drop sched patch
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 23 May 2026 09:22:36 +0000 (11:22 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 23 May 2026 09:22:36 +0000 (11:22 +0200)
queue-5.10/sched-psi-fix-race-between-file-release-and-pressure.patch [deleted file]
queue-5.10/series
queue-5.15/sched-psi-fix-race-between-file-release-and-pressure.patch [deleted file]
queue-5.15/series
queue-6.1/sched-psi-fix-race-between-file-release-and-pressure.patch [deleted file]
queue-6.1/series
queue-6.12/cgroup-increment-nr_dying_subsys_-from-rmdir-context.patch
queue-6.12/sched-psi-fix-race-between-file-release-and-pressure.patch [deleted file]
queue-6.12/series
queue-6.6/sched-psi-fix-race-between-file-release-and-pressure.patch [deleted file]
queue-6.6/series

diff --git a/queue-5.10/sched-psi-fix-race-between-file-release-and-pressure.patch b/queue-5.10/sched-psi-fix-race-between-file-release-and-pressure.patch
deleted file mode 100644 (file)
index 17f1a48..0000000
+++ /dev/null
@@ -1,184 +0,0 @@
-From 17bb6914ae5bb542ac6a27b8b5d93509c831e6d4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 14 Apr 2026 14:15:43 +0800
-Subject: sched/psi: fix race between file release and pressure write
-
-From: Edward Adam Davis <eadavis@qq.com>
-
-[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ]
-
-A potential race condition exists between pressure write and cgroup file
-release regarding the priv member of struct kernfs_open_file, which
-triggers the uaf reported in [1].
-
-Consider the following scenario involving execution on two separate CPUs:
-
-   CPU0                                        CPU1
-   ====                                        ====
-                                       vfs_rmdir()
-                                       kernfs_iop_rmdir()
-                                       cgroup_rmdir()
-                                       cgroup_kn_lock_live()
-                                       cgroup_destroy_locked()
-                                       cgroup_addrm_files()
-                                       cgroup_rm_file()
-                                       kernfs_remove_by_name()
-                                       kernfs_remove_by_name_ns()
- vfs_write()                           __kernfs_remove()
- new_sync_write()                      kernfs_drain()
- kernfs_fop_write_iter()               kernfs_drain_open_files()
- cgroup_file_write()                   kernfs_release_file()
- pressure_write()                      cgroup_file_release()
- ctx = of->priv;
-                                       kfree(ctx);
-                                       of->priv = NULL;
-                                       cgroup_kn_unlock()
- cgroup_kn_lock_live()
- cgroup_get(cgrp)
- cgroup_kn_unlock()
- if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv
-
-The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards
-the memory deallocation of of->priv performed within cgroup_file_release().
-However, the operations involving of->priv executed within pressure_write()
-are not entirely covered by the protection of cgroup_mutex. Consequently,
-if the code in pressure_write(), specifically the section handling the
-ctx variable executes after cgroup_file_release() has completed, a uaf
-vulnerability involving of->priv is triggered.
-
-Therefore, the issue can be resolved by extending the scope of the
-cgroup_mutex lock within pressure_write() to encompass all code paths
-involving of->priv, thereby properly synchronizing the race condition
-occurring between cgroup_file_release() and pressure_write().
-
-And, if an live kn lock can be successfully acquired while executing
-the pressure write operation, it indicates that the cgroup deletion
-process has not yet reached its final stage; consequently, the priv
-pointer within open_file cannot be NULL. Therefore, the operation to
-retrieve the ctx value must be moved to a point *after* the live kn
-lock has been successfully acquired.
-
-In another situation, specifically after entering cgroup_kn_lock_live()
-but before acquiring cgroup_mutex, there exists a different class of
-race condition:
-
-CPU0: write memory.pressure               CPU1: write cgroup.pressure=0
-===========================              =============================
-
-kernfs_fop_write_iter()
- kernfs_get_active_of(of)
- pressure_write()
-   cgroup_kn_lock_live(memory.pressure)
-     cgroup_tryget(cgrp)
-     kernfs_break_active_protection(kn)
-     ... blocks on cgroup_mutex
-
-                                         cgroup_pressure_write()
-                                         cgroup_kn_lock_live(cgroup.pressure)
-                                         cgroup_file_show(memory.pressure, false)
-                                           kernfs_show(false)
-                                             kernfs_drain_open_files()
-                                               cgroup_file_release(of)
-                                                 kfree(ctx)
-                                                   of->priv = NULL
-                                         cgroup_kn_unlock()
-
-   ... acquires cgroup_mutex
-   ctx = of->priv;        // may now be NULL
-   if (ctx->psi.trigger)  // NULL dereference
-
-Consequently, there is a possibility that of->priv is NULL, the pressure
-write needs to check for this.
-
-Now that the scope of the cgroup_mutex has been expanded, the original
-explicit cgroup_get/put operations are no longer necessary, this is
-because acquiring/releasing the live kn lock inherently executes a
-cgroup get/put operation.
-
-[1]
-BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
-Call Trace:
- pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
- cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
- kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352
-
-Allocated by task 9352:
- cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
- kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
- do_dentry_open+0x83d/0x13e0 fs/open.c:949
-
-Freed by task 9353:
- cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
- kernfs_release_file fs/kernfs/file.c:764 [inline]
- kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
- kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525
-
-Fixes: 0e94682b73bf ("psi: introduce psi monitor")
-Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
-Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Signed-off-by: Edward Adam Davis <eadavis@qq.com>
-Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/cgroup/cgroup.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
-index 8d420e00d89a7..42d6b76208d42 100644
---- a/kernel/cgroup/cgroup.c
-+++ b/kernel/cgroup/cgroup.c
-@@ -3679,33 +3679,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v)
- static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
-                                         size_t nbytes, enum psi_res res)
- {
--      struct cgroup_file_ctx *ctx = of->priv;
-+      struct cgroup_file_ctx *ctx;
-       struct psi_trigger *new;
-       struct cgroup *cgrp;
-       struct psi_group *psi;
-+      ssize_t ret = 0;
-       cgrp = cgroup_kn_lock_live(of->kn, false);
-       if (!cgrp)
-               return -ENODEV;
--      cgroup_get(cgrp);
--      cgroup_kn_unlock(of->kn);
-+      ctx = of->priv;
-+      if (!ctx) {
-+              ret = -ENODEV;
-+              goto out_unlock;
-+      }
-       /* Allow only one trigger per file descriptor */
-       if (ctx->psi.trigger) {
--              cgroup_put(cgrp);
--              return -EBUSY;
-+              ret = -EBUSY;
-+              goto out_unlock;
-       }
-       psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi;
-       new = psi_trigger_create(psi, buf, nbytes, res);
-       if (IS_ERR(new)) {
--              cgroup_put(cgrp);
--              return PTR_ERR(new);
-+              ret = PTR_ERR(new);
-+              goto out_unlock;
-       }
-       smp_store_release(&ctx->psi.trigger, new);
--      cgroup_put(cgrp);
-+
-+out_unlock:
-+      cgroup_kn_unlock(of->kn);
-+      if (ret)
-+              return ret;
-       return nbytes;
- }
--- 
-2.53.0
-
index f2c2518af135fbf7955b55dafe35c131cdeaedf7..0dc6bd55ba6a4daa629eb4c56fc0d71d12afb613 100644 (file)
@@ -462,7 +462,6 @@ rtc-introduce-features-bitfield.patch
 rtc-abx80x-disable-alarm-feature-if-no-interrupt-att.patch
 fbdev-offb-fix-pci-device-reference-leak-on-probe-fa.patch
 mailbox-mailbox-test-free-channels-on-probe-error.patch
-sched-psi-fix-race-between-file-release-and-pressure.patch
 cgroup-rdma-fix-integer-overflow-in-rdmacg_try_charg.patch
 mailbox-add-sanity-check-for-channel-array.patch
 mailbox-mailbox-test-don-t-free-the-reused-channel.patch
diff --git a/queue-5.15/sched-psi-fix-race-between-file-release-and-pressure.patch b/queue-5.15/sched-psi-fix-race-between-file-release-and-pressure.patch
deleted file mode 100644 (file)
index 96ffe73..0000000
+++ /dev/null
@@ -1,184 +0,0 @@
-From ee493c7f339cb2ff38fd005d3aeeb792e773e2c9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 14 Apr 2026 14:15:43 +0800
-Subject: sched/psi: fix race between file release and pressure write
-
-From: Edward Adam Davis <eadavis@qq.com>
-
-[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ]
-
-A potential race condition exists between pressure write and cgroup file
-release regarding the priv member of struct kernfs_open_file, which
-triggers the uaf reported in [1].
-
-Consider the following scenario involving execution on two separate CPUs:
-
-   CPU0                                        CPU1
-   ====                                        ====
-                                       vfs_rmdir()
-                                       kernfs_iop_rmdir()
-                                       cgroup_rmdir()
-                                       cgroup_kn_lock_live()
-                                       cgroup_destroy_locked()
-                                       cgroup_addrm_files()
-                                       cgroup_rm_file()
-                                       kernfs_remove_by_name()
-                                       kernfs_remove_by_name_ns()
- vfs_write()                           __kernfs_remove()
- new_sync_write()                      kernfs_drain()
- kernfs_fop_write_iter()               kernfs_drain_open_files()
- cgroup_file_write()                   kernfs_release_file()
- pressure_write()                      cgroup_file_release()
- ctx = of->priv;
-                                       kfree(ctx);
-                                       of->priv = NULL;
-                                       cgroup_kn_unlock()
- cgroup_kn_lock_live()
- cgroup_get(cgrp)
- cgroup_kn_unlock()
- if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv
-
-The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards
-the memory deallocation of of->priv performed within cgroup_file_release().
-However, the operations involving of->priv executed within pressure_write()
-are not entirely covered by the protection of cgroup_mutex. Consequently,
-if the code in pressure_write(), specifically the section handling the
-ctx variable executes after cgroup_file_release() has completed, a uaf
-vulnerability involving of->priv is triggered.
-
-Therefore, the issue can be resolved by extending the scope of the
-cgroup_mutex lock within pressure_write() to encompass all code paths
-involving of->priv, thereby properly synchronizing the race condition
-occurring between cgroup_file_release() and pressure_write().
-
-And, if an live kn lock can be successfully acquired while executing
-the pressure write operation, it indicates that the cgroup deletion
-process has not yet reached its final stage; consequently, the priv
-pointer within open_file cannot be NULL. Therefore, the operation to
-retrieve the ctx value must be moved to a point *after* the live kn
-lock has been successfully acquired.
-
-In another situation, specifically after entering cgroup_kn_lock_live()
-but before acquiring cgroup_mutex, there exists a different class of
-race condition:
-
-CPU0: write memory.pressure               CPU1: write cgroup.pressure=0
-===========================              =============================
-
-kernfs_fop_write_iter()
- kernfs_get_active_of(of)
- pressure_write()
-   cgroup_kn_lock_live(memory.pressure)
-     cgroup_tryget(cgrp)
-     kernfs_break_active_protection(kn)
-     ... blocks on cgroup_mutex
-
-                                         cgroup_pressure_write()
-                                         cgroup_kn_lock_live(cgroup.pressure)
-                                         cgroup_file_show(memory.pressure, false)
-                                           kernfs_show(false)
-                                             kernfs_drain_open_files()
-                                               cgroup_file_release(of)
-                                                 kfree(ctx)
-                                                   of->priv = NULL
-                                         cgroup_kn_unlock()
-
-   ... acquires cgroup_mutex
-   ctx = of->priv;        // may now be NULL
-   if (ctx->psi.trigger)  // NULL dereference
-
-Consequently, there is a possibility that of->priv is NULL, the pressure
-write needs to check for this.
-
-Now that the scope of the cgroup_mutex has been expanded, the original
-explicit cgroup_get/put operations are no longer necessary, this is
-because acquiring/releasing the live kn lock inherently executes a
-cgroup get/put operation.
-
-[1]
-BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
-Call Trace:
- pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
- cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
- kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352
-
-Allocated by task 9352:
- cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
- kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
- do_dentry_open+0x83d/0x13e0 fs/open.c:949
-
-Freed by task 9353:
- cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
- kernfs_release_file fs/kernfs/file.c:764 [inline]
- kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
- kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525
-
-Fixes: 0e94682b73bf ("psi: introduce psi monitor")
-Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
-Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Signed-off-by: Edward Adam Davis <eadavis@qq.com>
-Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/cgroup/cgroup.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
-index 2048fc3e22565..f131da1a8abfa 100644
---- a/kernel/cgroup/cgroup.c
-+++ b/kernel/cgroup/cgroup.c
-@@ -3720,33 +3720,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v)
- static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
-                                         size_t nbytes, enum psi_res res)
- {
--      struct cgroup_file_ctx *ctx = of->priv;
-+      struct cgroup_file_ctx *ctx;
-       struct psi_trigger *new;
-       struct cgroup *cgrp;
-       struct psi_group *psi;
-+      ssize_t ret = 0;
-       cgrp = cgroup_kn_lock_live(of->kn, false);
-       if (!cgrp)
-               return -ENODEV;
--      cgroup_get(cgrp);
--      cgroup_kn_unlock(of->kn);
-+      ctx = of->priv;
-+      if (!ctx) {
-+              ret = -ENODEV;
-+              goto out_unlock;
-+      }
-       /* Allow only one trigger per file descriptor */
-       if (ctx->psi.trigger) {
--              cgroup_put(cgrp);
--              return -EBUSY;
-+              ret = -EBUSY;
-+              goto out_unlock;
-       }
-       psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi;
-       new = psi_trigger_create(psi, buf, nbytes, res);
-       if (IS_ERR(new)) {
--              cgroup_put(cgrp);
--              return PTR_ERR(new);
-+              ret = PTR_ERR(new);
-+              goto out_unlock;
-       }
-       smp_store_release(&ctx->psi.trigger, new);
--      cgroup_put(cgrp);
-+
-+out_unlock:
-+      cgroup_kn_unlock(of->kn);
-+      if (ret)
-+              return ret;
-       return nbytes;
- }
--- 
-2.53.0
-
index 9a7919ca50f8532ed3b1263aa831f76b73cc1269..5d41863e3ddd30c1a2ce174553f2e1b58dad6321 100644 (file)
@@ -601,7 +601,6 @@ fs-adfs-validate-nzones-in-adfs_validate_bblk.patch
 rtc-abx80x-disable-alarm-feature-if-no-interrupt-att.patch
 fbdev-offb-fix-pci-device-reference-leak-on-probe-fa.patch
 mailbox-mailbox-test-free-channels-on-probe-error.patch
-sched-psi-fix-race-between-file-release-and-pressure.patch
 cgroup-rdma-fix-integer-overflow-in-rdmacg_try_charg.patch
 mailbox-add-sanity-check-for-channel-array.patch
 mailbox-mailbox-test-don-t-free-the-reused-channel.patch
diff --git a/queue-6.1/sched-psi-fix-race-between-file-release-and-pressure.patch b/queue-6.1/sched-psi-fix-race-between-file-release-and-pressure.patch
deleted file mode 100644 (file)
index 9cc31d4..0000000
+++ /dev/null
@@ -1,184 +0,0 @@
-From 2e2c61fbd84f62f4d4e13a22afe85e345d092aa4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 14 Apr 2026 14:15:43 +0800
-Subject: sched/psi: fix race between file release and pressure write
-
-From: Edward Adam Davis <eadavis@qq.com>
-
-[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ]
-
-A potential race condition exists between pressure write and cgroup file
-release regarding the priv member of struct kernfs_open_file, which
-triggers the uaf reported in [1].
-
-Consider the following scenario involving execution on two separate CPUs:
-
-   CPU0                                        CPU1
-   ====                                        ====
-                                       vfs_rmdir()
-                                       kernfs_iop_rmdir()
-                                       cgroup_rmdir()
-                                       cgroup_kn_lock_live()
-                                       cgroup_destroy_locked()
-                                       cgroup_addrm_files()
-                                       cgroup_rm_file()
-                                       kernfs_remove_by_name()
-                                       kernfs_remove_by_name_ns()
- vfs_write()                           __kernfs_remove()
- new_sync_write()                      kernfs_drain()
- kernfs_fop_write_iter()               kernfs_drain_open_files()
- cgroup_file_write()                   kernfs_release_file()
- pressure_write()                      cgroup_file_release()
- ctx = of->priv;
-                                       kfree(ctx);
-                                       of->priv = NULL;
-                                       cgroup_kn_unlock()
- cgroup_kn_lock_live()
- cgroup_get(cgrp)
- cgroup_kn_unlock()
- if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv
-
-The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards
-the memory deallocation of of->priv performed within cgroup_file_release().
-However, the operations involving of->priv executed within pressure_write()
-are not entirely covered by the protection of cgroup_mutex. Consequently,
-if the code in pressure_write(), specifically the section handling the
-ctx variable executes after cgroup_file_release() has completed, a uaf
-vulnerability involving of->priv is triggered.
-
-Therefore, the issue can be resolved by extending the scope of the
-cgroup_mutex lock within pressure_write() to encompass all code paths
-involving of->priv, thereby properly synchronizing the race condition
-occurring between cgroup_file_release() and pressure_write().
-
-And, if an live kn lock can be successfully acquired while executing
-the pressure write operation, it indicates that the cgroup deletion
-process has not yet reached its final stage; consequently, the priv
-pointer within open_file cannot be NULL. Therefore, the operation to
-retrieve the ctx value must be moved to a point *after* the live kn
-lock has been successfully acquired.
-
-In another situation, specifically after entering cgroup_kn_lock_live()
-but before acquiring cgroup_mutex, there exists a different class of
-race condition:
-
-CPU0: write memory.pressure               CPU1: write cgroup.pressure=0
-===========================              =============================
-
-kernfs_fop_write_iter()
- kernfs_get_active_of(of)
- pressure_write()
-   cgroup_kn_lock_live(memory.pressure)
-     cgroup_tryget(cgrp)
-     kernfs_break_active_protection(kn)
-     ... blocks on cgroup_mutex
-
-                                         cgroup_pressure_write()
-                                         cgroup_kn_lock_live(cgroup.pressure)
-                                         cgroup_file_show(memory.pressure, false)
-                                           kernfs_show(false)
-                                             kernfs_drain_open_files()
-                                               cgroup_file_release(of)
-                                                 kfree(ctx)
-                                                   of->priv = NULL
-                                         cgroup_kn_unlock()
-
-   ... acquires cgroup_mutex
-   ctx = of->priv;        // may now be NULL
-   if (ctx->psi.trigger)  // NULL dereference
-
-Consequently, there is a possibility that of->priv is NULL, the pressure
-write needs to check for this.
-
-Now that the scope of the cgroup_mutex has been expanded, the original
-explicit cgroup_get/put operations are no longer necessary, this is
-because acquiring/releasing the live kn lock inherently executes a
-cgroup get/put operation.
-
-[1]
-BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
-Call Trace:
- pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
- cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
- kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352
-
-Allocated by task 9352:
- cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
- kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
- do_dentry_open+0x83d/0x13e0 fs/open.c:949
-
-Freed by task 9353:
- cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
- kernfs_release_file fs/kernfs/file.c:764 [inline]
- kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
- kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525
-
-Fixes: 0e94682b73bf ("psi: introduce psi monitor")
-Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
-Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Signed-off-by: Edward Adam Davis <eadavis@qq.com>
-Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/cgroup/cgroup.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
-index 5ff7619301458..606d17021e3e1 100644
---- a/kernel/cgroup/cgroup.c
-+++ b/kernel/cgroup/cgroup.c
-@@ -3786,33 +3786,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v)
- static ssize_t pressure_write(struct kernfs_open_file *of, char *buf,
-                             size_t nbytes, enum psi_res res)
- {
--      struct cgroup_file_ctx *ctx = of->priv;
-+      struct cgroup_file_ctx *ctx;
-       struct psi_trigger *new;
-       struct cgroup *cgrp;
-       struct psi_group *psi;
-+      ssize_t ret = 0;
-       cgrp = cgroup_kn_lock_live(of->kn, false);
-       if (!cgrp)
-               return -ENODEV;
--      cgroup_get(cgrp);
--      cgroup_kn_unlock(of->kn);
-+      ctx = of->priv;
-+      if (!ctx) {
-+              ret = -ENODEV;
-+              goto out_unlock;
-+      }
-       /* Allow only one trigger per file descriptor */
-       if (ctx->psi.trigger) {
--              cgroup_put(cgrp);
--              return -EBUSY;
-+              ret = -EBUSY;
-+              goto out_unlock;
-       }
-       psi = cgroup_psi(cgrp);
-       new = psi_trigger_create(psi, buf, res, of->file, of);
-       if (IS_ERR(new)) {
--              cgroup_put(cgrp);
--              return PTR_ERR(new);
-+              ret = PTR_ERR(new);
-+              goto out_unlock;
-       }
-       smp_store_release(&ctx->psi.trigger, new);
--      cgroup_put(cgrp);
-+
-+out_unlock:
-+      cgroup_kn_unlock(of->kn);
-+      if (ret)
-+              return ret;
-       return nbytes;
- }
--- 
-2.53.0
-
index 1dbf800e2730c88c9d5f649830ef3214eb0476e2..3d3794e37d7556fe7bb2e13b682f90389a0cc7ec 100644 (file)
@@ -724,7 +724,6 @@ fs-adfs-validate-nzones-in-adfs_validate_bblk.patch
 rtc-abx80x-disable-alarm-feature-if-no-interrupt-att.patch
 fbdev-offb-fix-pci-device-reference-leak-on-probe-fa.patch
 mailbox-mailbox-test-free-channels-on-probe-error.patch
-sched-psi-fix-race-between-file-release-and-pressure.patch
 cgroup-rdma-fix-integer-overflow-in-rdmacg_try_charg.patch
 mailbox-add-sanity-check-for-channel-array.patch
 mailbox-mailbox-test-don-t-free-the-reused-channel.patch
index 4648934e51a2fcfa9525f58cebf2892135313c7c..20e22b3d17fb5d8244f123fb2bee0dce6192def7 100644 (file)
@@ -21,14 +21,12 @@ Signed-off-by: Petr Malat <oss@malat.biz>
 Signed-off-by: Tejun Heo <tj@kernel.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- kernel/cgroup/cgroup.c | 22 ++++++++++++----------
+ kernel/cgroup/cgroup.c |   22 ++++++++++++----------
  1 file changed, 12 insertions(+), 10 deletions(-)
 
-diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
-index 0914a1a189ee1..dfb93a201fc32 100644
 --- a/kernel/cgroup/cgroup.c
 +++ b/kernel/cgroup/cgroup.c
-@@ -5654,16 +5654,6 @@ static void offline_css(struct cgroup_subsys_state *css)
+@@ -5646,16 +5646,6 @@ static void offline_css(struct cgroup_su
        RCU_INIT_POINTER(css->cgroup->subsys[ss->id], NULL);
  
        wake_up_all(&css->cgroup->offline_waitq);
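Review bot: The commit message "drop sched patch" does not record why the sched/psi file-release race fix (a KASAN use-after-free fix with a syzbot Reported-by/Tested-by trail in the deleted copies) is being removed from the 5.10, 5.15, 6.1, 6.6 and 6.12 queues, nor that this refresh of the 6.12 cgroup-increment-nr_dying_subsys patch is a consequence of that drop. The hunk offsets in this patch move from 5654 to 5646 here and by the same 8 lines in the two following hunks (5965→5957, 6001→5993), which matches the net +8 lines (16 insertions, 8 deletions in kernel/cgroup/cgroup.c) of the dropped psi patch in the 5.10/5.15/6.1 copies; the 6.12 copy is cut off at the end of this page, so I assume it has the same diffstat. The rest of this file's change (dropped `diff --git`/`index` lines, the diffstat column spacing, the removed `2.53.0` trailer in the last hunk) looks like a plain quilt refresh and changes no patch content. I would expand the message to something like `drop sched/psi file-release race patch from the 5.10-6.12 queues (reason: <maintainer to fill in>) and refresh queue-6.12/cgroup-increment-nr_dying_subsys-from-rmdir-context.patch for the resulting cgroup.c offset shift` so that anyone later auditing which stable series carry the UAF fix can see the decision and its rationale in the history.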
@@ -45,7 +43,7 @@ index 0914a1a189ee1..dfb93a201fc32 100644
  }
  
  /**
-@@ -5965,6 +5955,8 @@ static void css_killed_ref_fn(struct percpu_ref *ref)
+@@ -5957,6 +5947,8 @@ static void css_killed_ref_fn(struct per
   */
  static void kill_css(struct cgroup_subsys_state *css)
  {
@@ -54,7 +52,7 @@ index 0914a1a189ee1..dfb93a201fc32 100644
        lockdep_assert_held(&cgroup_mutex);
  
        if (css->flags & CSS_DYING)
-@@ -6001,6 +5993,16 @@ static void kill_css(struct cgroup_subsys_state *css)
+@@ -5993,6 +5985,16 @@ static void kill_css(struct cgroup_subsy
         * css is confirmed to be seen as killed on all CPUs.
         */
        percpu_ref_kill_and_confirm(&css->refcnt, css_killed_ref_fn);
@@ -71,6 +69,3 @@ index 0914a1a189ee1..dfb93a201fc32 100644
  }
  
  /**
--- 
-2.53.0
-
diff --git a/queue-6.12/sched-psi-fix-race-between-file-release-and-pressure.patch b/queue-6.12/sched-psi-fix-race-between-file-release-and-pressure.patch
deleted file mode 100644 (file)
index 8655a07..0000000
+++ /dev/null
@@ -1,184 +0,0 @@
-From 91e55e720471f5e138aff9beaf82a3a935007529 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 14 Apr 2026 14:15:43 +0800
-Subject: sched/psi: fix race between file release and pressure write
-
-From: Edward Adam Davis <eadavis@qq.com>
-
-[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ]
-
-A potential race condition exists between pressure write and cgroup file
-release regarding the priv member of struct kernfs_open_file, which
-triggers the uaf reported in [1].
-
-Consider the following scenario involving execution on two separate CPUs:
-
-   CPU0                                        CPU1
-   ====                                        ====
-                                       vfs_rmdir()
-                                       kernfs_iop_rmdir()
-                                       cgroup_rmdir()
-                                       cgroup_kn_lock_live()
-                                       cgroup_destroy_locked()
-                                       cgroup_addrm_files()
-                                       cgroup_rm_file()
-                                       kernfs_remove_by_name()
-                                       kernfs_remove_by_name_ns()
- vfs_write()                           __kernfs_remove()
- new_sync_write()                      kernfs_drain()
- kernfs_fop_write_iter()               kernfs_drain_open_files()
- cgroup_file_write()                   kernfs_release_file()
- pressure_write()                      cgroup_file_release()
- ctx = of->priv;
-                                       kfree(ctx);
-                                       of->priv = NULL;
-                                       cgroup_kn_unlock()
- cgroup_kn_lock_live()
- cgroup_get(cgrp)
- cgroup_kn_unlock()
- if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv
-
-The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards
-the memory deallocation of of->priv performed within cgroup_file_release().
-However, the operations involving of->priv executed within pressure_write()
-are not entirely covered by the protection of cgroup_mutex. Consequently,
-if the code in pressure_write(), specifically the section handling the
-ctx variable executes after cgroup_file_release() has completed, a uaf
-vulnerability involving of->priv is triggered.
-
-Therefore, the issue can be resolved by extending the scope of the
-cgroup_mutex lock within pressure_write() to encompass all code paths
-involving of->priv, thereby properly synchronizing the race condition
-occurring between cgroup_file_release() and pressure_write().
-
-And, if an live kn lock can be successfully acquired while executing
-the pressure write operation, it indicates that the cgroup deletion
-process has not yet reached its final stage; consequently, the priv
-pointer within open_file cannot be NULL. Therefore, the operation to
-retrieve the ctx value must be moved to a point *after* the live kn
-lock has been successfully acquired.
-
-In another situation, specifically after entering cgroup_kn_lock_live()
-but before acquiring cgroup_mutex, there exists a different class of
-race condition:
-
-CPU0: write memory.pressure               CPU1: write cgroup.pressure=0
-===========================              =============================
-
-kernfs_fop_write_iter()
- kernfs_get_active_of(of)
- pressure_write()
-   cgroup_kn_lock_live(memory.pressure)
-     cgroup_tryget(cgrp)
-     kernfs_break_active_protection(kn)
-     ... blocks on cgroup_mutex
-
-                                         cgroup_pressure_write()
-                                         cgroup_kn_lock_live(cgroup.pressure)
-                                         cgroup_file_show(memory.pressure, false)
-                                           kernfs_show(false)
-                                             kernfs_drain_open_files()
-                                               cgroup_file_release(of)
-                                                 kfree(ctx)
-                                                   of->priv = NULL
-                                         cgroup_kn_unlock()
-
-   ... acquires cgroup_mutex
-   ctx = of->priv;        // may now be NULL
-   if (ctx->psi.trigger)  // NULL dereference
-
-Consequently, there is a possibility that of->priv is NULL, the pressure
-write needs to check for this.
-
-Now that the scope of the cgroup_mutex has been expanded, the original
-explicit cgroup_get/put operations are no longer necessary, this is
-because acquiring/releasing the live kn lock inherently executes a
-cgroup get/put operation.
-
-[1]
-BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
-Call Trace:
- pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
- cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
- kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352
-
-Allocated by task 9352:
- cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
- kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
- do_dentry_open+0x83d/0x13e0 fs/open.c:949
-
-Freed by task 9353:
- cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
- kernfs_release_file fs/kernfs/file.c:764 [inline]
- kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
- kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525
-
-Fixes: 0e94682b73bf ("psi: introduce psi monitor")
-Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
-Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Signed-off-by: Edward Adam Davis <eadavis@qq.com>
-Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/cgroup/cgroup.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
-index 046f671532b04..0914a1a189ee1 100644
---- a/kernel/cgroup/cgroup.c
-+++ b/kernel/cgroup/cgroup.c
-@@ -3876,33 +3876,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v)
- static ssize_t pressure_write(struct kernfs_open_file *of, char *buf,
-                             size_t nbytes, enum psi_res res)
- {
--      struct cgroup_file_ctx *ctx = of->priv;
-+      struct cgroup_file_ctx *ctx;
-       struct psi_trigger *new;
-       struct cgroup *cgrp;
-       struct psi_group *psi;
-+      ssize_t ret = 0;
-       cgrp = cgroup_kn_lock_live(of->kn, false);
-       if (!cgrp)
-               return -ENODEV;
--      cgroup_get(cgrp);
--      cgroup_kn_unlock(of->kn);
-+      ctx = of->priv;
-+      if (!ctx) {
-+              ret = -ENODEV;
-+              goto out_unlock;
-+      }
-       /* Allow only one trigger per file descriptor */
-       if (ctx->psi.trigger) {
--              cgroup_put(cgrp);
--              return -EBUSY;
-+              ret = -EBUSY;
-+              goto out_unlock;
-       }
-       psi = cgroup_psi(cgrp);
-       new = psi_trigger_create(psi, buf, res, of->file, of);
-       if (IS_ERR(new)) {
--              cgroup_put(cgrp);
--              return PTR_ERR(new);
-+              ret = PTR_ERR(new);
-+              goto out_unlock;
-       }
-       smp_store_release(&ctx->psi.trigger, new);
--      cgroup_put(cgrp);
-+
-+out_unlock:
-+      cgroup_kn_unlock(of->kn);
-+      if (ret)
-+              return ret;
-       return nbytes;
- }
--- 
-2.53.0
-
index 56e5acbd717bacf17f1ad5b705bdc5830e8457b2..7420ef7a80f1441e9a42f2d3dfed717bf5d78318 100644 (file)
@@ -496,7 +496,6 @@ kbuild-builddeb-avoid-recompiles-for-non-cross-compi.patch
 fbdev-offb-fix-pci-device-reference-leak-on-probe-fa.patch
 mailbox-mtk-cmdq-fix-curr-and-end-addr-for-task-inse.patch
 mailbox-mailbox-test-free-channels-on-probe-error.patch
-sched-psi-fix-race-between-file-release-and-pressure.patch
 cgroup-rdma-fix-integer-overflow-in-rdmacg_try_charg.patch
 mailbox-add-sanity-check-for-channel-array.patch
 mailbox-mailbox-test-don-t-free-the-reused-channel.patch
diff --git a/queue-6.6/sched-psi-fix-race-between-file-release-and-pressure.patch b/queue-6.6/sched-psi-fix-race-between-file-release-and-pressure.patch
deleted file mode 100644 (file)
index 307a63d..0000000
+++ /dev/null
@@ -1,184 +0,0 @@
-From 9f1f225c06def48af6e2401809a56061e4ef9672 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 14 Apr 2026 14:15:43 +0800
-Subject: sched/psi: fix race between file release and pressure write
-
-From: Edward Adam Davis <eadavis@qq.com>
-
-[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ]
-
-A potential race condition exists between pressure write and cgroup file
-release regarding the priv member of struct kernfs_open_file, which
-triggers the uaf reported in [1].
-
-Consider the following scenario involving execution on two separate CPUs:
-
-   CPU0                                        CPU1
-   ====                                        ====
-                                       vfs_rmdir()
-                                       kernfs_iop_rmdir()
-                                       cgroup_rmdir()
-                                       cgroup_kn_lock_live()
-                                       cgroup_destroy_locked()
-                                       cgroup_addrm_files()
-                                       cgroup_rm_file()
-                                       kernfs_remove_by_name()
-                                       kernfs_remove_by_name_ns()
- vfs_write()                           __kernfs_remove()
- new_sync_write()                      kernfs_drain()
- kernfs_fop_write_iter()               kernfs_drain_open_files()
- cgroup_file_write()                   kernfs_release_file()
- pressure_write()                      cgroup_file_release()
- ctx = of->priv;
-                                       kfree(ctx);
-                                       of->priv = NULL;
-                                       cgroup_kn_unlock()
- cgroup_kn_lock_live()
- cgroup_get(cgrp)
- cgroup_kn_unlock()
- if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv
-
-The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards
-the memory deallocation of of->priv performed within cgroup_file_release().
-However, the operations involving of->priv executed within pressure_write()
-are not entirely covered by the protection of cgroup_mutex. Consequently,
-if the code in pressure_write(), specifically the section handling the
-ctx variable executes after cgroup_file_release() has completed, a uaf
-vulnerability involving of->priv is triggered.
-
-Therefore, the issue can be resolved by extending the scope of the
-cgroup_mutex lock within pressure_write() to encompass all code paths
-involving of->priv, thereby properly synchronizing the race condition
-occurring between cgroup_file_release() and pressure_write().
-
-And, if an live kn lock can be successfully acquired while executing
-the pressure write operation, it indicates that the cgroup deletion
-process has not yet reached its final stage; consequently, the priv
-pointer within open_file cannot be NULL. Therefore, the operation to
-retrieve the ctx value must be moved to a point *after* the live kn
-lock has been successfully acquired.
-
-In another situation, specifically after entering cgroup_kn_lock_live()
-but before acquiring cgroup_mutex, there exists a different class of
-race condition:
-
-CPU0: write memory.pressure               CPU1: write cgroup.pressure=0
-===========================              =============================
-
-kernfs_fop_write_iter()
- kernfs_get_active_of(of)
- pressure_write()
-   cgroup_kn_lock_live(memory.pressure)
-     cgroup_tryget(cgrp)
-     kernfs_break_active_protection(kn)
-     ... blocks on cgroup_mutex
-
-                                         cgroup_pressure_write()
-                                         cgroup_kn_lock_live(cgroup.pressure)
-                                         cgroup_file_show(memory.pressure, false)
-                                           kernfs_show(false)
-                                             kernfs_drain_open_files()
-                                               cgroup_file_release(of)
-                                                 kfree(ctx)
-                                                   of->priv = NULL
-                                         cgroup_kn_unlock()
-
-   ... acquires cgroup_mutex
-   ctx = of->priv;        // may now be NULL
-   if (ctx->psi.trigger)  // NULL dereference
-
-Consequently, there is a possibility that of->priv is NULL, the pressure
-write needs to check for this.
-
-Now that the scope of the cgroup_mutex has been expanded, the original
-explicit cgroup_get/put operations are no longer necessary, this is
-because acquiring/releasing the live kn lock inherently executes a
-cgroup get/put operation.
-
-[1]
-BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
-Call Trace:
- pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
- cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
- kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352
-
-Allocated by task 9352:
- cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
- kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
- do_dentry_open+0x83d/0x13e0 fs/open.c:949
-
-Freed by task 9353:
- cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
- kernfs_release_file fs/kernfs/file.c:764 [inline]
- kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
- kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525
-
-Fixes: 0e94682b73bf ("psi: introduce psi monitor")
-Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
-Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Signed-off-by: Edward Adam Davis <eadavis@qq.com>
-Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/cgroup/cgroup.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
-index e787dc0eacd7d..97812c0b04dd6 100644
---- a/kernel/cgroup/cgroup.c
-+++ b/kernel/cgroup/cgroup.c
-@@ -3775,33 +3775,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v)
- static ssize_t pressure_write(struct kernfs_open_file *of, char *buf,
-                             size_t nbytes, enum psi_res res)
- {
--      struct cgroup_file_ctx *ctx = of->priv;
-+      struct cgroup_file_ctx *ctx;
-       struct psi_trigger *new;
-       struct cgroup *cgrp;
-       struct psi_group *psi;
-+      ssize_t ret = 0;
-       cgrp = cgroup_kn_lock_live(of->kn, false);
-       if (!cgrp)
-               return -ENODEV;
--      cgroup_get(cgrp);
--      cgroup_kn_unlock(of->kn);
-+      ctx = of->priv;
-+      if (!ctx) {
-+              ret = -ENODEV;
-+              goto out_unlock;
-+      }
-       /* Allow only one trigger per file descriptor */
-       if (ctx->psi.trigger) {
--              cgroup_put(cgrp);
--              return -EBUSY;
-+              ret = -EBUSY;
-+              goto out_unlock;
-       }
-       psi = cgroup_psi(cgrp);
-       new = psi_trigger_create(psi, buf, res, of->file, of);
-       if (IS_ERR(new)) {
--              cgroup_put(cgrp);
--              return PTR_ERR(new);
-+              ret = PTR_ERR(new);
-+              goto out_unlock;
-       }
-       smp_store_release(&ctx->psi.trigger, new);
--      cgroup_put(cgrp);
-+
-+out_unlock:
-+      cgroup_kn_unlock(of->kn);
-+      if (ret)
-+              return ret;
-       return nbytes;
- }
--- 
-2.53.0
-
index 6bd51a1cc0184033e0f6712a564147bf183c064c..81515b336a75853826e38ab8872f6e8c237ae9f4 100644 (file)
@@ -353,7 +353,6 @@ fs-adfs-validate-nzones-in-adfs_validate_bblk.patch
 rtc-abx80x-disable-alarm-feature-if-no-interrupt-att.patch
 fbdev-offb-fix-pci-device-reference-leak-on-probe-fa.patch
 mailbox-mailbox-test-free-channels-on-probe-error.patch
-sched-psi-fix-race-between-file-release-and-pressure.patch
 cgroup-rdma-fix-integer-overflow-in-rdmacg_try_charg.patch
 mailbox-add-sanity-check-for-channel-array.patch
 mailbox-mailbox-test-don-t-free-the-reused-channel.patch