1. Patchew
  2. linux
  3. View series

[PATCH v2] eventpoll: fix use-after-free in clear_tfile_check_list()

Deepanshu Kartikey posted 1 patch 1 week, 3 days ago
There is a newer version of this series
fs/eventpoll.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
[PATCH v2] eventpoll: fix use-after-free in clear_tfile_check_list()
Posted by Deepanshu Kartikey 1 week, 3 days ago 
syzbot reports a slab-use-after-free read in clear_tfile_check_list()
during EPOLL_CTL_ADD when ep_insert() takes an error path that calls
ep_remove() before do_epoll_ctl_file() drains ctx->tfile_check_list.

ep_remove_file() decides whether to kmem_cache_free() a struct
epitems_head by testing v->next == NULL, on the convention that NULL
means "this head is not linked on any check list". list_file() pushes
a head onto ctx->tfile_check_list by storing the previous list head
into head->next; when the list is empty that store is NULL, so the
head that ends up at the tail of the check list also has next == NULL.
ep_remove_file() then misreads the tail as "not linked" and frees it.
clear_tfile_check_list() later walks the list and dereferences
head->next on the freed object:

  BUG: KASAN: slab-use-after-free in
       clear_tfile_check_list+0x114/0x380 fs/eventpoll.c:2443
  Allocated by task 5985:
    ep_attach_file fs/eventpoll.c:1751 [inline]
    ep_register_epitem fs/eventpoll.c:1833 [inline]
    ep_insert+0x512/0x1820 fs/eventpoll.c:1876
  Freed by task 5985:
    ep_remove+0x155/0x2a0 fs/eventpoll.c:1135
    ep_insert+0x1372/0x1820

Terminate ctx->tfile_check_list with EP_UNACTIVE_PTR (the existing
non-NULL sentinel used elsewhere in this file for inactive list
slots) so that next == NULL unambiguously means "not on any check
list". list_file() stores the sentinel when the list is empty,
reverse_path_check() and clear_tfile_check_list() stop the walk on
the sentinel, and do_epoll_ctl_file() seeds ctx->tfile_check_list
with it. The guard in ep_remove_file() then correctly refuses to
free a head while it remains on the check list.

Reported-by: syzbot+69a3d7738ad3aa175caf@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=69a3d7738ad3aa175caf
Link: https://lore.kernel.org/all/20260523091107.61880-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
v2: Reuse the existing EP_UNACTIVE_PTR sentinel instead of adding a
    new EP_TFILE_LIST_END define, per review feedback.
---
 fs/eventpoll.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index a569e98d4a99..2fc3b14d7ab2 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -472,7 +472,13 @@ static void list_file(struct file *file, struct ep_ctl_ctx *ctx)
 
 	head = container_of(file->f_ep, struct epitems_head, epitems);
 	if (!head->next) {
-		head->next = ctx->tfile_check_list;
+		/*
+		 * Terminate the check list with EP_UNACTIVE_PTR (non-NULL)
+		 * so that head->next == NULL unambiguously means "not on
+		 * any check list". ep_remove_file() relies on that
+		 * invariant to decide whether the head is safe to free.
+		 */
+		head->next = ctx->tfile_check_list ? : (struct epitems_head *)EP_UNACTIVE_PTR;
 		ctx->tfile_check_list = head;
 	}
 }
@@ -1685,7 +1691,7 @@ static int reverse_path_check(struct ep_ctl_ctx *ctx)
 {
 	struct epitems_head *p;
 
-	for (p = ctx->tfile_check_list; p; p = p->next) {
+	for (p = ctx->tfile_check_list; p != (struct epitems_head *)EP_UNACTIVE_PTR; p = p->next) {
 		int error;
 		path_count_init(ctx);
 		rcu_read_lock();
@@ -2438,11 +2444,12 @@ static int ep_loop_check(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
 static void clear_tfile_check_list(struct ep_ctl_ctx *ctx)
 {
 	rcu_read_lock();
-	while (ctx->tfile_check_list) {
+	while (ctx->tfile_check_list != (struct epitems_head *)EP_UNACTIVE_PTR) {
 		struct epitems_head *head = ctx->tfile_check_list;
 		ctx->tfile_check_list = head->next;
 		unlist_file(head);
 	}
+	ctx->tfile_check_list = (struct epitems_head *)EP_UNACTIVE_PTR;
 	rcu_read_unlock();
 }
 
@@ -2601,7 +2608,8 @@ int do_epoll_ctl_file(struct file *f, int op, struct epoll_key *tf,
 	int full_check;
 	struct eventpoll *ep;
 	struct epitem *epi;
-	struct ep_ctl_ctx ctx = { };
+	struct ep_ctl_ctx ctx = {.tfile_check_list =
+				 (struct epitems_head *)EP_UNACTIVE_PTR };
 
 	/* The target file descriptor must support poll */
 	if (!file_can_poll(tf->file))
-- 
2.43.0
Re: [PATCH v2] eventpoll: fix use-after-free in clear_tfile_check_list()
Posted by Christian Brauner 1 week, 3 days ago 
On Fri, May 29, 2026 at 09:55:07AM +0530, Deepanshu Kartikey wrote:
> syzbot reports a slab-use-after-free read in clear_tfile_check_list()
> during EPOLL_CTL_ADD when ep_insert() takes an error path that calls
> ep_remove() before do_epoll_ctl_file() drains ctx->tfile_check_list.
> 
> ep_remove_file() decides whether to kmem_cache_free() a struct
> epitems_head by testing v->next == NULL, on the convention that NULL
> means "this head is not linked on any check list". list_file() pushes
> a head onto ctx->tfile_check_list by storing the previous list head
> into head->next; when the list is empty that store is NULL, so the
> head that ends up at the tail of the check list also has next == NULL.
> ep_remove_file() then misreads the tail as "not linked" and frees it.
> clear_tfile_check_list() later walks the list and dereferences
> head->next on the freed object:
> 
>   BUG: KASAN: slab-use-after-free in
>        clear_tfile_check_list+0x114/0x380 fs/eventpoll.c:2443
>   Allocated by task 5985:
>     ep_attach_file fs/eventpoll.c:1751 [inline]
>     ep_register_epitem fs/eventpoll.c:1833 [inline]
>     ep_insert+0x512/0x1820 fs/eventpoll.c:1876
>   Freed by task 5985:
>     ep_remove+0x155/0x2a0 fs/eventpoll.c:1135
>     ep_insert+0x1372/0x1820
> 
> Terminate ctx->tfile_check_list with EP_UNACTIVE_PTR (the existing
> non-NULL sentinel used elsewhere in this file for inactive list
> slots) so that next == NULL unambiguously means "not on any check
> list". list_file() stores the sentinel when the list is empty,
> reverse_path_check() and clear_tfile_check_list() stop the walk on
> the sentinel, and do_epoll_ctl_file() seeds ctx->tfile_check_list
> with it. The guard in ep_remove_file() then correctly refuses to
> free a head while it remains on the check list.
> 
> Reported-by: syzbot+69a3d7738ad3aa175caf@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=69a3d7738ad3aa175caf
> Link: https://lore.kernel.org/all/20260523091107.61880-1-kartikey406@gmail.com/T/ [v1]
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
> v2: Reuse the existing EP_UNACTIVE_PTR sentinel instead of adding a
>     new EP_TFILE_LIST_END define, per review feedback.
> ---
>  fs/eventpoll.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/eventpoll.c b/fs/eventpoll.c
> index a569e98d4a99..2fc3b14d7ab2 100644
> --- a/fs/eventpoll.c
> +++ b/fs/eventpoll.c
> @@ -472,7 +472,13 @@ static void list_file(struct file *file, struct ep_ctl_ctx *ctx)
>  
>  	head = container_of(file->f_ep, struct epitems_head, epitems);
>  	if (!head->next) {
> -		head->next = ctx->tfile_check_list;
> +		/*
> +		 * Terminate the check list with EP_UNACTIVE_PTR (non-NULL)
> +		 * so that head->next == NULL unambiguously means "not on
> +		 * any check list". ep_remove_file() relies on that
> +		 * invariant to decide whether the head is safe to free.
> +		 */
> +		head->next = ctx->tfile_check_list ? : (struct epitems_head *)EP_UNACTIVE_PTR;

I'm still confused why all the casts are needed...
Re: [PATCH v2] eventpoll: fix use-after-free in clear_tfile_check_list()
Posted by Deepanshu Kartikey 1 week, 2 days ago 
On Fri, May 29, 2026 at 1:15 PM Christian Brauner <brauner@kernel.org> wrote:
>
> I'm still confused why all the casts are needed...

I have sent patch v3.

Thanks

Deepanshu

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.