From: Greg Kroah-Hartman
Date: Sat, 23 May 2026 09:22:36 +0000 (+0200)
Subject: drop sched patch
X-Git-Tag: v6.6.141~5
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=440121cf0754b8740473d6a74a25bb2ee407748d;p=thirdparty%2Fkernel%2Fstable-queue.git

drop sched patch
---

diff --git a/queue-5.10/sched-psi-fix-race-between-file-release-and-pressure.patch b/queue-5.10/sched-psi-fix-race-between-file-release-and-pressure.patch
deleted file mode 100644
index 17f1a48a6f..0000000000
--- a/queue-5.10/sched-psi-fix-race-between-file-release-and-pressure.patch
+++ /dev/null
@@ -1,184 +0,0 @@ -From 17bb6914ae5bb542ac6a27b8b5d93509c831e6d4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Apr 2026 14:15:43 +0800 -Subject: sched/psi: fix race between file release and pressure write - -From: Edward Adam Davis - -[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ] - -A potential race condition exists between pressure write and cgroup file -release regarding the priv member of struct kernfs_open_file, which -triggers the uaf reported in [1]. - -Consider the following scenario involving execution on two separate CPUs: - - CPU0 CPU1 - ==== ==== - vfs_rmdir() - kernfs_iop_rmdir() - cgroup_rmdir() - cgroup_kn_lock_live() - cgroup_destroy_locked() - cgroup_addrm_files() - cgroup_rm_file() - kernfs_remove_by_name() - kernfs_remove_by_name_ns() - vfs_write() __kernfs_remove() - new_sync_write() kernfs_drain() - kernfs_fop_write_iter() kernfs_drain_open_files() - cgroup_file_write() kernfs_release_file() - pressure_write() cgroup_file_release() - ctx = of->priv; - kfree(ctx); - of->priv = NULL; - cgroup_kn_unlock() - cgroup_kn_lock_live() - cgroup_get(cgrp) - cgroup_kn_unlock() - if (ctx->psi.trigger) // here, trigger uaf for ctx, that is of->priv - -The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards -the memory deallocation of of->priv performed within cgroup_file_release(). -However, the operations involving of->priv executed within pressure_write() -are not entirely covered by the protection of cgroup_mutex. Consequently, -if the code in pressure_write(), specifically the section handling the -ctx variable executes after cgroup_file_release() has completed, a uaf -vulnerability involving of->priv is triggered. - -Therefore, the issue can be resolved by extending the scope of the -cgroup_mutex lock within pressure_write() to encompass all code paths -involving of->priv, thereby properly synchronizing the race condition -occurring between cgroup_file_release() and pressure_write(). 
- -And, if an live kn lock can be successfully acquired while executing -the pressure write operation, it indicates that the cgroup deletion -process has not yet reached its final stage; consequently, the priv -pointer within open_file cannot be NULL. Therefore, the operation to -retrieve the ctx value must be moved to a point *after* the live kn -lock has been successfully acquired. - -In another situation, specifically after entering cgroup_kn_lock_live() -but before acquiring cgroup_mutex, there exists a different class of -race condition: - -CPU0: write memory.pressure CPU1: write cgroup.pressure=0 -=========================== ============================= - -kernfs_fop_write_iter() - kernfs_get_active_of(of) - pressure_write() - cgroup_kn_lock_live(memory.pressure) - cgroup_tryget(cgrp) - kernfs_break_active_protection(kn) - ... blocks on cgroup_mutex - - cgroup_pressure_write() - cgroup_kn_lock_live(cgroup.pressure) - cgroup_file_show(memory.pressure, false) - kernfs_show(false) - kernfs_drain_open_files() - cgroup_file_release(of) - kfree(ctx) - of->priv = NULL - cgroup_kn_unlock() - - ... acquires cgroup_mutex - ctx = of->priv; // may now be NULL - if (ctx->psi.trigger) // NULL dereference - -Consequently, there is a possibility that of->priv is NULL, the pressure -write needs to check for this. - -Now that the scope of the cgroup_mutex has been expanded, the original -explicit cgroup_get/put operations are no longer necessary, this is -because acquiring/releasing the live kn lock inherently executes a -cgroup get/put operation. 
- -[1] -BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011 -Call Trace: - pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011 - cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311 - kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352 - -Allocated by task 9352: - cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256 - kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724 - do_dentry_open+0x83d/0x13e0 fs/open.c:949 - -Freed by task 9353: - cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283 - kernfs_release_file fs/kernfs/file.c:764 [inline] - kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834 - kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525 - -Fixes: 0e94682b73bf ("psi: introduce psi monitor") -Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c -Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com -Signed-off-by: Edward Adam Davis -Reviewed-by: Chen Ridong -Signed-off-by: Tejun Heo -Signed-off-by: Sasha Levin ---- - kernel/cgroup/cgroup.c | 24 ++++++++++++++++-------- - 1 file changed, 16 insertions(+), 8 deletions(-) - -diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c -index 8d420e00d89a7..42d6b76208d42 100644 ---- a/kernel/cgroup/cgroup.c -+++ b/kernel/cgroup/cgroup.c -@@ -3679,33 +3679,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v) - static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf, - size_t nbytes, enum psi_res res) - { -- struct cgroup_file_ctx *ctx = of->priv; -+ struct cgroup_file_ctx *ctx; - struct psi_trigger *new; - struct cgroup *cgrp; - struct psi_group *psi; -+ ssize_t ret = 0; - - cgrp = cgroup_kn_lock_live(of->kn, false); - if (!cgrp) - return -ENODEV; - -- cgroup_get(cgrp); -- cgroup_kn_unlock(of->kn); -+ ctx = of->priv; -+ if (!ctx) { -+ ret = -ENODEV; -+ goto out_unlock; -+ } - - /* Allow only one trigger per file descriptor */ - if 
(ctx->psi.trigger) { -- cgroup_put(cgrp); -- return -EBUSY; -+ ret = -EBUSY; -+ goto out_unlock; - } - - psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi; - new = psi_trigger_create(psi, buf, nbytes, res); - if (IS_ERR(new)) { -- cgroup_put(cgrp); -- return PTR_ERR(new); -+ ret = PTR_ERR(new); -+ goto out_unlock; - } - - smp_store_release(&ctx->psi.trigger, new); -- cgroup_put(cgrp); -+ -+out_unlock: -+ cgroup_kn_unlock(of->kn); -+ if (ret) -+ return ret; - - return nbytes; - } --- -2.53.0 - diff --git a/queue-5.10/series b/queue-5.10/series index f2c2518af1..0dc6bd55ba 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -462,7 +462,6 @@ rtc-introduce-features-bitfield.patch rtc-abx80x-disable-alarm-feature-if-no-interrupt-att.patch fbdev-offb-fix-pci-device-reference-leak-on-probe-fa.patch mailbox-mailbox-test-free-channels-on-probe-error.patch -sched-psi-fix-race-between-file-release-and-pressure.patch cgroup-rdma-fix-integer-overflow-in-rdmacg_try_charg.patch mailbox-add-sanity-check-for-channel-array.patch mailbox-mailbox-test-don-t-free-the-reused-channel.patch diff --git a/queue-5.15/sched-psi-fix-race-between-file-release-and-pressure.patch b/queue-5.15/sched-psi-fix-race-between-file-release-and-pressure.patch deleted file mode 100644 index 96ffe73370..0000000000 --- a/queue-5.15/sched-psi-fix-race-between-file-release-and-pressure.patch +++ /dev/null 
@@ -1,184 +0,0 @@ -From ee493c7f339cb2ff38fd005d3aeeb792e773e2c9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Apr 2026 14:15:43 +0800 -Subject: sched/psi: fix race between file release and pressure write - -From: Edward Adam Davis - -[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ] - -A potential race condition exists between pressure write and cgroup file -release regarding the priv member of struct kernfs_open_file, which -triggers the uaf reported in [1]. - -Consider the following scenario involving execution on two separate CPUs: - - CPU0 CPU1 - ==== ==== - vfs_rmdir() - kernfs_iop_rmdir() - cgroup_rmdir() - cgroup_kn_lock_live() - cgroup_destroy_locked() - cgroup_addrm_files() - cgroup_rm_file() - kernfs_remove_by_name() - kernfs_remove_by_name_ns() - vfs_write() __kernfs_remove() - new_sync_write() kernfs_drain() - kernfs_fop_write_iter() kernfs_drain_open_files() - cgroup_file_write() kernfs_release_file() - pressure_write() cgroup_file_release() - ctx = of->priv; - kfree(ctx); - of->priv = NULL; - cgroup_kn_unlock() - cgroup_kn_lock_live() - cgroup_get(cgrp) - cgroup_kn_unlock() - if (ctx->psi.trigger) // here, trigger uaf for ctx, that is of->priv - -The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards -the memory deallocation of of->priv performed within cgroup_file_release(). -However, the operations involving of->priv executed within pressure_write() -are not entirely covered by the protection of cgroup_mutex. Consequently, -if the code in pressure_write(), specifically the section handling the -ctx variable executes after cgroup_file_release() has completed, a uaf -vulnerability involving of->priv is triggered. - -Therefore, the issue can be resolved by extending the scope of the -cgroup_mutex lock within pressure_write() to encompass all code paths -involving of->priv, thereby properly synchronizing the race condition -occurring between cgroup_file_release() and pressure_write(). 
- -And, if an live kn lock can be successfully acquired while executing -the pressure write operation, it indicates that the cgroup deletion -process has not yet reached its final stage; consequently, the priv -pointer within open_file cannot be NULL. Therefore, the operation to -retrieve the ctx value must be moved to a point *after* the live kn -lock has been successfully acquired. - -In another situation, specifically after entering cgroup_kn_lock_live() -but before acquiring cgroup_mutex, there exists a different class of -race condition: - -CPU0: write memory.pressure CPU1: write cgroup.pressure=0 -=========================== ============================= - -kernfs_fop_write_iter() - kernfs_get_active_of(of) - pressure_write() - cgroup_kn_lock_live(memory.pressure) - cgroup_tryget(cgrp) - kernfs_break_active_protection(kn) - ... blocks on cgroup_mutex - - cgroup_pressure_write() - cgroup_kn_lock_live(cgroup.pressure) - cgroup_file_show(memory.pressure, false) - kernfs_show(false) - kernfs_drain_open_files() - cgroup_file_release(of) - kfree(ctx) - of->priv = NULL - cgroup_kn_unlock() - - ... acquires cgroup_mutex - ctx = of->priv; // may now be NULL - if (ctx->psi.trigger) // NULL dereference - -Consequently, there is a possibility that of->priv is NULL, the pressure -write needs to check for this. - -Now that the scope of the cgroup_mutex has been expanded, the original -explicit cgroup_get/put operations are no longer necessary, this is -because acquiring/releasing the live kn lock inherently executes a -cgroup get/put operation. 
- -[1] -BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011 -Call Trace: - pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011 - cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311 - kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352 - -Allocated by task 9352: - cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256 - kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724 - do_dentry_open+0x83d/0x13e0 fs/open.c:949 - -Freed by task 9353: - cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283 - kernfs_release_file fs/kernfs/file.c:764 [inline] - kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834 - kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525 - -Fixes: 0e94682b73bf ("psi: introduce psi monitor") -Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c -Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com -Signed-off-by: Edward Adam Davis -Reviewed-by: Chen Ridong -Signed-off-by: Tejun Heo -Signed-off-by: Sasha Levin ---- - kernel/cgroup/cgroup.c | 24 ++++++++++++++++-------- - 1 file changed, 16 insertions(+), 8 deletions(-) - -diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c -index 2048fc3e22565..f131da1a8abfa 100644 ---- a/kernel/cgroup/cgroup.c -+++ b/kernel/cgroup/cgroup.c -@@ -3720,33 +3720,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v) - static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf, - size_t nbytes, enum psi_res res) - { -- struct cgroup_file_ctx *ctx = of->priv; -+ struct cgroup_file_ctx *ctx; - struct psi_trigger *new; - struct cgroup *cgrp; - struct psi_group *psi; -+ ssize_t ret = 0; - - cgrp = cgroup_kn_lock_live(of->kn, false); - if (!cgrp) - return -ENODEV; - -- cgroup_get(cgrp); -- cgroup_kn_unlock(of->kn); -+ ctx = of->priv; -+ if (!ctx) { -+ ret = -ENODEV; -+ goto out_unlock; -+ } - - /* Allow only one trigger per file descriptor */ - if 
(ctx->psi.trigger) { -- cgroup_put(cgrp); -- return -EBUSY; -+ ret = -EBUSY; -+ goto out_unlock; - } - - psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi; - new = psi_trigger_create(psi, buf, nbytes, res); - if (IS_ERR(new)) { -- cgroup_put(cgrp); -- return PTR_ERR(new); -+ ret = PTR_ERR(new); -+ goto out_unlock; - } - - smp_store_release(&ctx->psi.trigger, new); -- cgroup_put(cgrp); -+ -+out_unlock: -+ cgroup_kn_unlock(of->kn); -+ if (ret) -+ return ret; - - return nbytes; - } --- -2.53.0 - diff --git a/queue-5.15/series b/queue-5.15/series index 9a7919ca50..5d41863e3d 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -601,7 +601,6 @@ fs-adfs-validate-nzones-in-adfs_validate_bblk.patch rtc-abx80x-disable-alarm-feature-if-no-interrupt-att.patch fbdev-offb-fix-pci-device-reference-leak-on-probe-fa.patch mailbox-mailbox-test-free-channels-on-probe-error.patch -sched-psi-fix-race-between-file-release-and-pressure.patch cgroup-rdma-fix-integer-overflow-in-rdmacg_try_charg.patch mailbox-add-sanity-check-for-channel-array.patch mailbox-mailbox-test-don-t-free-the-reused-channel.patch diff --git a/queue-6.1/sched-psi-fix-race-between-file-release-and-pressure.patch b/queue-6.1/sched-psi-fix-race-between-file-release-and-pressure.patch deleted file mode 100644 index 9cc31d4127..0000000000 --- a/queue-6.1/sched-psi-fix-race-between-file-release-and-pressure.patch +++ /dev/null 
@@ -1,184 +0,0 @@ -From 2e2c61fbd84f62f4d4e13a22afe85e345d092aa4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Apr 2026 14:15:43 +0800 -Subject: sched/psi: fix race between file release and pressure write - -From: Edward Adam Davis - -[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ] - -A potential race condition exists between pressure write and cgroup file -release regarding the priv member of struct kernfs_open_file, which -triggers the uaf reported in [1]. - -Consider the following scenario involving execution on two separate CPUs: - - CPU0 CPU1 - ==== ==== - vfs_rmdir() - kernfs_iop_rmdir() - cgroup_rmdir() - cgroup_kn_lock_live() - cgroup_destroy_locked() - cgroup_addrm_files() - cgroup_rm_file() - kernfs_remove_by_name() - kernfs_remove_by_name_ns() - vfs_write() __kernfs_remove() - new_sync_write() kernfs_drain() - kernfs_fop_write_iter() kernfs_drain_open_files() - cgroup_file_write() kernfs_release_file() - pressure_write() cgroup_file_release() - ctx = of->priv; - kfree(ctx); - of->priv = NULL; - cgroup_kn_unlock() - cgroup_kn_lock_live() - cgroup_get(cgrp) - cgroup_kn_unlock() - if (ctx->psi.trigger) // here, trigger uaf for ctx, that is of->priv - -The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards -the memory deallocation of of->priv performed within cgroup_file_release(). -However, the operations involving of->priv executed within pressure_write() -are not entirely covered by the protection of cgroup_mutex. Consequently, -if the code in pressure_write(), specifically the section handling the -ctx variable executes after cgroup_file_release() has completed, a uaf -vulnerability involving of->priv is triggered. - -Therefore, the issue can be resolved by extending the scope of the -cgroup_mutex lock within pressure_write() to encompass all code paths -involving of->priv, thereby properly synchronizing the race condition -occurring between cgroup_file_release() and pressure_write(). 
- -And, if an live kn lock can be successfully acquired while executing -the pressure write operation, it indicates that the cgroup deletion -process has not yet reached its final stage; consequently, the priv -pointer within open_file cannot be NULL. Therefore, the operation to -retrieve the ctx value must be moved to a point *after* the live kn -lock has been successfully acquired. - -In another situation, specifically after entering cgroup_kn_lock_live() -but before acquiring cgroup_mutex, there exists a different class of -race condition: - -CPU0: write memory.pressure CPU1: write cgroup.pressure=0 -=========================== ============================= - -kernfs_fop_write_iter() - kernfs_get_active_of(of) - pressure_write() - cgroup_kn_lock_live(memory.pressure) - cgroup_tryget(cgrp) - kernfs_break_active_protection(kn) - ... blocks on cgroup_mutex - - cgroup_pressure_write() - cgroup_kn_lock_live(cgroup.pressure) - cgroup_file_show(memory.pressure, false) - kernfs_show(false) - kernfs_drain_open_files() - cgroup_file_release(of) - kfree(ctx) - of->priv = NULL - cgroup_kn_unlock() - - ... acquires cgroup_mutex - ctx = of->priv; // may now be NULL - if (ctx->psi.trigger) // NULL dereference - -Consequently, there is a possibility that of->priv is NULL, the pressure -write needs to check for this. - -Now that the scope of the cgroup_mutex has been expanded, the original -explicit cgroup_get/put operations are no longer necessary, this is -because acquiring/releasing the live kn lock inherently executes a -cgroup get/put operation. 
- -[1] -BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011 -Call Trace: - pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011 - cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311 - kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352 - -Allocated by task 9352: - cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256 - kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724 - do_dentry_open+0x83d/0x13e0 fs/open.c:949 - -Freed by task 9353: - cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283 - kernfs_release_file fs/kernfs/file.c:764 [inline] - kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834 - kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525 - -Fixes: 0e94682b73bf ("psi: introduce psi monitor") -Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c -Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com -Signed-off-by: Edward Adam Davis -Reviewed-by: Chen Ridong -Signed-off-by: Tejun Heo -Signed-off-by: Sasha Levin ---- - kernel/cgroup/cgroup.c | 24 ++++++++++++++++-------- - 1 file changed, 16 insertions(+), 8 deletions(-) - -diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c -index 5ff7619301458..606d17021e3e1 100644 ---- a/kernel/cgroup/cgroup.c -+++ b/kernel/cgroup/cgroup.c -@@ -3786,33 +3786,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v) - static ssize_t pressure_write(struct kernfs_open_file *of, char *buf, - size_t nbytes, enum psi_res res) - { -- struct cgroup_file_ctx *ctx = of->priv; -+ struct cgroup_file_ctx *ctx; - struct psi_trigger *new; - struct cgroup *cgrp; - struct psi_group *psi; -+ ssize_t ret = 0; - - cgrp = cgroup_kn_lock_live(of->kn, false); - if (!cgrp) - return -ENODEV; - -- cgroup_get(cgrp); -- cgroup_kn_unlock(of->kn); -+ ctx = of->priv; -+ if (!ctx) { -+ ret = -ENODEV; -+ goto out_unlock; -+ } - - /* Allow only one trigger per file descriptor */ - if 
(ctx->psi.trigger) { -- cgroup_put(cgrp); -- return -EBUSY; -+ ret = -EBUSY; -+ goto out_unlock; - } - - psi = cgroup_psi(cgrp); - new = psi_trigger_create(psi, buf, res, of->file, of); - if (IS_ERR(new)) { -- cgroup_put(cgrp); -- return PTR_ERR(new); -+ ret = PTR_ERR(new); -+ goto out_unlock; - } - - smp_store_release(&ctx->psi.trigger, new); -- cgroup_put(cgrp); -+ -+out_unlock: -+ cgroup_kn_unlock(of->kn); -+ if (ret) -+ return ret; - - return nbytes; - } --- -2.53.0 - diff --git a/queue-6.1/series b/queue-6.1/series index 1dbf800e27..3d3794e37d 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -724,7 +724,6 @@ fs-adfs-validate-nzones-in-adfs_validate_bblk.patch rtc-abx80x-disable-alarm-feature-if-no-interrupt-att.patch fbdev-offb-fix-pci-device-reference-leak-on-probe-fa.patch mailbox-mailbox-test-free-channels-on-probe-error.patch -sched-psi-fix-race-between-file-release-and-pressure.patch cgroup-rdma-fix-integer-overflow-in-rdmacg_try_charg.patch mailbox-add-sanity-check-for-channel-array.patch mailbox-mailbox-test-don-t-free-the-reused-channel.patch diff --git a/queue-6.12/cgroup-increment-nr_dying_subsys_-from-rmdir-context.patch b/queue-6.12/cgroup-increment-nr_dying_subsys_-from-rmdir-context.patch index 4648934e51..20e22b3d17 100644 --- a/queue-6.12/cgroup-increment-nr_dying_subsys_-from-rmdir-context.patch +++ b/queue-6.12/cgroup-increment-nr_dying_subsys_-from-rmdir-context.patch @@ -21,14 +21,12 @@ Signed-off-by: Petr Malat Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin --- - kernel/cgroup/cgroup.c | 22 ++++++++++++---------- + kernel/cgroup/cgroup.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) -diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c -index 0914a1a189ee1..dfb93a201fc32 100644 --- a/kernel/cgroup/cgroup.c 
+++ b/kernel/cgroup/cgroup.c -@@ -5654,16 +5654,6 @@ static void offline_css(struct cgroup_subsys_state *css) +@@ -5646,16 +5646,6 @@ static void offline_css(struct cgroup_su RCU_INIT_POINTER(css->cgroup->subsys[ss->id], NULL); wake_up_all(&css->cgroup->offline_waitq); @@ -45,7 +43,7 @@ index 0914a1a189ee1..dfb93a201fc32 100644 } /** -@@ -5965,6 +5955,8 @@ static void css_killed_ref_fn(struct percpu_ref *ref) +@@ -5957,6 +5947,8 @@ static void css_killed_ref_fn(struct per */ static void kill_css(struct cgroup_subsys_state *css) { @@ -54,7 +52,7 @@ index 0914a1a189ee1..dfb93a201fc32 100644 lockdep_assert_held(&cgroup_mutex); if (css->flags & CSS_DYING) -@@ -6001,6 +5993,16 @@ static void kill_css(struct cgroup_subsys_state *css) +@@ -5993,6 +5985,16 @@ static void kill_css(struct cgroup_subsy * css is confirmed to be seen as killed on all CPUs. */ percpu_ref_kill_and_confirm(&css->refcnt, css_killed_ref_fn); @@ -71,6 +69,3 @@ index 0914a1a189ee1..dfb93a201fc32 100644 } /** --- -2.53.0 - diff --git a/queue-6.12/sched-psi-fix-race-between-file-release-and-pressure.patch b/queue-6.12/sched-psi-fix-race-between-file-release-and-pressure.patch deleted file mode 100644 index 8655a075b4..0000000000 --- a/queue-6.12/sched-psi-fix-race-between-file-release-and-pressure.patch +++ /dev/null 
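Review bot: The hunk-header rebase in this patch file (`-@@ -5654,16 +5654,6 @@` → `+@@ -5646,16 +5646,6 @@`, and the two later pairs, all shifted by 8 lines) is the only place the commit shows its effect on a patch that stays queued, yet the one-line message `drop sched patch` gives no reason for withdrawing a syzbot-reported slab-use-after-free fix in pressure_write() (upstream a5b98009f16d) from the 5.10, 5.15, 6.1, 6.6 and 6.12 queues. The 8-line shift and the dropped `index 0914a1a189ee1..dfb93a201fc32` line are consistent with a mechanical quilt refresh against the tree without the psi patch (that patch is +16/−8 and 0914a1a189ee1 is its post-image in queue-6.12), so I see no content change in the cgroup.c hunks themselves, and the `- kernel/cgroup/cgroup.c | 22` / `+ kernel/cgroup/cgroup.c | 22` diffstat pair appears to differ only in whitespace. I would record the reason in the commit message, e.g. `drop sched/psi UAF fix from all queues: <reason — upstream revert / build failure / backport bug>; corrected backport to follow`, so that anyone auditing the stable trees can tell the fix was withheld deliberately rather than lost in a queue shuffle.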
@@ -1,184 +0,0 @@ -From 91e55e720471f5e138aff9beaf82a3a935007529 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Apr 2026 14:15:43 +0800 -Subject: sched/psi: fix race between file release and pressure write - -From: Edward Adam Davis - -[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ] - -A potential race condition exists between pressure write and cgroup file -release regarding the priv member of struct kernfs_open_file, which -triggers the uaf reported in [1]. - -Consider the following scenario involving execution on two separate CPUs: - - CPU0 CPU1 - ==== ==== - vfs_rmdir() - kernfs_iop_rmdir() - cgroup_rmdir() - cgroup_kn_lock_live() - cgroup_destroy_locked() - cgroup_addrm_files() - cgroup_rm_file() - kernfs_remove_by_name() - kernfs_remove_by_name_ns() - vfs_write() __kernfs_remove() - new_sync_write() kernfs_drain() - kernfs_fop_write_iter() kernfs_drain_open_files() - cgroup_file_write() kernfs_release_file() - pressure_write() cgroup_file_release() - ctx = of->priv; - kfree(ctx); - of->priv = NULL; - cgroup_kn_unlock() - cgroup_kn_lock_live() - cgroup_get(cgrp) - cgroup_kn_unlock() - if (ctx->psi.trigger) // here, trigger uaf for ctx, that is of->priv - -The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards -the memory deallocation of of->priv performed within cgroup_file_release(). -However, the operations involving of->priv executed within pressure_write() -are not entirely covered by the protection of cgroup_mutex. Consequently, -if the code in pressure_write(), specifically the section handling the -ctx variable executes after cgroup_file_release() has completed, a uaf -vulnerability involving of->priv is triggered. - -Therefore, the issue can be resolved by extending the scope of the -cgroup_mutex lock within pressure_write() to encompass all code paths -involving of->priv, thereby properly synchronizing the race condition -occurring between cgroup_file_release() and pressure_write(). 
- -And, if an live kn lock can be successfully acquired while executing -the pressure write operation, it indicates that the cgroup deletion -process has not yet reached its final stage; consequently, the priv -pointer within open_file cannot be NULL. Therefore, the operation to -retrieve the ctx value must be moved to a point *after* the live kn -lock has been successfully acquired. - -In another situation, specifically after entering cgroup_kn_lock_live() -but before acquiring cgroup_mutex, there exists a different class of -race condition: - -CPU0: write memory.pressure CPU1: write cgroup.pressure=0 -=========================== ============================= - -kernfs_fop_write_iter() - kernfs_get_active_of(of) - pressure_write() - cgroup_kn_lock_live(memory.pressure) - cgroup_tryget(cgrp) - kernfs_break_active_protection(kn) - ... blocks on cgroup_mutex - - cgroup_pressure_write() - cgroup_kn_lock_live(cgroup.pressure) - cgroup_file_show(memory.pressure, false) - kernfs_show(false) - kernfs_drain_open_files() - cgroup_file_release(of) - kfree(ctx) - of->priv = NULL - cgroup_kn_unlock() - - ... acquires cgroup_mutex - ctx = of->priv; // may now be NULL - if (ctx->psi.trigger) // NULL dereference - -Consequently, there is a possibility that of->priv is NULL, the pressure -write needs to check for this. - -Now that the scope of the cgroup_mutex has been expanded, the original -explicit cgroup_get/put operations are no longer necessary, this is -because acquiring/releasing the live kn lock inherently executes a -cgroup get/put operation. 
- -[1] -BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011 -Call Trace: - pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011 - cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311 - kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352 - -Allocated by task 9352: - cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256 - kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724 - do_dentry_open+0x83d/0x13e0 fs/open.c:949 - -Freed by task 9353: - cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283 - kernfs_release_file fs/kernfs/file.c:764 [inline] - kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834 - kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525 - -Fixes: 0e94682b73bf ("psi: introduce psi monitor") -Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c -Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com -Signed-off-by: Edward Adam Davis -Reviewed-by: Chen Ridong -Signed-off-by: Tejun Heo -Signed-off-by: Sasha Levin ---- - kernel/cgroup/cgroup.c | 24 ++++++++++++++++-------- - 1 file changed, 16 insertions(+), 8 deletions(-) - -diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c -index 046f671532b04..0914a1a189ee1 100644 ---- a/kernel/cgroup/cgroup.c -+++ b/kernel/cgroup/cgroup.c -@@ -3876,33 +3876,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v) - static ssize_t pressure_write(struct kernfs_open_file *of, char *buf, - size_t nbytes, enum psi_res res) - { -- struct cgroup_file_ctx *ctx = of->priv; -+ struct cgroup_file_ctx *ctx; - struct psi_trigger *new; - struct cgroup *cgrp; - struct psi_group *psi; -+ ssize_t ret = 0; - - cgrp = cgroup_kn_lock_live(of->kn, false); - if (!cgrp) - return -ENODEV; - -- cgroup_get(cgrp); -- cgroup_kn_unlock(of->kn); -+ ctx = of->priv; -+ if (!ctx) { -+ ret = -ENODEV; -+ goto out_unlock; -+ } - - /* Allow only one trigger per file descriptor */ - if 
(ctx->psi.trigger) { -- cgroup_put(cgrp); -- return -EBUSY; -+ ret = -EBUSY; -+ goto out_unlock; - } - - psi = cgroup_psi(cgrp); - new = psi_trigger_create(psi, buf, res, of->file, of); - if (IS_ERR(new)) { -- cgroup_put(cgrp); -- return PTR_ERR(new); -+ ret = PTR_ERR(new); -+ goto out_unlock; - } - - smp_store_release(&ctx->psi.trigger, new); -- cgroup_put(cgrp); -+ -+out_unlock: -+ cgroup_kn_unlock(of->kn); -+ if (ret) -+ return ret; - - return nbytes; - } --- -2.53.0 - diff --git a/queue-6.12/series b/queue-6.12/series index 56e5acbd71..7420ef7a80 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -496,7 +496,6 @@ kbuild-builddeb-avoid-recompiles-for-non-cross-compi.patch fbdev-offb-fix-pci-device-reference-leak-on-probe-fa.patch mailbox-mtk-cmdq-fix-curr-and-end-addr-for-task-inse.patch mailbox-mailbox-test-free-channels-on-probe-error.patch -sched-psi-fix-race-between-file-release-and-pressure.patch cgroup-rdma-fix-integer-overflow-in-rdmacg_try_charg.patch mailbox-add-sanity-check-for-channel-array.patch mailbox-mailbox-test-don-t-free-the-reused-channel.patch diff --git a/queue-6.6/sched-psi-fix-race-between-file-release-and-pressure.patch b/queue-6.6/sched-psi-fix-race-between-file-release-and-pressure.patch deleted file mode 100644 index 307a63d60c..0000000000 --- a/queue-6.6/sched-psi-fix-race-between-file-release-and-pressure.patch +++ /dev/null 
@@ -1,184 +0,0 @@
-From 9f1f225c06def48af6e2401809a56061e4ef9672 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 14 Apr 2026 14:15:43 +0800
-Subject: sched/psi: fix race between file release and pressure write
-
-From: Edward Adam Davis
-
-[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ]
-
-A potential race condition exists between pressure write and cgroup file
-release regarding the priv member of struct kernfs_open_file, which
-triggers the uaf reported in [1].
-
-Consider the following scenario involving execution on two separate CPUs:
-
- CPU0 CPU1
- ==== ====
- vfs_rmdir()
- kernfs_iop_rmdir()
- cgroup_rmdir()
- cgroup_kn_lock_live()
- cgroup_destroy_locked()
- cgroup_addrm_files()
- cgroup_rm_file()
- kernfs_remove_by_name()
- kernfs_remove_by_name_ns()
- vfs_write() __kernfs_remove()
- new_sync_write() kernfs_drain()
- kernfs_fop_write_iter() kernfs_drain_open_files()
- cgroup_file_write() kernfs_release_file()
- pressure_write() cgroup_file_release()
- ctx = of->priv;
- kfree(ctx);
- of->priv = NULL;
- cgroup_kn_unlock()
- cgroup_kn_lock_live()
- cgroup_get(cgrp)
- cgroup_kn_unlock()
- if (ctx->psi.trigger) // here, trigger uaf for ctx, that is of->priv
-
-The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards
-the memory deallocation of of->priv performed within cgroup_file_release().
-However, the operations involving of->priv executed within pressure_write()
-are not entirely covered by the protection of cgroup_mutex. Consequently,
-if the code in pressure_write(), specifically the section handling the
-ctx variable executes after cgroup_file_release() has completed, a uaf
-vulnerability involving of->priv is triggered.
-
-Therefore, the issue can be resolved by extending the scope of the
-cgroup_mutex lock within pressure_write() to encompass all code paths
-involving of->priv, thereby properly synchronizing the race condition
-occurring between cgroup_file_release() and pressure_write().
-
-And, if an live kn lock can be successfully acquired while executing
-the pressure write operation, it indicates that the cgroup deletion
-process has not yet reached its final stage; consequently, the priv
-pointer within open_file cannot be NULL. Therefore, the operation to
-retrieve the ctx value must be moved to a point *after* the live kn
-lock has been successfully acquired.
-
-In another situation, specifically after entering cgroup_kn_lock_live()
-but before acquiring cgroup_mutex, there exists a different class of
-race condition:
-
-CPU0: write memory.pressure CPU1: write cgroup.pressure=0
-=========================== =============================
-
-kernfs_fop_write_iter()
- kernfs_get_active_of(of)
- pressure_write()
- cgroup_kn_lock_live(memory.pressure)
- cgroup_tryget(cgrp)
- kernfs_break_active_protection(kn)
- ... blocks on cgroup_mutex
-
- cgroup_pressure_write()
- cgroup_kn_lock_live(cgroup.pressure)
- cgroup_file_show(memory.pressure, false)
- kernfs_show(false)
- kernfs_drain_open_files()
- cgroup_file_release(of)
- kfree(ctx)
- of->priv = NULL
- cgroup_kn_unlock()
-
- ... acquires cgroup_mutex
- ctx = of->priv; // may now be NULL
- if (ctx->psi.trigger) // NULL dereference
-
-Consequently, there is a possibility that of->priv is NULL, the pressure
-write needs to check for this.
-
-Now that the scope of the cgroup_mutex has been expanded, the original
-explicit cgroup_get/put operations are no longer necessary, this is
-because acquiring/releasing the live kn lock inherently executes a
-cgroup get/put operation.
-
-[1]
-BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
-Call Trace:
- pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
- cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
- kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352
-
-Allocated by task 9352:
- cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
- kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
- do_dentry_open+0x83d/0x13e0 fs/open.c:949
-
-Freed by task 9353:
- cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
- kernfs_release_file fs/kernfs/file.c:764 [inline]
- kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
- kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525
-
-Fixes: 0e94682b73bf ("psi: introduce psi monitor")
-Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
-Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
-Signed-off-by: Edward Adam Davis
-Reviewed-by: Chen Ridong
-Signed-off-by: Tejun Heo
-Signed-off-by: Sasha Levin
----
- kernel/cgroup/cgroup.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
-index e787dc0eacd7d..97812c0b04dd6 100644
---- a/kernel/cgroup/cgroup.c
-+++ b/kernel/cgroup/cgroup.c
-@@ -3775,33 +3775,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v)
- static ssize_t pressure_write(struct kernfs_open_file *of, char *buf,
- size_t nbytes, enum psi_res res)
- {
-- struct cgroup_file_ctx *ctx = of->priv;
-+ struct cgroup_file_ctx *ctx;
- struct psi_trigger *new;
- struct cgroup *cgrp;
- struct psi_group *psi;
-+ ssize_t ret = 0;
-
- cgrp = cgroup_kn_lock_live(of->kn, false);
- if (!cgrp)
- return -ENODEV;
-
-- cgroup_get(cgrp);
-- cgroup_kn_unlock(of->kn);
-+ ctx = of->priv;
-+ if (!ctx) {
-+ ret = -ENODEV;
-+ goto out_unlock;
-+ }
-
- /* Allow only one trigger per file descriptor */
- if (ctx->psi.trigger) {
-- cgroup_put(cgrp);
-- return -EBUSY;
-+ ret = -EBUSY;
-+ goto out_unlock;
- }
-
- psi = cgroup_psi(cgrp);
- new = psi_trigger_create(psi, buf, res, of->file, of);
- if (IS_ERR(new)) {
-- cgroup_put(cgrp);
-- return PTR_ERR(new);
-+ ret = PTR_ERR(new);
-+ goto out_unlock;
- }
-
- smp_store_release(&ctx->psi.trigger, new);
-- cgroup_put(cgrp);
-+
-+out_unlock:
-+ cgroup_kn_unlock(of->kn);
-+ if (ret)
-+ return ret;
-
- return nbytes;
- }
---
-2.53.0
-
diff --git a/queue-6.6/series b/queue-6.6/series
index 6bd51a1cc0..81515b336a 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -353,7 +353,6 @@ fs-adfs-validate-nzones-in-adfs_validate_bblk.patch
 rtc-abx80x-disable-alarm-feature-if-no-interrupt-att.patch
 fbdev-offb-fix-pci-device-reference-leak-on-probe-fa.patch
 mailbox-mailbox-test-free-channels-on-probe-error.patch
-sched-psi-fix-race-between-file-release-and-pressure.patch
 cgroup-rdma-fix-integer-overflow-in-rdmacg_try_charg.patch
 mailbox-add-sanity-check-for-channel-array.patch
 mailbox-mailbox-test-don-t-free-the-reused-channel.patch