Date: Sat, 4 Apr 2026 22:47:42 -0400
From: Rik van Riel
To: linux-kernel@vger.kernel.org
Cc: kernel-team@meta.com, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Steven Rostedt
Subject: [PATCH] sched/cpuacct: fix use-after-free in cpuacct_account_field()
Message-ID: <20260404224742.56d8df3e@fangorn>
X-Mailer: Claws Mail 4.3.1 (GTK 3.24.49; x86_64-redhat-linux-gnu)

cpuacct_css_free() calls free_percpu() on ca->cpustat and ca->cpuusage, then kfree(ca). However, a timer interrupt on another CPU can concurrently access this data through cpuacct_account_field(), which walks the cpuacct hierarchy via task_ca()/parent_ca() and performs __this_cpu_add(ca->cpustat->cpustat[index], val).

The race window exists because put_css_set_locked() drops the CSS reference (css_put) before the css_set is RCU-freed (kfree_rcu). This means the CSS percpu_ref can reach zero and trigger the css_free chain while readers obtained the CSS pointer from the old css_set that is still visible via RCU.

Although css_free_rwork_fn is already called after one RCU grace period, the css_set -> CSS reference drop in put_css_set_locked() creates a window where the CSS free chain races with readers still holding the old css_set reference.

With KASAN enabled, free_percpu() unmaps shadow pages, so the KASAN-instrumented __this_cpu_add hits an unmapped shadow page (PMD=0), causing a page fault in IRQ context that cascades into an IRQ stack overflow.

Fix this by deferring the actual freeing of percpu data and the cpuacct struct to an RCU callback via call_rcu(), ensuring that all concurrent readers in RCU read-side critical sections (including timer tick handlers) have completed before the memory is freed.

Found in an AI-driven syzkaller run. The bug did not repeat in the 14 hours since this patch was applied.
Signed-off-by: Rik van Riel
Assisted-by: Claude:claude-opus-4.6 syzkaller
Fixes: 3eba0505d03a ("sched/cpuacct: Remove redundant RCU read lock")
Cc: stable@kernel.org
---
 kernel/sched/cpuacct.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/kernel/sched/cpuacct.c b/kernel/sched/cpuacct.c index ca9d52cb1ebb..b6e7b34de616 100644 --- a/kernel/sched/cpuacct.c +++ b/kernel/sched/cpuacct.c @@ -28,6 +28,7 @@ struct cpuacct { /* cpuusage holds pointer to a u64-type object on every CPU */ u64 __percpu *cpuusage; struct kernel_cpustat __percpu *cpustat; + struct rcu_head rcu; }; static inline struct cpuacct *css_ca(struct cgroup_subsys_state *css) @@ -84,15 +85,22 @@ cpuacct_css_alloc(struct cgroup_subsys_state *parent_css) } /* Destroy an existing CPU accounting group */ -static void cpuacct_css_free(struct cgroup_subsys_state *css) +static void cpuacct_free_rcu(struct rcu_head *rcu) { - struct cpuacct *ca = css_ca(css); + struct cpuacct *ca = container_of(rcu, struct cpuacct, rcu); free_percpu(ca->cpustat); free_percpu(ca->cpuusage); kfree(ca); } +static void cpuacct_css_free(struct cgroup_subsys_state *css) +{ + struct cpuacct *ca = css_ca(css); + + call_rcu(&ca->rcu, cpuacct_free_rcu); +} + static u64 cpuacct_cpuusage_read(struct cpuacct *ca, int cpu, enum cpuacct_stat_index index) { -- 2.52.0
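Review bot: the new `struct rcu_head rcu;` member in the first hunk (struct cpuacct, @@ -28,6 +28,7 @@) lands without a comment while its neighbour `cpuusage` carries one; a one-liner such as `/* defers freeing of cpustat/cpuusage until RCU readers are done */` would tie the field to its single user and make it obvious that the struct must never be kfree()'d directly. The hunk also adds no include for `struct rcu_head`/call_rcu(), so it relies on linux/rcupdate.h already reaching cpuacct.c transitively; worth confirming on the configs that stable will build.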
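Review bot: the second hunk (@@ -84,15 +85,22 @@) is only a complete fix if every reader of ca->cpustat and ca->cpuusage runs inside an RCU read-side critical section, and the Fixes: tag points at the commit that removed the explicit rcu_read_lock() from this file, so the readers now depend on implicit protection (the timer tick named in the commit message runs in hardirq context, which RCU does treat as a read-side section). A short comment above `call_rcu(&ca->rcu, cpuacct_free_rcu);` stating that assumption would protect the next change to cpuacct_account_field() or to the task_ca()/parent_ca() walk from silently breaking it. The move of free_percpu() into the callback is fine, as free_percpu() may be called from atomic context, and the `container_of(rcu, struct cpuacct, rcu)` matches the field added in the first hunk.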