Re: [PATCH] sched/psi: fix race between file release and pressure write

[Edward Adam Davis]

On Fri, 10 Apr 2026 17:00:55 +0800, Chen Ridong wrote:
> > A potential race condition exists between pressure write and cgroup file
> > release regarding the priv member of struct kernfs_open_file, which
> > triggers the uaf reported in [1].
> > 
> > The scope of the cgroup_mutex protection in pressure write has been
> > expanded to prevent the uaf described in [1].
> > 
> > [1]
> > BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
> > Call Trace:
> >  pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
> >  cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
> >  kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352
> > 
> > Allocated by task 9352:
> >  cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
> >  kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
> >  do_dentry_open+0x83d/0x13e0 fs/open.c:949
> > 
> > Freed by task 9353:
> >  cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
> >  kernfs_release_file fs/kernfs/file.c:764 [inline]
> >  kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
> >  kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525
> > 
> > Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> > Reported-by: syzbot+33e571025d88efd1312c@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
> > Tested-by: syzbot+33e571025d88efd1312c@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> > ---
> >  kernel/cgroup/cgroup.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> 
> Hi Edward,
> 
> Thank you for fixing this issue. The patch looks plausible, but the root cause
> is not entirely clear from the diff alone. Could you please add more details to
> the commit message explaining how the issue occurs and why this change resolves it?
Consider the following scenario involving execution on two separate CPUs:

   CPU0					CPU1
   ====					====
					vfs_rmdir()
					kernfs_iop_rmdir()
					cgroup_rmdir()
					cgroup_kn_lock_live()
					cgroup_destroy_locked()
					cgroup_addrm_files()
					cgroup_rm_file()
					kernfs_remove_by_name()
					kernfs_remove_by_name_ns()
 vfs_write()				__kernfs_remove()
 new_sync_write()			kernfs_drain()
 kernfs_fop_write_iter()		kernfs_drain_open_files()
 cgroup_file_write()			kernfs_release_file()
 pressure_write()			cgroup_file_release()
 ctx = of->priv;
					kfree(ctx);
 					of->priv = NULL;
					cgroup_kn_unlock()
 cgroup_kn_lock_live()
 if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv

The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards
the memory deallocation of of->priv performed within cgroup_file_release().
However, the operations involving of->priv executed within pressure_write()
are not entirely covered by the protection of cgroup_mutex. Consequently,
if the code in pressure_write(), specifically the section handling the
ctx variable executes after cgroup_file_release() has completed, a uaf
vulnerability involving of->priv is triggered.

Therefore, the issue can be resolved simply by extending the scope of
the cgroup_mutex lock within pressure_write() to encompass all code
paths involving of->priv, thereby properly synchronizing the race condition
occurring between cgroup_file_release() and pressure_write().

Edward
BR