github - ghsa-j7pj-g3hv-5hcw

GHSA-J7PJ-G3HV-5HCW

Vulnerability from github – Published: 2025-12-24 12:30 – Updated: 2025-12-24 12:30

Details

In the Linux kernel, the following vulnerability has been resolved:

sched/psi: use kernfs polling functions for PSI trigger polling

Destroying psi trigger in cgroup_file_release causes UAF issues when a cgroup is removed from under a polling process. This is happening because cgroup removal causes a call to cgroup_file_release while the actual file is still alive. Destroying the trigger at this point would also destroy its waitqueue head and if there is still a polling process on that file accessing the waitqueue, it will step on the freed pointer:

do_select vfs_poll do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy wake_up_pollfree(&t->event_wait) // vfs_poll is unblocked synchronize_rcu kfree(t) poll_freewait -> UAF access to the trigger's waitqueue head

Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), however the same issue exists for synchronous poll() case. The root cause of this issue is that the lifecycles of the psi trigger's waitqueue and of the file associated with the trigger are different. Fix this by using kernfs_generic_poll function when polling on cgroup-specific psi triggers. It internally uses kernfs_open_node->poll waitqueue head with its lifecycle tied to the file's lifecycle. This also renders the fix in [1] obsolete, so revert it.

[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()")

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-54019"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T11:15:54Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: use kernfs polling functions for PSI trigger polling\n\nDestroying psi trigger in cgroup_file_release causes UAF issues when\na cgroup is removed from under a polling process. This is happening\nbecause cgroup removal causes a call to cgroup_file_release while the\nactual file is still alive. Destroying the trigger at this point would\nalso destroy its waitqueue head and if there is still a polling process\non that file accessing the waitqueue, it will step on the freed pointer:\n\ndo_select\n  vfs_poll\n                           do_rmdir\n                             cgroup_rmdir\n                               kernfs_drain_open_files\n                                 cgroup_file_release\n                                   cgroup_pressure_release\n                                     psi_trigger_destroy\n                                       wake_up_pollfree(\u0026t-\u003eevent_wait)\n// vfs_poll is unblocked\n                                       synchronize_rcu\n                                       kfree(t)\n  poll_freewait -\u003e UAF access to the trigger\u0027s waitqueue head\n\nPatch [1] fixed this issue for epoll() case using wake_up_pollfree(),\nhowever the same issue exists for synchronous poll() case.\nThe root cause of this issue is that the lifecycles of the psi trigger\u0027s\nwaitqueue and of the file associated with the trigger are different. Fix\nthis by using kernfs_generic_poll function when polling on cgroup-specific\npsi triggers. It internally uses kernfs_open_node-\u003epoll waitqueue head\nwith its lifecycle tied to the file\u0027s lifecycle. This also renders the\nfix in [1] obsolete, so revert it.\n\n[1] commit c2dbe32d5db5 (\"sched/psi: Fix use-after-free in ep_remove_wait_queue()\")",
  "id": "GHSA-j7pj-g3hv-5hcw",
  "modified": "2025-12-24T12:30:28Z",
  "published": "2025-12-24T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54019"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2023-54019 (GCVE-0-2023-54019)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55

Title

sched/psi: use kernfs polling functions for PSI trigger polling

Summary

In the Linux kernel, the following vulnerability has been resolved: sched/psi: use kernfs polling functions for PSI trigger polling Destroying psi trigger in cgroup_file_release causes UAF issues when a cgroup is removed from under a polling process. This is happening because cgroup removal causes a call to cgroup_file_release while the actual file is still alive. Destroying the trigger at this point would also destroy its waitqueue head and if there is still a polling process on that file accessing the waitqueue, it will step on the freed pointer: do_select vfs_poll do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy wake_up_pollfree(&t->event_wait) // vfs_poll is unblocked synchronize_rcu kfree(t) poll_freewait -> UAF access to the trigger's waitqueue head Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), however the same issue exists for synchronous poll() case. The root cause of this issue is that the lifecycles of the psi trigger's waitqueue and of the file associated with the trigger are different. Fix this by using kernfs_generic_poll function when polling on cgroup-specific psi triggers. It internally uses kernfs_open_node->poll waitqueue head with its lifecycle tied to the file's lifecycle. This also renders the fix in [1] obsolete, so revert it. [1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()")

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/92cc0153324b6ae85…
	https://git.kernel.org/stable/c/d124ab17024cc85a1…
	https://git.kernel.org/stable/c/aff037078ecaecf34…

Impacted products

Vendor

Product

Version

Linux

Affected: 0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < 92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a (git)
Affected: 0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < d124ab17024cc85a1079b7810a018a497ebc13da (git)
Affected: 0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < aff037078ecaecf34a7c2afab1341815f90fba5e (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 6.1.42 , ≤ 6.1.* (semver)
Unaffected: 6.4.7 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/psi.h",
            "include/linux/psi_types.h",
            "kernel/cgroup/cgroup.c",
            "kernel/sched/psi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a",
              "status": "affected",
              "version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
              "versionType": "git"
            },
            {
              "lessThan": "d124ab17024cc85a1079b7810a018a497ebc13da",
              "status": "affected",
              "version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
              "versionType": "git"
            },
            {
              "lessThan": "aff037078ecaecf34a7c2afab1341815f90fba5e",
              "status": "affected",
              "version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/psi.h",
            "include/linux/psi_types.h",
            "kernel/cgroup/cgroup.c",
            "kernel/sched/psi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: use kernfs polling functions for PSI trigger polling\n\nDestroying psi trigger in cgroup_file_release causes UAF issues when\na cgroup is removed from under a polling process. This is happening\nbecause cgroup removal causes a call to cgroup_file_release while the\nactual file is still alive. Destroying the trigger at this point would\nalso destroy its waitqueue head and if there is still a polling process\non that file accessing the waitqueue, it will step on the freed pointer:\n\ndo_select\n  vfs_poll\n                           do_rmdir\n                             cgroup_rmdir\n                               kernfs_drain_open_files\n                                 cgroup_file_release\n                                   cgroup_pressure_release\n                                     psi_trigger_destroy\n                                       wake_up_pollfree(\u0026t-\u003eevent_wait)\n// vfs_poll is unblocked\n                                       synchronize_rcu\n                                       kfree(t)\n  poll_freewait -\u003e UAF access to the trigger\u0027s waitqueue head\n\nPatch [1] fixed this issue for epoll() case using wake_up_pollfree(),\nhowever the same issue exists for synchronous poll() case.\nThe root cause of this issue is that the lifecycles of the psi trigger\u0027s\nwaitqueue and of the file associated with the trigger are different. Fix\nthis by using kernfs_generic_poll function when polling on cgroup-specific\npsi triggers. It internally uses kernfs_open_node-\u003epoll waitqueue head\nwith its lifecycle tied to the file\u0027s lifecycle. This also renders the\nfix in [1] obsolete, so revert it.\n\n[1] commit c2dbe32d5db5 (\"sched/psi: Fix use-after-free in ep_remove_wait_queue()\")"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:55:49.840Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da"
        },
        {
          "url": "https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e"
        }
      ],
      "title": "sched/psi: use kernfs polling functions for PSI trigger polling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54019",
    "datePublished": "2025-12-24T10:55:49.840Z",
    "dateReserved": "2025-12-24T10:53:46.179Z",
    "dateUpdated": "2025-12-24T10:55:49.840Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-J7PJ-G3HV-5HCW

CVE-2023-54019 (GCVE-0-2023-54019)

Tags

Sightings

Nomenclature