Wind River Support Network

Acknowledged

LIN1023-15455 : Security Advisory - linux - CVE-2025-39881

Created: Sep 23, 2025    Updated: Sep 25, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

kernfs: Fix UAF in polling when open file is released

A use-after-free (UAF) vulnerability was identified in the PSI (Pressure
Stall Information) monitoring mechanism:

BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140
Read of size 8 at addr ffff3de3d50bd308 by task systemd/1

psi_trigger_poll+0x3c/0x140
cgroup_pressure_poll+0x70/0xa0
cgroup_file_poll+0x8c/0x100
kernfs_fop_poll+0x11c/0x1c0
ep_item_poll.isra.0+0x188/0x2c0

Allocated by task 1:
cgroup_file_open+0x88/0x388
kernfs_fop_open+0x73c/0xaf0
do_dentry_open+0x5fc/0x1200
vfs_open+0xa0/0x3f0
do_open+0x7e8/0xd08
path_openat+0x2fc/0x6b0
do_filp_open+0x174/0x368

Freed by task 8462:
cgroup_file_release+0x130/0x1f8
kernfs_drain_open_files+0x17c/0x440
kernfs_drain+0x2dc/0x360
kernfs_show+0x1b8/0x288
cgroup_file_show+0x150/0x268
cgroup_pressure_write+0x1dc/0x340
cgroup_file_write+0x274/0x548

Reproduction Steps:
1. Open test/cpu.pressure and establish epoll monitoring
2. Disable monitoring: echo 0 > test/cgroup.pressure
3. Re-enable monitoring: echo 1 > test/cgroup.pressure

The race condition occurs because:
1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:
   - Releases PSI triggers via cgroup_file_release()
   - Frees of->priv through kernfs_drain_open_files()
2. While epoll still holds a reference to the file and continues polling
3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv

epolling                          disable/enable cgroup.pressure
fd=open(cpu.pressure)
while(1)
...
epoll_wait
kernfs_fop_poll
kernfs_get_active = true          echo 0 > cgroup.pressure
...                               cgroup_file_show
                                  kernfs_show
                                  // inactive kn
                                  kernfs_drain_open_files
                                  cft->release(of);
                                  kfree(ctx);
                                  ...
kernfs_get_active = false
                                  echo 1 > cgroup.pressure
                                  kernfs_show
                                  kernfs_activate_one(kn);
kernfs_fop_poll
kernfs_get_active = true
cgroup_file_poll
psi_trigger_poll
// UAF
...
end: close(fd)

To address this issue, introduce kernfs_get_active_of() for kernfs open
files to obtain active references. This function will fail if the open file
has been released. Replace kernfs_get_active() with kernfs_get_active_of()
to prevent further operations on released file descriptors.