{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54019", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T10:53:46.179Z", "datePublished": "2025-12-24T10:55:49.840Z", "dateUpdated": "2025-12-24T10:55:49.840Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T10:55:49.840Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: use kernfs polling functions for PSI trigger polling\n\nDestroying psi trigger in cgroup_file_release causes UAF issues when\na cgroup is removed from under a polling process. This is happening\nbecause cgroup removal causes a call to cgroup_file_release while the\nactual file is still alive. Destroying the trigger at this point would\nalso destroy its waitqueue head and if there is still a polling process\non that file accessing the waitqueue, it will step on the freed pointer:\n\ndo_select\n vfs_poll\n do_rmdir\n cgroup_rmdir\n kernfs_drain_open_files\n cgroup_file_release\n cgroup_pressure_release\n psi_trigger_destroy\n wake_up_pollfree(&t->event_wait)\n// vfs_poll is unblocked\n synchronize_rcu\n kfree(t)\n poll_freewait -> UAF access to the trigger's waitqueue head\n\nPatch [1] fixed this issue for epoll() case using wake_up_pollfree(),\nhowever the same issue exists for synchronous poll() case.\nThe root cause of this issue is that the lifecycles of the psi trigger's\nwaitqueue and of the file associated with the trigger are different. Fix\nthis by using kernfs_generic_poll function when polling on cgroup-specific\npsi triggers. It internally uses kernfs_open_node->poll waitqueue head\nwith its lifecycle tied to the file's lifecycle. This also renders the\nfix in [1] obsolete, so revert it.\n\n[1] commit c2dbe32d5db5 (\"sched/psi: Fix use-after-free in ep_remove_wait_queue()\")"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/psi.h", "include/linux/psi_types.h", "kernel/cgroup/cgroup.c", "kernel/sched/psi.c"], "versions": [{"version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5", "lessThan": "92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a", "status": "affected", "versionType": "git"}, {"version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5", "lessThan": "d124ab17024cc85a1079b7810a018a497ebc13da", "status": "affected", "versionType": "git"}, {"version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5", "lessThan": "aff037078ecaecf34a7c2afab1341815f90fba5e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/psi.h", "include/linux/psi_types.h", "kernel/cgroup/cgroup.c", "kernel/sched/psi.c"], "versions": [{"version": "5.2", "status": "affected"}, {"version": "0", "lessThan": "5.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.42", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4.7", "lessThanOrEqual": "6.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2", "versionEndExcluding": "6.1.42"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2", "versionEndExcluding": "6.4.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2", "versionEndExcluding": "6.5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a"}, {"url": "https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da"}, {"url": "https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e"}], "title": "sched/psi: use kernfs polling functions for PSI trigger polling", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: use kernfs polling functions for PSI trigger polling\n\nDestroying psi trigger in cgroup_file_release causes UAF issues when\na cgroup is removed from under a polling process. This is happening\nbecause cgroup removal causes a call to cgroup_file_release while the\nactual file is still alive. Destroying the trigger at this point would\nalso destroy its waitqueue head and if there is still a polling process\non that file accessing the waitqueue, it will step on the freed pointer:\n\ndo_select\n vfs_poll\n do_rmdir\n cgroup_rmdir\n kernfs_drain_open_files\n cgroup_file_release\n cgroup_pressure_release\n psi_trigger_destroy\n wake_up_pollfree(&t->event_wait)\n// vfs_poll is unblocked\n synchronize_rcu\n kfree(t)\n poll_freewait -> UAF access to the trigger's waitqueue head\n\nPatch [1] fixed this issue for epoll() case using wake_up_pollfree(),\nhowever the same issue exists for synchronous poll() case.\nThe root cause of this issue is that the lifecycles of the psi trigger's\nwaitqueue and of the file associated with the trigger are different. Fix\nthis by using kernfs_generic_poll function when polling on cgroup-specific\npsi triggers. It internally uses kernfs_open_node->poll waitqueue head\nwith its lifecycle tied to the file's lifecycle. This also renders the\nfix in [1] obsolete, so revert it.\n\n[1] commit c2dbe32d5db5 (\"sched/psi: Fix use-after-free in ep_remove_wait_queue()\")"}], "id": "CVE-2023-54019", "lastModified": "2025-12-24T11:15:54.903", "metrics": {}, "published": "2025-12-24T11:15:54.903", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}