Linux Kernel PSI Trigger Polling Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of Pressure Stall Information (PSI) triggers within control groups (cgroups). The issue arises when a cgroup is removed while a process is still polling the cgroup's PSI trigger file. Cgroup removal calls the release handler for the cgroup file, and if the file is still in use, the handler frees a pointer that the polling process is still accessing, producing a use-after-free. A previous patch addressed this issue for the epoll case, but the same vulnerability persists for synchronous poll() operations. The root cause is the mismatched lifetimes of the PSI trigger's waitqueue and the corresponding file, creating a vulnerability that can be exploited during cgroup removal.

Impact

Triggering this vulnerability produces a use-after-free in kernel memory, which can result in memory corruption or, potentially, arbitrary code execution.

Reproduction

To reproduce this vulnerability, create a cgroup and start a process polling a PSI trigger file associated with that cgroup. While the poll is still active, remove the cgroup. The removal releases the cgroup file before the polling process has finished, so the polling process then accesses the freed pointer, which is the use-after-free.

Remediation

The vulnerability has been fixed in the upstream Linux kernel. Users should upgrade to the latest version.

Added: Dec 24, 2025, 12:48 PM
Updated: Dec 24, 2025, 12:48 PM

Vulnerability Rating

Custom Algorithm
spread          9.0
impact          2.5
exploitability  5.7
remediation     7.7
relevance       1.7
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.