CVE-2025-39881

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
23/09/2025
Last modified:
23/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

kernfs: Fix UAF in polling when open file is released

A use-after-free (UAF) vulnerability was identified in the PSI (Pressure Stall Information) monitoring mechanism:

BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140
Read of size 8 at addr ffff3de3d50bd308 by task systemd/1

psi_trigger_poll+0x3c/0x140
cgroup_pressure_poll+0x70/0xa0
cgroup_file_poll+0x8c/0x100
kernfs_fop_poll+0x11c/0x1c0
ep_item_poll.isra.0+0x188/0x2c0

Allocated by task 1:
cgroup_file_open+0x88/0x388
kernfs_fop_open+0x73c/0xaf0
do_dentry_open+0x5fc/0x1200
vfs_open+0xa0/0x3f0
do_open+0x7e8/0xd08
path_openat+0x2fc/0x6b0
do_filp_open+0x174/0x368

Freed by task 8462:
cgroup_file_release+0x130/0x1f8
kernfs_drain_open_files+0x17c/0x440
kernfs_drain+0x2dc/0x360
kernfs_show+0x1b8/0x288
cgroup_file_show+0x150/0x268
cgroup_pressure_write+0x1dc/0x340
cgroup_file_write+0x274/0x548

Reproduction Steps:
1. Open test/cpu.pressure and establish epoll monitoring
2. Disable monitoring: echo 0 > test/cgroup.pressure
3. Re-enable monitoring: echo 1 > test/cgroup.pressure

The race condition occurs because:
1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:
   - Releases PSI triggers via cgroup_file_release()
   - Frees of->priv through kernfs_drain_open_files()
2. While epoll still holds a reference to the file and continues polling
3. Re-enabling (echo 1 > cgroup.pressure) accesses the freed of->priv

epolling                              disable/enable cgroup.pressure
fd=open(cpu.pressure)
while(1)
...
epoll_wait
kernfs_fop_poll
kernfs_get_active = true              echo 0 > cgroup.pressure
...                                   cgroup_file_show
                                      kernfs_show
                                      // inactive kn
                                      kernfs_drain_open_files
                                      cft->release(of);
                                      kfree(ctx);
...
kernfs_get_active = false
                                      echo 1 > cgroup.pressure
                                      kernfs_show
                                      kernfs_activate_one(kn);
kernfs_fop_poll
kernfs_get_active = true
cgroup_file_poll
psi_trigger_poll
// UAF
...
end: close(fd)

To address this issue, introduce kernfs_get_active_of() for kernfs open files to obtain active references. This function will fail if the open file has been released. Replace kernfs_get_active() with kernfs_get_active_of() to prevent further operations on released file descriptors.
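As an added illustration (not kernel code and not from the fix commit), a small user-space C model of why checking only the node's active state is not enough once the open file has been released: the struct and function names below are hypothetical stand-ins for kernfs_node, kernfs_open_file and the two reference-taking helpers.

```c
/* User-space model (added example, not kernel code) of the kernfs open-file
 * lifetime problem this fix addresses. model_node and model_open_file are
 * simplified, hypothetical stand-ins for kernfs_node and kernfs_open_file. */
#include <stdbool.h>
#include <stdlib.h>

struct model_node { bool active; };
struct model_open_file {
    struct model_node *kn;
    bool released;  /* set once cft->release(of) has run */
    long *priv;     /* stands in for the PSI trigger ctx kfree'd on release */
};

/* Old check (kernfs_get_active): only asks whether the node is active. */
static bool get_active(struct model_node *kn) { return kn->active; }

/* New check, modelled on the described kernfs_get_active_of(): fails when
 * the open file has already been released, whatever the node state. */
static bool get_active_of(struct model_open_file *of)
{
    return !of->released && get_active(of->kn);
}

/* kernfs_drain_open_files on an inactive kn: the release callback frees
 * of->priv, but the open file stays alive because epoll still holds it. */
static void drain_open_file(struct model_open_file *of)
{
    of->kn->active = false;
    free(of->priv);
    of->priv = NULL;    /* NULL marks "freed" so the model never derefs it */
    of->released = true;
}

/* Poll path. 1: trigger read; 0: refused; -1: would have read freed ctx. */
static int poll_model(struct model_open_file *of, bool use_of_check)
{
    if (!(use_of_check ? get_active_of(of) : get_active(of->kn)))
        return 0;
    return of->priv ? (int)*of->priv : -1;
}

/* Sequence from the report: open, echo 0 (drain), echo 1 (re-activate), poll. */
int run_sequence(bool use_of_check)
{
    struct model_node kn = { .active = true };
    struct model_open_file of = { .kn = &kn, .priv = malloc(sizeof(long)) };
    *of.priv = 1;
    drain_open_file(&of);                  /* echo 0 > cgroup.pressure */
    kn.active = true;                      /* echo 1 > cgroup.pressure */
    return poll_model(&of, use_of_check);  /* epoll_wait -> kernfs_fop_poll */
}
```

With the node-only check the poll proceeds to the freed context after re-enable; with the open-file check it is refused, which is the behaviour the fix describes.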

Impact