CVE-2023-54019
Description
In the Linux kernel, the following vulnerability has been resolved:
sched/psi: use kernfs polling functions for PSI trigger polling
Destroying psi trigger in cgroup_file_release causes UAF issues when a cgroup is removed from under a polling process. This is happening because cgroup removal causes a call to cgroup_file_release while the actual file is still alive. Destroying the trigger at this point would also destroy its waitqueue head and if there is still a polling process on that file accessing the waitqueue, it will step on the freed pointer:
do_select vfs_poll do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy wake_up_pollfree(&t->event_wait) // vfs_poll is unblocked synchronize_rcu kfree(t) poll_freewait -> UAF access to the trigger's waitqueue head
Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), however the same issue exists for synchronous poll() case. The root cause of this issue is that the lifecycles of the psi trigger's waitqueue and of the file associated with the trigger are different. Fix this by using kernfs_generic_poll function when polling on cgroup-specific psi triggers. It internally uses kernfs_open_node->poll waitqueue head with its lifecycle tied to the file's lifecycle. This also renders the fix in [1] obsolete, so revert it.
[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()")
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in Linux kernel's PSI trigger polling allows local attackers to corrupt memory when a cgroup is removed while a process polls on its pressure file.
Root
Cause
The vulnerability resides in the Linux kernel's PSI (Pressure Stall Information) subsystem. When a cgroup is removed, the kernel calls cgroup_file_release, which destroys the PSI trigger associated with the pressure file. However, if a userspace process is actively polling (via poll() or epoll()) on that file, the trigger's waitqueue head is freed while the polling process still holds a reference to it. This leads to a use-after-free condition when the polling process later accesses the waitqueue [1].
Exploitation
An attacker with local access to a system can trigger this by creating a cgroup, opening its memory.pressure or cpu.pressure file, and initiating a polling operation (e.g., using poll() or select()). Simultaneously, the attacker removes the cgroup. The kernel will free the PSI trigger's waitqueue while the polling process is still blocked on it, causing a use-after-free when the poll completes [2]. No special privileges are required beyond the ability to create and remove cgroups.
Impact
A successful exploit results in a use-after-free condition, which can lead to memory corruption, kernel crashes (denial of service), or potentially arbitrary code execution in the kernel context. The severity is high, as it allows a local unprivileged user to compromise system stability or escalate privileges.
Mitigation
The fix is included in Linux kernel stable releases. It replaces the PSI trigger's own waitqueue with the kernfs file's waitqueue, whose lifecycle is tied to the file's open count, thus avoiding the race condition. The previous partial fix (commit c2dbe32d5db5) has been reverted as obsolete [1]. Users should update to a patched kernel version.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
392cc0153324bd124ab17024caff037078ecaVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.