1. Patchew
  2. linux
  3. View series

[PATCH] eventpoll: restore EP_UNACTIVE_PTR sentinel for ctx->tfile_check_list

Zhan Wei posted 1 patch 1 week, 2 days ago 
fs/eventpoll.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
[PATCH] eventpoll: restore EP_UNACTIVE_PTR sentinel for ctx->tfile_check_list
Posted by Zhan Wei 1 week, 2 days ago 
Commit e09c77d94003 ("eventpoll: hoist CTL_ADD scratch state into
struct ep_ctl_ctx") moved tfile_check_list from a file-scope global into
the stack-allocated struct ep_ctl_ctx, and in doing so replaced the
EP_UNACTIVE_PTR sentinel with NULL on the grounds that "NULL is the
obvious 'empty' value and zero-init handles it for free", describing the
change as "No functional change". It is not.

epitems_head->next is overloaded with two roles:

  1. the "next" pointer that threads a head onto ctx->tfile_check_list;
  2. a membership flag: ep_remove_file() uses
     !smp_load_acquire(&v->next) to mean "this head is not on any
     pending ctx->tfile_check_list and is therefore safe to free".

Before that change the EP_UNACTIVE_PTR sentinel kept the two roles
disjoint: a head on the list always had a non-NULL ->next (another head,
or the sentinel at the tail), so ->next == NULL was equivalent to "never
listed". With the sentinel gone the list is NULL-terminated, so the tail
head's ->next is NULL as well. ep_remove_file()'s gate can no longer
distinguish "never listed" from "listed at the tail", and misfires on
the tail head.

The reader (reverse_path_check_proc) holds epnested_mutex +
rcu_read_lock; the freer (ep_remove_file) holds ep->mtx + file->f_lock.
The two sides share no mutex -- the sentinel was the invariant the gate
relied on to know it could skip the read side. With it gone,
ep_remove_file() frees the tail head while reverse_path_check_proc() is
still walking it, producing the slab-use-after-free read. The syzbot
reproducer hits this within seconds on a multi-CPU VM.

Restore the sentinel: initialize ctx.tfile_check_list to EP_UNACTIVE_PTR
in do_epoll_ctl_file(), and terminate the walk on "!= EP_UNACTIVE_PTR"
in reverse_path_check() and clear_tfile_check_list(). The tail head's
->next becomes the sentinel again rather than NULL, so
ep_remove_file()'s gate regains its exclusivity and stops misfiring on
the tail. ep_remove_file() itself is unchanged.

This restores the invariant the file-scope tfile_check_list relied on
before that change while preserving the ctx packaging it introduced.

Reported-by: syzbot+e70e1b6cba8714543f7c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e70e1b6cba8714543f7c
Fixes: e09c77d94003 ("eventpoll: hoist CTL_ADD scratch state into struct ep_ctl_ctx")
Suggested-by: Christian Brauner <brauner@kernel.org>
Link: https://lore.kernel.org/all/20260528-rotwild-summt-kuhhandel-7276ef4c33b7@brauner.io/
Signed-off-by: Zhan Wei <zhanwei919@gmail.com>
---
 fs/eventpoll.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index a569e98d4a99..abef3bc48cc4 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -429,7 +429,11 @@ struct ep_ctl_ctx {
 	/*
 	 * Singly-linked list of epitems_head objects collected during
 	 * ep_loop_check_proc(), then walked by reverse_path_check().
-	 * NULL means empty.
+	 * Terminated by EP_UNACTIVE_PTR, not NULL: epitems_head->next
+	 * doubles as a membership flag (a NULL ->next means "not on this
+	 * list", see ep_remove_file()), so the list uses a non-NULL
+	 * sentinel to keep the tail head distinguishable from an unlisted
+	 * one.
 	 */
 	struct epitems_head *tfile_check_list;
 
@@ -1685,7 +1689,7 @@ static int reverse_path_check(struct ep_ctl_ctx *ctx)
 {
 	struct epitems_head *p;
 
-	for (p = ctx->tfile_check_list; p; p = p->next) {
+	for (p = ctx->tfile_check_list; p != EP_UNACTIVE_PTR; p = p->next) {
 		int error;
 		path_count_init(ctx);
 		rcu_read_lock();
@@ -2438,7 +2442,7 @@ static int ep_loop_check(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
 static void clear_tfile_check_list(struct ep_ctl_ctx *ctx)
 {
 	rcu_read_lock();
-	while (ctx->tfile_check_list) {
+	while (ctx->tfile_check_list != EP_UNACTIVE_PTR) {
 		struct epitems_head *head = ctx->tfile_check_list;
 		ctx->tfile_check_list = head->next;
 		unlist_file(head);
@@ -2601,7 +2605,9 @@ int do_epoll_ctl_file(struct file *f, int op, struct epoll_key *tf,
 	int full_check;
 	struct eventpoll *ep;
 	struct epitem *epi;
-	struct ep_ctl_ctx ctx = { };
+	struct ep_ctl_ctx ctx = {
+		.tfile_check_list = EP_UNACTIVE_PTR,
+	};
 
 	/* The target file descriptor must support poll */
 	if (!file_can_poll(tf->file))
-- 
2.43.0
Re: [PATCH] eventpoll: restore EP_UNACTIVE_PTR sentinel for ctx->tfile_check_list
Posted by Christian Brauner 3 days, 21 hours ago 
On Fri, 29 May 2026 22:25:33 +0800, Zhan Wei wrote:
> Commit e09c77d94003 ("eventpoll: hoist CTL_ADD scratch state into
> struct ep_ctl_ctx") moved tfile_check_list from a file-scope global into
> the stack-allocated struct ep_ctl_ctx, and in doing so replaced the
> EP_UNACTIVE_PTR sentinel with NULL on the grounds that "NULL is the
> obvious 'empty' value and zero-init handles it for free", describing the
> change as "No functional change". It is not.
> 
> [...]

Applied to the vfs-7.2.eventpoll branch of the vfs/vfs.git tree.
Patches in the vfs-7.2.eventpoll branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs-7.2.eventpoll

[1/1] eventpoll: restore EP_UNACTIVE_PTR sentinel for ctx->tfile_check_list
      https://git.kernel.org/vfs/vfs/c/a1e9718b406b

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.