Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux

eventpoll: defer struct eventpoll free to RCU grace period

In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
eventpoll struct while it is still being used by another concurrent thread.
Defer the kfree() to an RCU callback to prevent UAF.

Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

authored by Nicholas Carlini and committed by Christian Brauner
07712db8 1635c2ac

+5 -1
fs/eventpoll.c
··· 226 226 */ 227 227 refcount_t refcount; 228 228 229 + /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */ 230 + struct rcu_head rcu; 231 + 229 232 #ifdef CONFIG_NET_RX_BUSY_POLL 230 233 /* used to track busy poll napi_id */ 231 234 unsigned int napi_id; ··· 822 819 mutex_destroy(&ep->mtx); 823 820 free_uid(ep->user); 824 821 wakeup_source_unregister(ep->ws); 825 - kfree(ep); 822 + /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */ 823 + kfree_rcu(ep, rcu); 826 824 } 827 825 828 826 /*
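Review bot: in the struct eventpoll hunk, the new `struct rcu_head rcu;` comment names only ep_get_upwards_depth_proc() as the reader it protects, but the actual lifetime rule this patch introduces is broader: any path that dereferences epi->ep without holding a reference or ep->mtx must now sit inside an RCU read-side critical section, and a future reader added outside one would silently reintroduce the UAF. Suggest stating that contract in the comment, e.g. "freed via kfree_rcu(); lockless readers of epi->ep must be under rcu_read_lock()", so the rule survives a rename of the depth-walk function.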
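Review bot: in the ep_free() hunk, `kfree_rcu(ep, rcu)` only defers the memory release; `mutex_destroy(&ep->mtx)`, `free_uid(ep->user)` and `wakeup_source_unregister(ep->ws)` still run before the grace period, so a concurrent RCU reader that does anything beyond reading plain fields (taking ep->mtx, touching ep->user or ep->ws) would operate on already-torn-down state. The fix is sound only if the racing walk reads fields alone; please say so explicitly in the commit message (it currently only mentions "another concurrent thread"), and if a reader ever needs more, move the whole teardown into a call_rcu() callback rather than just the kfree().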