From: Hillf Danton
To: syzbot
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [cgroups?] KASAN: slab-use-after-free Read in pressure_write
Date: Sun, 12 Apr 2026 14:50:04 +0800
Message-ID: <20260412065005.1749-1-hdanton@sina.com>
In-Reply-To: <69d779b0.a00a0220.468cb.0018.GAE@google.com>

> Date: Thu, 09 Apr 2026 03:04:32 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    591cd656a1bf Linux 7.0-rc7
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=114a36ba580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=45cb3c58fd963c27
> dashboard link: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16cb33da580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12648bd6580000

#syz test

--- x/kernel/cgroup/cgroup.c
+++ y/kernel/cgroup/cgroup.c
@@ -3995,7 +3995,7 @@ static int cgroup_cpu_pressure_show(stru static ssize_t pressure_write(struct kernfs_open_file *of, char *buf, size_t nbytes, enum psi_res res) { - struct cgroup_file_ctx *ctx = of->priv; + struct cgroup_file_ctx *ctx; struct psi_trigger *new; struct cgroup *cgrp; struct psi_group *psi; @@ -4004,14 +4004,18 @@ static ssize_t pressure_write(struct ker if (!cgrp) return -ENODEV; - cgroup_get(cgrp); - cgroup_kn_unlock(of->kn); - + ctx = of->priv; + if (!ctx) { + cgroup_kn_unlock(of->kn); + return -ENODEV; + } /* Allow only one trigger per file descriptor */ if (ctx->psi.trigger) { - cgroup_put(cgrp); + cgroup_kn_unlock(of->kn); return -EBUSY; } + cgroup_get(cgrp); + cgroup_kn_unlock(of->kn); psi = cgroup_psi(cgrp); new = psi_trigger_create(psi, buf, res, of->file, of); @@ -4019,9 +4023,27 @@ static ssize_t pressure_write(struct ker cgroup_put(cgrp); return PTR_ERR(new); } + cgroup_put(cgrp); + cgrp = cgroup_kn_lock_live(of->kn, false); + if (!cgrp) { + psi_trigger_destroy(new); + return -ENODEV; + } + ctx = of->priv; + if (!ctx) { + cgroup_kn_unlock(of->kn); + psi_trigger_destroy(new); + return -ENODEV; + } + /* Allow only one trigger per file descriptor */ + if (ctx->psi.trigger) { + cgroup_kn_unlock(of->kn); + psi_trigger_destroy(new); + return -EBUSY; + } smp_store_release(&ctx->psi.trigger, new); - cgroup_put(cgrp); + cgroup_kn_unlock(of->kn); return nbytes; } --
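Review bot: the first hunk turns `struct cgroup_file_ctx *ctx = of->priv;` into a bare declaration, leaving `ctx` unset until the later read under `cgroup_kn_lock_live()`, but nothing in the diff states why reading `of->priv` at declaration time, before the lock is taken, was unsafe. Add a one-line comment at the declaration (or a sentence in the patch description) stating the rule this patch relies on, that `of->priv` may only be dereferenced while the lock from `cgroup_kn_lock_live()` is held, so the next reader sees the ownership rule rather than an unexplained reordering.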
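Review bot: the new `if (!ctx)` guard in the second hunk only helps if the path that frees the ctx also sets `of->priv` to NULL while holding the same lock that `cgroup_kn_lock_live()` takes; neither is visible in this diff, so the patch description should name that release path, otherwise the guard still dereferences whatever stale pointer `of->priv` holds. The reordering itself looks right: the `ctx->psi.trigger` check now runs before `cgroup_get()`, and each early return taken under the lock pairs with `cgroup_kn_unlock()`, which is why the old `cgroup_put()` on the -EBUSY path is correctly gone. One nit: the `/* Allow only one trigger per file descriptor */` comment now sits above a check that the third hunk repeats after the lock has been dropped, so say here that this is only an early-out and that the authoritative check is the one made after `psi_trigger_create()`.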
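Review bot: in the third hunk every failure after re-taking the lock (`!cgrp`, `!ctx`, `ctx->psi.trigger` already set) has to tear down a fully created trigger with `psi_trigger_destroy(new)`, and the ordering is right: the `!ctx` and -EBUSY paths call `cgroup_kn_unlock(of->kn)` before the destroy, while the `!cgrp` path drops no lock, consistent with the existing `if (!cgrp) return -ENODEV;` at the top of the function that also returns without unlocking. Two things to tighten: the repeated `/* Allow only one trigger per file descriptor */` block is really a re-check because the lock was dropped across `psi_trigger_create()`, so the comment should say so and note that losing the race costs one create/destroy cycle (the reason the first check in the previous hunk is worth keeping); and the `cgroup_put(cgrp)` placed right before `cgrp = cgroup_kn_lock_live(of->kn, false)` drops the reference that kept `cgrp` alive across the unlocked window, so a one-line comment that only the freshly looked-up `cgrp` is used from this point would keep a reader from mistaking it for a put-before-use.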