shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-04-01 02:33:01 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
b072e32e0874568f9bbc7c19eb0a118dcb883da0
linux/fs
History
Chen Ridong 854baafc00 kernfs: Fix UAF in polling when open file is released 
commit 3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f upstream.

A use-after-free (UAF) vulnerability was identified in the PSI (Pressure
Stall Information) monitoring mechanism:

BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140
Read of size 8 at addr ffff3de3d50bd308 by task systemd/1

psi_trigger_poll+0x3c/0x140
cgroup_pressure_poll+0x70/0xa0
cgroup_file_poll+0x8c/0x100
kernfs_fop_poll+0x11c/0x1c0
ep_item_poll.isra.0+0x188/0x2c0

Allocated by task 1:
cgroup_file_open+0x88/0x388
kernfs_fop_open+0x73c/0xaf0
do_dentry_open+0x5fc/0x1200
vfs_open+0xa0/0x3f0
do_open+0x7e8/0xd08
path_openat+0x2fc/0x6b0
do_filp_open+0x174/0x368

Freed by task 8462:
cgroup_file_release+0x130/0x1f8
kernfs_drain_open_files+0x17c/0x440
kernfs_drain+0x2dc/0x360
kernfs_show+0x1b8/0x288
cgroup_file_show+0x150/0x268
cgroup_pressure_write+0x1dc/0x340
cgroup_file_write+0x274/0x548

Reproduction Steps:
1. Open test/cpu.pressure and establish epoll monitoring
2. Disable monitoring: echo 0 > test/cgroup.pressure
3. Re-enable monitoring: echo 1 > test/cgroup.pressure

The race condition occurs because:
1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:
   - Releases PSI triggers via cgroup_file_release()
   - Frees of->priv through kernfs_drain_open_files()
2. While epoll still holds reference to the file and continues polling
3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv

epolling			disable/enable cgroup.pressure
fd=open(cpu.pressure)
while(1)
...
epoll_wait
kernfs_fop_poll
kernfs_get_active = true	echo 0 > cgroup.pressure
...				cgroup_file_show
				kernfs_show
				// inactive kn
				kernfs_drain_open_files
				cft->release(of);
				kfree(ctx);
				...
kernfs_get_active = false
				echo 1 > cgroup.pressure
				kernfs_show
				kernfs_activate_one(kn);
kernfs_fop_poll
kernfs_get_active = true
cgroup_file_poll
psi_trigger_poll
// UAF
...
end: close(fd)

To address this issue, introduce kernfs_get_active_of() for kernfs open
files to obtain active references. This function will fail if the open file
has been released. Replace kernfs_get_active() with kernfs_get_active_of()
to prevent further operations on released file descriptors.

Fixes: 34f26a1561 ("sched/psi: Per-cgroup PSI accounting disable/re-enable interface")
Cc: stable <stable@kernel.org>
Reported-by: Zhang Zhaotian <zhangzhaotian@huawei.com>
Signed-off-by: Chen Ridong <chenridong@huawei.com>
Acked-by: Tejun Heo <tj@kernel.org>
Link: https://lore.kernel.org/r/20250822070715.1565236-2-chenridong@huaweicloud.com
[ Drop llseek bits ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-09-19 16:32:05 +02:00
..
9p
fs/9p: fix uninitialized values during inode evict
2024-11-22 15:38:37 +01:00
adfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
affs
affs: don't write overlarge OFS data block size fields
2025-04-10 14:37:37 +02:00
afs
afs: Fix the server_list to unuse a displaced server rather than putting it
2025-03-07 16:45:38 +01:00
autofs
Merge tag 'v6.6-vfs.autofs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2023-08-28 11:39:14 -07:00
befs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
bfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
btrfs
btrfs: fix corruption reading compressed range when block size is smaller than page size
2025-09-19 16:32:04 +02:00
cachefiles
cachefiles: Fix the incorrect return value in __cachefiles_write()
2025-07-24 08:53:16 +02:00
ceph
ceph: fix possible integer overflow in ceph_zero_objects()
2025-07-06 11:00:08 +02:00
coda
Merge tag 'v6.6-vfs.ctime' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2023-08-28 09:31:32 -07:00
configfs
configfs: Do not override creating attribute file failure in populate_attrs()
2025-06-27 11:08:42 +01:00
cramfs
fs: Convert to bdev_open_by_dev()
2024-08-19 06:04:25 +02:00
crypto
fscrypt: Don't use problematic non-inline crypto engines
2025-08-28 16:28:40 +02:00
debugfs
debugfs: fix automount d_fsdata usage
2024-01-20 11:51:37 +01:00
devpts
Merge tag 'v6.6-vfs.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2023-08-28 10:17:14 -07:00
dlm
dlm: make tcp still work in multi-link env
2025-06-04 14:41:57 +02:00
ecryptfs
fs: Create a generic is_dot_dotdot() utility
2024-10-04 16:29:48 +02:00
efivarfs
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
2025-09-04 15:30:26 +02:00
efs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
erofs
erofs: fix atomic context detection when !CONFIG_DEBUG_LOCK_ALLOC
2025-09-04 15:30:19 +02:00
exfat
exfat: add cluster chain loop check for dir
2025-08-28 16:28:28 +02:00
exportfs
exportfs: remove kernel-doc warnings in exportfs
2023-08-29 17:45:22 -04:00
ext2
ext2: Handle fiemap on empty files to prevent EINVAL
2025-08-28 16:28:15 +02:00
ext4
ext4: preserve SB_I_VERSION on remount
2025-08-28 16:28:44 +02:00
f2fs
f2fs: fix to avoid out-of-boundary access in dnode page
2025-08-28 16:28:36 +02:00
fat
fat: fix uninitialized variable
2024-10-22 15:46:20 +02:00
freevxfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
fscache
netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING
2024-12-09 10:31:45 +01:00
fuse
fuse: prevent overflow in copy_file_range return value
2025-09-19 16:32:04 +02:00
gfs2
gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops
2025-08-28 16:28:15 +02:00
hfs
hfs: fix not erasing deleted b-tree node issue
2025-08-28 16:28:15 +02:00
hfsplus
hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
2025-08-28 16:28:14 +02:00
hostfs
um: hostfs: avoid issues on inode number reuse by host
2025-04-10 14:37:34 +02:00
hpfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
hugetlbfs
mm: update memfd seal write check to include F_SEAL_WRITE
2025-08-28 16:28:39 +02:00
iomap
iomap: skip unnecessary ifs_block_is_uptodate check
2025-05-02 07:51:01 +02:00
isofs
isofs: Verify inode mode when loading from disk
2025-07-24 08:53:13 +02:00
jbd2
jbd2: prevent softlockup in jbd2_log_do_checkpoint()
2025-08-28 16:28:36 +02:00
jffs2
jffs2: check jffs2_prealloc_raw_node_refs() result in few other places
2025-06-27 11:08:58 +01:00
jfs
jfs: upper bound check of tree index in dbAllocAG
2025-08-28 16:28:26 +02:00
kernfs
kernfs: Fix UAF in polling when open file is released
2025-09-19 16:32:05 +02:00
lockd
nfsd: stop setting ->pg_stats for unused stats
2024-08-19 06:04:23 +02:00
minix
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
netfs
netfs: Only call folio_start_fscache() one time for each folio
2023-09-18 12:03:46 -07:00
nfs
NFSv4/flexfiles: Fix layout merge mirror check.
2025-09-19 16:32:02 +02:00
nfs_common
NFSv4.2: remove MODULE_LICENSE in non-modules
2023-04-13 13:13:52 -07:00
nfsd
NFSD: nfsd_unlink() clobbers non-zero status returned from fh_fill_pre_attrs()
2025-09-19 16:32:01 +02:00
nilfs2
nilfs2: reject invalid file types when reading inodes
2025-08-01 09:47:30 +01:00
nls
nls: Hide new NLS_UCS2_UTILS
2023-08-31 12:07:34 -05:00
notify
fanotify: sanitize handle_type values when reporting fid
2025-08-15 12:08:52 +02:00
ntfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
ntfs3
fs/ntfs3: correctly create symlink for relative path
2025-08-28 16:28:15 +02:00
ocfs2
ocfs2: fix recursive semaphore deadlock in fiemap call
2025-09-19 16:32:03 +02:00
omfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
openpromfs
openpromfs: finish conversion to the new mount API
2024-06-12 11:11:30 +02:00
orangefs
fs/orangefs: use snprintf() instead of sprintf()
2025-08-28 16:28:25 +02:00
overlayfs
ovl: Check for NULL d_inode() in ovl_dentry_upper()
2025-07-06 11:00:08 +02:00
proc
proc: fix type confusion in pde_set_flags()
2025-09-19 16:32:02 +02:00
pstore
pstore: Change kmsg_bytes storage size to u32
2025-06-04 14:42:11 +02:00
qnx4
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
qnx6
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
quota
quota: flush quota_release_work upon quota writeback
2024-12-09 10:33:01 +01:00
ramfs
ramfs: convert to ctime accessor functions
2023-07-24 10:30:04 +02:00
reiserfs
reiserfs: fix uninit-value in comp_keys
2024-08-19 06:04:26 +02:00
romfs
fs: Convert to bdev_open_by_dev()
2024-08-19 06:04:25 +02:00
smb
cifs: fix pagecache leak when do writepages
2025-09-19 16:32:05 +02:00
squashfs
squashfs: fix memory leak in squashfs_fill_super
2025-08-28 16:28:43 +02:00
sysfs
fs: sysfs: Fix reference leak in sysfs_break_active_protection()
2024-04-27 17:11:41 +02:00
sysv
sysv: don't call sb_bread() with pointers_lock held
2024-04-13 13:07:34 +02:00
tracefs
tracefs: Add d_delete to remove negative dentries
2025-08-28 16:28:15 +02:00
ubifs
ubifs: skip dumping tnc tree when zroot is null
2025-02-08 09:52:28 +01:00
udf
udf: Verify partition map count
2025-08-28 16:28:15 +02:00
ufs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
unicode
Revert "unicode: Don't special case ignorable code points"
2024-12-14 20:00:20 +01:00
vboxsf
vboxsf: fix building with GCC 15
2025-03-22 12:50:41 -07:00
verity
fsverity: use register_sysctl_init() to avoid kmemleak warning
2024-06-16 13:47:33 +02:00
xfs
xfs: do not propagate ENODATA disk errors into xattr code
2025-09-04 15:30:29 +02:00
zonefs
zonefs: Improve error handling
2024-02-23 09:25:13 +01:00
aio.c
fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion
2024-04-03 15:28:44 +02:00
anon_inodes.c
fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass
2025-07-10 16:03:18 +02:00
attr.c
Merge tag 'v6.6-vfs.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2023-08-28 10:17:14 -07:00
bad_inode.c
fs: drop the timespec64 argument from update_time
2023-08-11 09:04:57 +02:00
binfmt_elf_fdpic.c
fs: binfmt_elf_efpic: don't use missing interpreter's properties
2024-08-29 17:33:33 +02:00
binfmt_elf_test.c
binfmt_elf.c
binfmt_elf: Move brk for static PIE even if ASLR disabled
2025-05-22 14:12:12 +02:00
binfmt_flat.c
binfmt_flat: Fix integer overflow bug on 32 bit systems
2025-02-17 09:40:16 +01:00
binfmt_misc.c
binfmt_misc: cleanup on filesystem umount
2024-08-29 17:33:27 +02:00
binfmt_script.c
buffer.c
fs/buffer: fix use-after-free when call bh_read() helper
2025-08-28 16:28:44 +02:00
char_dev.c
vfs: Replace all non-returning strlcpy with strscpy
2023-05-15 09:42:01 +02:00
compat_binfmt_elf.c
coredump.c
coredump: hand a pidfd to the usermode coredump helper
2025-06-04 14:42:24 +02:00
d_path.c
fs: d_path: include internal.h
2023-05-17 09:16:59 +02:00
dax.c
fsdax: dax_unshare_iter needs to copy entire blocks
2024-11-08 16:28:19 +01:00
dcache.c
fs: better handle deep ancestor chains in is_subdir()
2024-07-25 09:50:54 +02:00
direct-io.c
Merge tag 'mm-stable-2023-06-24-19-15' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2023-06-28 10:28:11 -07:00
drop_caches.c
fs: drop_caches: draining pages before dropping caches
2023-08-18 10:12:11 -07:00
eventfd.c
eventfd: prevent underflow for eventfd semaphores
2023-07-11 11:41:34 +02:00
eventpoll.c
eventpoll: Fix semi-unbounded recursion
2025-08-28 16:28:12 +02:00
exec.c
exec: fix the racy usage of fs_struct->in_exec
2025-04-10 14:37:44 +02:00
fcntl.c
fs: Fix file_set_fowner LSM hook inconsistencies
2024-10-04 16:29:56 +02:00
fhandle.c
fs: Annotate struct file_handle with __counted_by() and use struct_size()
2024-08-19 06:04:28 +02:00
file_table.c
fs: fix proc_handler for sysctl_nr_open
2025-02-08 09:51:42 +01:00
file.c
alloc_fdtable(): change calling conventions.
2025-08-28 16:28:50 +02:00
filesystems.c
fs/filesystems: Fix potential unsigned integer underflow in fs_name()
2025-06-19 15:28:43 +02:00
fs_context.c
fs: factor out vfs_parse_monolithic_sep() helper
2023-10-12 18:53:36 +03:00
fs_parser.c
ext4: journal_path mount options should follow links
2022-12-01 10:46:54 -05:00
fs_pin.c
fs_struct.c
kill do_each_thread()
2023-08-21 13:46:25 -07:00
fs_types.c
fs-writeback.c
fs: writeback: fix use-after-free in __mark_inode_dirty()
2025-09-09 18:56:20 +02:00
fsopen.c
fs: add FSCONFIG_CMD_CREATE_EXCL
2023-08-14 18:48:02 +02:00
init.c
fs: port ->permission() to pass mnt_idmap
2023-01-19 09:24:28 +01:00
inode.c
fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name
2024-12-09 10:31:41 +01:00
internal.h
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
ioctl.c
lsm: new security_file_ioctl_compat() hook
2024-01-31 16:18:54 -08:00
Kconfig
nfs: add missing selections of CONFIG_CRC32
2025-04-25 10:45:46 +02:00
Kconfig.binfmt
riscv: support the elf-fdpic binfmt loader
2023-08-23 14:17:43 -07:00
kernel_read_file.c
fs: Fix kernel-doc warnings
2023-08-19 12:12:12 +02:00
libfs.c
better lockdep annotations for simple_recursive_removal()
2025-08-28 16:28:15 +02:00
locks.c
filelock: Fix fcntl/close race recovery compat path
2024-07-27 11:34:10 +02:00
Makefile
fs: add CONFIG_BUFFER_HEAD
2023-08-02 09:13:09 -06:00
mbcache.c
ext4: fix deadlock due to mbcache entry corruption
2022-12-08 21:49:25 -05:00
mnt_idmapping.c
fs: move mnt_idmap
2023-01-19 09:24:30 +01:00
mount.h
mpage.c
mpage: use folios in bio end_io handler
2023-04-18 16:30:02 -07:00
namei.c
fuse: don't truncate cached, mutated symlink
2025-03-22 12:50:44 -07:00
namespace.c
use uniform permission checks for all mount propagation changes
2025-08-28 16:28:44 +02:00
nsfs.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
open.c
openat2: explicitly return -E2BIG for (usize > PAGE_SIZE)
2024-11-01 01:58:32 +01:00
pipe.c
fs/pipe: Fix lockdep false-positive in watchqueue pipe_write()
2024-04-10 16:35:57 +02:00
pnode.c
fs: allow to mount beneath top mount
2023-05-19 04:30:22 +02:00
pnode.h
fs: allow to mount beneath top mount
2023-05-19 04:30:22 +02:00
posix_acl.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
proc_namespace.c
tty, proc, kernfs, random: Use copy_splice_read()
2023-05-24 08:42:16 -06:00
read_write.c
fs: Fix one kernel-doc comment
2023-08-15 08:32:45 +02:00
readdir.c
vfs: get rid of old '->iterate' directory operation
2023-08-06 15:08:35 +02:00
remap_range.c
fs: use UB-safe check for signed addition overflow in remap_verify_area
2023-05-24 11:03:59 +02:00
select.c
hrtimer: Use and report correct timerslack values for realtime tasks
2025-03-22 12:50:37 -07:00
seq_file.c
use less confusing names for iov_iter direction initializers
2022-11-25 13:01:55 -05:00
signalfd.c
splice.c
splice: remove duplicate noinline from pipe_clear_nowait
2025-05-02 07:50:45 +02:00
stack.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
stat.c
fs: Pass AT_GETATTR_NOSEC flag to getattr interface function
2023-12-03 07:33:03 +01:00
statfs.c
statfs: enforce statfs[64] structure initialization
2023-05-17 15:20:17 +02:00
super.c
fs: Convert to bdev_open_by_dev()
2024-08-19 06:04:25 +02:00
sync.c
sysctls.c
sysctl: Refactor base paths registrations
2023-05-23 21:43:26 -07:00
timerfd.c
userfaultfd.c
mm/userfaultfd: fix release hang over concurrent GUP
2025-04-25 10:45:31 +02:00
utimes.c
Merge tag 'fs.idmapped.v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping
2023-02-20 11:53:11 -08:00
xattr.c
fs/xattr.c: fix simple_xattr_list()
2025-06-27 11:08:57 +01:00