Unverified Commit 07712db8 authored by Nicholas Carlini, committed by Christian Brauner

eventpoll: defer struct eventpoll free to RCU grace period
In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
eventpoll struct while it is still being used by another concurrent thread.
Defer the kfree() to an RCU callback to prevent UAF.

Fixes: f2e467a4 ("eventpoll: Fix semi-unbounded recursion")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
parent 1635c2ac
+5 −1
@@ -226,6 +226,9 @@ struct eventpoll {
	 */
	refcount_t refcount;

	/* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */
	struct rcu_head rcu;

#ifdef CONFIG_NET_RX_BUSY_POLL
	/* used to track busy poll napi_id */
	unsigned int napi_id;
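Review bot: the new comment above `struct rcu_head rcu;` names only ep_get_upwards_depth_proc() as the reason for deferring the free, but once the object goes through kfree_rcu() every RCU-side reader of epi->ep depends on this field, so the comment should state the general rule rather than one caller, e.g. "freed via kfree_rcu(); readers that reach this struct through epi->ep under rcu_read_lock() must only touch fields that ep_free() leaves intact". That tells whoever adds the next RCU walker what they are allowed to read, which the current wording does not.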
@@ -819,7 +822,8 @@ static void ep_free(struct eventpoll *ep)
	mutex_destroy(&ep->mtx);
	free_uid(ep->user);
	wakeup_source_unregister(ep->ws);
	kfree(ep);
	/* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */
	kfree_rcu(ep, rcu);
}

/*
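Review bot: kfree_rcu(ep, rcu) defers only the memory release; mutex_destroy(&ep->mtx), free_uid(ep->user) and wakeup_source_unregister(ep->ws) still run synchronously just before it, so a reader that dereferences epi->ep during the grace period sees an eventpoll whose mutex, user and wakeup source are already torn down. The change is therefore correct only if ep_get_upwards_depth_proc() reads just the fields that survive this teardown and does so inside an rcu_read_lock() section that spans the whole walk. The added comment should say both things, e.g. `/* ep_get_upwards_depth_proc() may still read epi->ep under rcu_read_lock(); only the memory is deferred, ep->mtx/user/ws are already gone */`, and the commit message could note that the reader's RCU read-side critical section was checked, since that is the precondition that makes kfree_rcu() sufficient here.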