fs/eventpoll.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-)
syzbot reports a slab-use-after-free read in
clear_tfile_check_list() during EPOLL_CTL_ADD when ep_insert()
takes an error path that calls ep_remove() before
do_epoll_ctl_file() drains ctx->tfile_check_list.
ep_remove_file() decides whether to kmem_cache_free() a struct
epitems_head by testing v->next == NULL, on the convention that
NULL means "this head is not linked on any check list".
list_file() pushes a head onto ctx->tfile_check_list by storing
the previous list head into head->next; when the list is empty
that store is NULL, so the head that ends up at the tail of the
check list also has next == NULL. ep_remove_file() then misreads
the tail as "not linked" and frees it. clear_tfile_check_list()
later walks the list and dereferences head->next on the freed
object:
BUG: KASAN: slab-use-after-free in
clear_tfile_check_list+0x114/0x380 fs/eventpoll.c:2443
Allocated by task 5985:
ep_attach_file fs/eventpoll.c:1751 [inline]
ep_register_epitem fs/eventpoll.c:1833 [inline]
ep_insert+0x512/0x1820 fs/eventpoll.c:1876
Freed by task 5985:
ep_remove+0x155/0x2a0 fs/eventpoll.c:1135
ep_insert+0x1372/0x1820
Terminate ctx->tfile_check_list with a non-NULL sentinel
(EP_TFILE_LIST_END) so that next == NULL unambiguously means
"not on any check list". list_file() stores the sentinel when
the list is empty, reverse_path_check() and
clear_tfile_check_list() stop the walk on the sentinel, and
do_epoll_ctl_file() seeds ctx->tfile_check_list with it. The
guard in ep_remove_file() then correctly refuses to free a head
while it remains on the check list.
Reported-by: syzbot+69a3d7738ad3aa175caf@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=69a3d7738ad3aa175caf
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/eventpoll.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index a569e98d4a99..349d79e8ddc8 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -222,6 +222,15 @@
#define EP_UNACTIVE_PTR ((void *) -1L)
+/* Non-NULL sentinel terminating ctx->tfile_check_list, so that
+ * "head->next == NULL" unambiguously means "this head is not on any
+ * check list" -- the invariant ep_remove_file() and list_file() rely
+ * on. Without this, the tail of the check list aliases the
+ * "not linked" state and ep_remove_file() may free a head that
+ * clear_tfile_check_list() still references.
+ */
+#define EP_TFILE_LIST_END ((struct epitems_head *)EP_UNACTIVE_PTR)
+
#define EP_ITEM_COST (sizeof(struct epitem) + sizeof(struct eppoll_entry))
/* Wait structure used by the poll hooks */
@@ -472,7 +481,7 @@ static void list_file(struct file *file, struct ep_ctl_ctx *ctx)
head = container_of(file->f_ep, struct epitems_head, epitems);
if (!head->next) {
- head->next = ctx->tfile_check_list;
+ head->next = ctx->tfile_check_list ? : EP_TFILE_LIST_END;
ctx->tfile_check_list = head;
}
}
@@ -1685,7 +1694,7 @@ static int reverse_path_check(struct ep_ctl_ctx *ctx)
{
struct epitems_head *p;
- for (p = ctx->tfile_check_list; p; p = p->next) {
+ for (p = ctx->tfile_check_list; p != EP_TFILE_LIST_END; p = p->next) {
int error;
path_count_init(ctx);
rcu_read_lock();
@@ -2438,11 +2447,12 @@ static int ep_loop_check(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
static void clear_tfile_check_list(struct ep_ctl_ctx *ctx)
{
rcu_read_lock();
- while (ctx->tfile_check_list) {
+ while (ctx->tfile_check_list != EP_TFILE_LIST_END) {
struct epitems_head *head = ctx->tfile_check_list;
ctx->tfile_check_list = head->next;
unlist_file(head);
}
+ ctx->tfile_check_list = NULL;
rcu_read_unlock();
}
@@ -2601,7 +2611,7 @@ int do_epoll_ctl_file(struct file *f, int op, struct epoll_key *tf,
int full_check;
struct eventpoll *ep;
struct epitem *epi;
- struct ep_ctl_ctx ctx = { };
+ struct ep_ctl_ctx ctx = {.tfile_check_list = EP_TFILE_LIST_END };
/* The target file descriptor must support poll */
if (!file_can_poll(tf->file))
--
2.43.0© 2016 - 2026 Red Hat, Inc.