Re: [PATCH] sched/psi: fix race between file release and pressure write
From: Chen Ridong
Date: Fri Apr 10 2026 - 05:01:14 EST
On 2026/4/10 12:00, Edward Adam Davis wrote:
> A potential race condition exists between pressure write and cgroup file
> release regarding the priv member of struct kernfs_open_file, which
> triggers the uaf reported in [1].
>
> The scope of the cgroup_mutex protection in pressure write has been
> expanded to prevent the uaf described in [1].
>
> [1]
> BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
> Call Trace:
> pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
> cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
> kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352
>
> Allocated by task 9352:
> cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
> kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
> do_dentry_open+0x83d/0x13e0 fs/open.c:949
>
> Freed by task 9353:
> cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
> kernfs_release_file fs/kernfs/file.c:764 [inline]
> kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
> kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525
>
> Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> Reported-by: syzbot+33e571025d88efd1312c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
> Tested-by: syzbot+33e571025d88efd1312c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> ---
> kernel/cgroup/cgroup.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
Hi Edward,
Thank you for fixing this issue. The patch looks plausible, but the root cause
is not entirely clear from the diff alone. Could you please add more details to
the commit message explaining how the issue occurs and why this change resolves it?
Thanks.
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index 4ca3cb993da2..c0cfe91c2991 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -4005,11 +4005,11 @@ static ssize_t pressure_write(struct kernfs_open_file *of, char *buf,
> return -ENODEV;
>
> cgroup_get(cgrp);
> - cgroup_kn_unlock(of->kn);
>
> /* Allow only one trigger per file descriptor */
> if (ctx->psi.trigger) {
> cgroup_put(cgrp);
> + cgroup_kn_unlock(of->kn);
> return -EBUSY;
> }
>
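Review bot: with cgroup_kn_unlock(of->kn) no longer issued right after cgroup_get(cgrp), the cgroup_get()/cgroup_put() pair in this function appears to lose its purpose: it existed to keep cgrp alive after the lock was dropped early, and now the lock is held until every return (cgroup_put(cgrp) immediately precedes each new unlock). Please either drop the get/put pair in the same patch or state in the commit message why it is still required, so the next reader does not take it as a hint that the lock may be released before the trigger is stored. The -EBUSY path itself looks correct (put, then unlock, then return), and every exit in this hunk now has a matching unlock.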
> @@ -4017,12 +4017,14 @@ static ssize_t pressure_write(struct kernfs_open_file *of, char *buf,
> new = psi_trigger_create(psi, buf, res, of->file, of);
> if (IS_ERR(new)) {
> cgroup_put(cgrp);
> + cgroup_kn_unlock(of->kn);
> return PTR_ERR(new);
> }
>
> smp_store_release(&ctx->psi.trigger, new);
> cgroup_put(cgrp);
>
> + cgroup_kn_unlock(of->kn);
> return nbytes;
> }
>
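Review bot: the substantive change here is that psi_trigger_create() now runs with the kernfs node locked, i.e. under cgroup_mutex, instead of after the unlock; since that call allocates and can sleep, the commit message should say why widening a global mutex's hold time is acceptable, and it should make the correctness argument explicit: the reported free site (cgroup_file_release via kernfs_drain) is reached under the same lock, and cgroup_kn_lock_live breaks the caller's kernfs active protection, which is why holding cgroup_mutex until after smp_store_release(&ctx->psi.trigger, new) is what actually excludes the release path rather than the active reference the write path would otherwise hold. Without that explanation in the log, the moved unlocks read as a mechanical change and the next refactor could reintroduce the early unlock. Also please keep the put/unlock order on the final path identical to the error paths, as this hunk already does, so all four exits can be checked at a glance.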
--
Best regards,
Ridong