in the percpu iostat_cpu within blkcg_gq (blkg). There are multiple blkg’s (one for each block device) attached to each blkcg. The rstat code keeps track of which cpu has IO stats updated, but it doesn’t know which blkg has the updated stats. If there are many block devices in a system, the cost of iterating all the blkg’s to flush out the IO stats can be high. To reduce such overhead, a set of percpu lockless lists (lhead) per blkcg are used to track the set of recently updated iostat_cpu’s since the last flush. An iostat_cpu will be put onto the lockless list on the update side [blk_cgroup_bio_start()] if not there yet and then removed when being flushed [blkcg_rstat_flush()].

References to blkg are gotten and then put back in the process to protect against blkg removal.

Vulnerability details: blk-cgroup: fix list corruption from resetting io stat. Since commit 3b8cc6298724 (“blk-cgroup: Optimize blkcg_rstat_flush()”), each iostat instance is added to blkcg percpu list, so blkcg_reset_stats() can’t reset the stat instance by memset(), otherwise the llist may be corrupted.

Fix the issue by only resetting the counter part.

Official announcement: For detail, please refer to link –

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.