{"id":"CVE-2025-39881","summary":"kernfs: Fix UAF in polling when open file is released","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Fix UAF in polling when open file is released\n\nA use-after-free (UAF) vulnerability was identified in the PSI (Pressure\nStall Information) monitoring mechanism:\n\nBUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140\nRead of size 8 at addr ffff3de3d50bd308 by task systemd/1\n\npsi_trigger_poll+0x3c/0x140\ncgroup_pressure_poll+0x70/0xa0\ncgroup_file_poll+0x8c/0x100\nkernfs_fop_poll+0x11c/0x1c0\nep_item_poll.isra.0+0x188/0x2c0\n\nAllocated by task 1:\ncgroup_file_open+0x88/0x388\nkernfs_fop_open+0x73c/0xaf0\ndo_dentry_open+0x5fc/0x1200\nvfs_open+0xa0/0x3f0\ndo_open+0x7e8/0xd08\npath_openat+0x2fc/0x6b0\ndo_filp_open+0x174/0x368\n\nFreed by task 8462:\ncgroup_file_release+0x130/0x1f8\nkernfs_drain_open_files+0x17c/0x440\nkernfs_drain+0x2dc/0x360\nkernfs_show+0x1b8/0x288\ncgroup_file_show+0x150/0x268\ncgroup_pressure_write+0x1dc/0x340\ncgroup_file_write+0x274/0x548\n\nReproduction Steps:\n1. Open test/cpu.pressure and establish epoll monitoring\n2. Disable monitoring: echo 0 \u003e test/cgroup.pressure\n3. Re-enable monitoring: echo 1 \u003e test/cgroup.pressure\n\nThe race condition occurs because:\n1. When cgroup.pressure is disabled (echo 0 \u003e cgroup.pressure), it:\n   - Releases PSI triggers via cgroup_file_release()\n   - Frees of-\u003epriv through kernfs_drain_open_files()\n2. While epoll still holds reference to the file and continues polling\n3. Re-enabling (echo 1 \u003e cgroup.pressure) accesses freed of-\u003epriv\n\nepolling\t\t\tdisable/enable cgroup.pressure\nfd=open(cpu.pressure)\nwhile(1)\n...\nepoll_wait\nkernfs_fop_poll\nkernfs_get_active = true\techo 0 \u003e cgroup.pressure\n...\t\t\t\tcgroup_file_show\n\t\t\t\tkernfs_show\n\t\t\t\t// inactive kn\n\t\t\t\tkernfs_drain_open_files\n\t\t\t\tcft-\u003erelease(of);\n\t\t\t\tkfree(ctx);\n\t\t\t\t...\nkernfs_get_active = false\n\t\t\t\techo 1 \u003e cgroup.pressure\n\t\t\t\tkernfs_show\n\t\t\t\tkernfs_activate_one(kn);\nkernfs_fop_poll\nkernfs_get_active = true\ncgroup_file_poll\npsi_trigger_poll\n// UAF\n...\nend: close(fd)\n\nTo address this issue, introduce kernfs_get_active_of() for kernfs open\nfiles to obtain active references. This function will fail if the open file\nhas been released. Replace kernfs_get_active() with kernfs_get_active_of()\nto prevent further operations on released file descriptors.","modified":"2026-03-20T12:43:05.531846Z","published":"2025-09-23T06:00:50.496Z","related":["ALSA-2025:19469","MGASA-2025-0309","MGASA-2025-0310","SUSE-SU-2025:21040-1","SUSE-SU-2025:21052-1","SUSE-SU-2025:21056-1","SUSE-SU-2025:21064-1","SUSE-SU-2025:21080-1","SUSE-SU-2025:21147-1","SUSE-SU-2025:21180-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4128-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4140-1","SUSE-SU-2025:4141-1","SUSE-SU-2025:4301-1","openSUSE-SU-2025:20091-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39881.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/34d9cafd469c69ad85e6a36b4303c78382cf5c79"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e64474aba78d240f7804f48f2d454dcca78b15f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/854baafc00c433cccbe0ab4231b77aeb9b637b77"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ac5cda4fae8818cf1963317bb699f7f2f85b60af"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39881.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39881"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"34f26a15611afb03c33df6819359d36f5b382589"},{"fixed":"34d9cafd469c69ad85e6a36b4303c78382cf5c79"},{"fixed":"854baafc00c433cccbe0ab4231b77aeb9b637b77"},{"fixed":"7e64474aba78d240f7804f48f2d454dcca78b15f"},{"fixed":"ac5cda4fae8818cf1963317bb699f7f2f85b60af"},{"fixed":"3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39881.json"}}],"schema_version":"1.7.5"}