From patchwork Tue Mar  2 19:56:37 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tim Gardner <tim.gardner@canonical.com>
X-Patchwork-Id: 1446236
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4Dqnvn2DJ5z9sRf;
	Wed,  3 Mar 2021 06:56:53 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1lHB8U-0000Zx-I1; Tue, 02 Mar 2021 19:56:50 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <tim.gardner@canonical.com>) id 1lHB8S-0000ZO-HY
 for kernel-team@lists.ubuntu.com; Tue, 02 Mar 2021 19:56:48 +0000
Received: from mail-pg1-f197.google.com ([209.85.215.197])
 by youngberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <tim.gardner@canonical.com>) id 1lHB8S-0007UJ-4q
 for kernel-team@lists.ubuntu.com; Tue, 02 Mar 2021 19:56:48 +0000
Received: by mail-pg1-f197.google.com with SMTP id l2so12438150pgi.5
 for <kernel-team@lists.ubuntu.com>; Tue, 02 Mar 2021 11:56:48 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=1W5cCUVaXeEGVImziVA4gRPdk3ryAeo2gwfdWVqLmgI=;
 b=bQW4bLR5CbyzP00ok09Fz4jCtQ/oazQbc3aOdb6N9C5XSDWLqSkRlUHKKTMxuLi2XZ
 MpPi8MGR2kXXwYAQIndo/tH89pxp+P8P5WvBDZoZPl3pF0F9m9FxEQ64069eVCAnrp1r
 Y8zzZVfP+FG6vwNEdVueZVq/vJC4XNc6p6TDnsyVM6mJitgSPaRqlXHsoWIkQ5XPvsem
 XIIGnZQvnIAGcGsFymxNFig0qx7MdiXwzxLLWB1+D/kNmELSIiQINSVXeTNsb7Qbzj0n
 decb0d6QDkcncKEXHegKZlpVTji7y3oAbMZnQDs70bqMJM9ePevSdVEyG/blh0L7NEAN
 LGDw==
X-Gm-Message-State: AOAM531jCilTilvQjg9Gfln9Dba8f6mmZYnJAvBmGSGZhfoANtrBJkK2
 QSJEXozRqYZO6y7vVG7qFnORG7MtUTpZExPQsYVt/JFiSmv4vvezSq8FL4PaoCWZrdnz8V5GvQJ
 ndjttC4sJqmCiztXdaAATwgX3mKEeMP8lIfA5V9e8Aw==
X-Received: by 2002:a17:90a:aa05:: with SMTP id
 k5mr6072075pjq.106.1614715006419;
 Tue, 02 Mar 2021 11:56:46 -0800 (PST)
X-Google-Smtp-Source: 
 ABdhPJxgpIxfQ1cOm8q6vt/6ae4WfnwyL0uF28bZccjbXajOCzGZU1JpvrUpF2pcRIMcZSuDlMX37g==
X-Received: by 2002:a17:90a:aa05:: with SMTP id
 k5mr6072063pjq.106.1614715006184;
 Tue, 02 Mar 2021 11:56:46 -0800 (PST)
Received: from localhost.localdomain ([69.163.84.166])
 by smtp.gmail.com with ESMTPSA id q66sm3257118pja.27.2021.03.02.11.56.45
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 02 Mar 2021 11:56:45 -0800 (PST)
From: Tim Gardner <tim.gardner@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/3] epoll: Keep a reference on files added to the check list
Date: Tue,  2 Mar 2021 12:56:37 -0700
Message-Id: <20210302195639.12604-2-tim.gardner@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210302195639.12604-1-tim.gardner@canonical.com>
References: <20210302195639.12604-1-tim.gardner@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Marc Zyngier <maz@kernel.org>

CVE-2020-0466

commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 upstream.

When adding a new fd to an epoll, and that this new fd is an
epoll fd itself, we recursively scan the fds attached to it
to detect cycles, and add non-epool files to a "check list"
that gets subsequently parsed.

However, this check list isn't completely safe when deletions
can happen concurrently. To sidestep the issue, make sure that
a struct file placed on the check list sees its f_count increased,
ensuring that a concurrent deletion won't result in the file
disapearing from under our feet.

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

(back ported from commit b158e91610c76c5d9c61c4e990d56405b62bf05a linux-5.4.y)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 fs/eventpoll.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index f5a481089893..1676b8b25074 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1972,9 +1972,11 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
 			 * not already there, and calling reverse_path_check()
 			 * during ep_insert().
 			 */
-			if (list_empty(&epi->ffd.file->f_tfile_llink))
+			if (list_empty(&epi->ffd.file->f_tfile_llink)) {
+				get_file(epi->ffd.file);
 				list_add(&epi->ffd.file->f_tfile_llink,
 					 &tfile_check_list);
+			}
 		}
 	}
 	mutex_unlock(&ep->mtx);
@@ -2018,6 +2020,7 @@ static void clear_tfile_check_list(void)
 		file = list_first_entry(&tfile_check_list, struct file,
 					f_tfile_llink);
 		list_del_init(&file->f_tfile_llink);
+		fput(file);
 	}
 	INIT_LIST_HEAD(&tfile_check_list);
 }
@@ -2182,9 +2185,11 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
 					clear_tfile_check_list();
 					goto error_tgt_fput;
 				}
-			} else
+			} else {
+				get_file(tf.file);
 				list_add(&tf.file->f_tfile_llink,
 							&tfile_check_list);
+			}
 			error = epoll_mutex_lock(&ep->mtx, 0, nonblock);
 			if (error) {
 out_del:

From patchwork Tue Mar  2 19:56:38 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tim Gardner <tim.gardner@canonical.com>
X-Patchwork-Id: 1446237
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4Dqnvq0ZzHz9sSC;
	Wed,  3 Mar 2021 06:56:55 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1lHB8V-0000bI-Uz; Tue, 02 Mar 2021 19:56:51 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <tim.gardner@canonical.com>) id 1lHB8T-0000Zm-Lg
 for kernel-team@lists.ubuntu.com; Tue, 02 Mar 2021 19:56:49 +0000
Received: from mail-pf1-f198.google.com ([209.85.210.198])
 by youngberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <tim.gardner@canonical.com>) id 1lHB8T-0007UT-8v
 for kernel-team@lists.ubuntu.com; Tue, 02 Mar 2021 19:56:49 +0000
Received: by mail-pf1-f198.google.com with SMTP id f17so14050621pfj.3
 for <kernel-team@lists.ubuntu.com>; Tue, 02 Mar 2021 11:56:49 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=RDElAxeF/SDhFO7Cv1w8Ci4WYIyl7tL/0VrbcdcaVao=;
 b=a2N48BoJ0/vHztwH3Sa3dG4W44+Lvu3XDbtcKj4kDY3UUi8BmKDNvV5+8izf2jWH+9
 ZEw8iT9dPbu9mR4Ua6oqO36w5ts6GfTGGOeyGu28zt8/qnkjfUTz/6pmjboU4Wh/fBb9
 0NKdXJgmowy37RBRwn8+48PtnHpmyNzQiRwK9P17Y3lgxL7b9LRET+fpNFNPssbMDhOF
 pMh7ms07X/9ZS3M+die8zmzR08+AtpFAGWGm/M0eI44R715lCiUY38eTSP5a6bW8jHUs
 Z1EN6Bl6eGtSCXklCM5G13VpcOhhDB4AvGX95ddoXCRcIwHHlMB+4C6n9kETqbH8mofn
 Ogzg==
X-Gm-Message-State: AOAM531E3JqnBuZowFrvbwNhHc/sytSyOiGtv6GYYC12Q6NN7e3+9Vv3
 3vMQ6uy6lFwNbaC6/60gui2ajKnYuBSgLV9QJOV2a3H9vmH5H3SJL3lMz6MCRNcirkoHItPZA08
 k4QVoQAlq1QXniv3HmSUAAYwK6xAeP3ElRc0mnPOJYw==
X-Received: by 2002:a17:90a:7e94:: with SMTP id
 j20mr6179888pjl.218.1614715007490;
 Tue, 02 Mar 2021 11:56:47 -0800 (PST)
X-Google-Smtp-Source: 
 ABdhPJz3xPLV/CwdS2hhFHvinn/0RpFIu3J1xTuSYoZkfkvYvj3IgwFAM8DLc1V0dQ2rD2/T49es9w==
X-Received: by 2002:a17:90a:7e94:: with SMTP id
 j20mr6179879pjl.218.1614715007340;
 Tue, 02 Mar 2021 11:56:47 -0800 (PST)
Received: from localhost.localdomain ([69.163.84.166])
 by smtp.gmail.com with ESMTPSA id q66sm3257118pja.27.2021.03.02.11.56.46
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 02 Mar 2021 11:56:46 -0800 (PST)
From: Tim Gardner <tim.gardner@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/3] do_epoll_ctl(): clean the failure exits up a bit
Date: Tue,  2 Mar 2021 12:56:38 -0700
Message-Id: <20210302195639.12604-3-tim.gardner@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210302195639.12604-1-tim.gardner@canonical.com>
References: <20210302195639.12604-1-tim.gardner@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Al Viro <viro@zeniv.linux.org.uk>

CVE-2020-0466

commit 52c479697c9b73f628140dcdfcd39ea302d05482 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 42694912aaf1d7fa426bd02b0b313f05601b6488 linux-5.4.y)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
v2: Added linux-5.4.y to the cherry picked line.
---
 fs/eventpoll.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 1676b8b25074..74fa6dc98c8b 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -2181,10 +2181,8 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
 			full_check = 1;
 			if (is_file_epoll(tf.file)) {
 				error = -ELOOP;
-				if (ep_loop_check(ep, tf.file) != 0) {
-					clear_tfile_check_list();
+				if (ep_loop_check(ep, tf.file) != 0)
 					goto error_tgt_fput;
-				}
 			} else {
 				get_file(tf.file);
 				list_add(&tf.file->f_tfile_llink,
@@ -2222,8 +2220,6 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
 			error = ep_insert(ep, epds, tf.file, fd, full_check);
 		} else
 			error = -EEXIST;
-		if (full_check)
-			clear_tfile_check_list();
 		break;
 	case EPOLL_CTL_DEL:
 		if (epi)
@@ -2246,8 +2242,10 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
 	mutex_unlock(&ep->mtx);
 
 error_tgt_fput:
-	if (full_check)
+	if (full_check) {
+		clear_tfile_check_list();
 		mutex_unlock(&epmutex);
+	}
 
 	fdput(tf);
 error_fput:

From patchwork Tue Mar  2 19:56:39 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tim Gardner <tim.gardner@canonical.com>
X-Patchwork-Id: 1446238
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4Dqnvr17mtz9sRR;
	Wed,  3 Mar 2021 06:56:56 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1lHB8X-0000cW-9Z; Tue, 02 Mar 2021 19:56:53 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <tim.gardner@canonical.com>) id 1lHB8U-0000a7-Pd
 for kernel-team@lists.ubuntu.com; Tue, 02 Mar 2021 19:56:50 +0000
Received: from mail-pl1-f199.google.com ([209.85.214.199])
 by youngberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <tim.gardner@canonical.com>) id 1lHB8U-0007UX-Bz
 for kernel-team@lists.ubuntu.com; Tue, 02 Mar 2021 19:56:50 +0000
Received: by mail-pl1-f199.google.com with SMTP id d11so1429432plc.19
 for <kernel-team@lists.ubuntu.com>; Tue, 02 Mar 2021 11:56:50 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=3YYvIQgeeRnJ9xouNEnSPSqA92lCsI7+juqqXahidGs=;
 b=JdbLFgm8YyKzvZnSD45Vv6E2tgAw548ktvYJFdNxAEWWY+6x+sxGhyRSHy1oiu5kWm
 1/hwNGbV4Wn3Ew0TfdWCg2m5XQdmLumoOh051cPlnaI29IeuySxJe4v+R4a6qyfCkFqG
 jnBIrmr8lKnkCCxuZWWlCoLD6OlpLeBIq9yJoOa2xLbn38iK86ZehXjHtHWHrWFZeRFd
 QUTWHm7ufTCW/UY5OqCCkV9WqzSN6ctGaZ5HnUIi9RSgbRqpAzZXI6j8iYphxngAhTR6
 hFK8VO58Vm+5I7iECVOoPGM7arRugAk5rwcmVGJOVoq2bzmOFsp7HJNLSbhY/cnEkjus
 CW8Q==
X-Gm-Message-State: AOAM530BtY/Cyb5nTOWvZeD1aLVEOP+U4BzpXyX2KxYKsFNofcMPvo97
 NWFuUIa+rqZEYLPfQNTPm316G61spYe9oUddNN3ZhSUosNlhbNKs2TOdavLClceCsTHIN8g2dRB
 udxGNovM11EQRFDMSVreqVU2fejIXi3gDUI0y+y7oCA==
X-Received: by 2002:a17:90b:390b:: with SMTP id
 ob11mr6182200pjb.50.1614715008656;
 Tue, 02 Mar 2021 11:56:48 -0800 (PST)
X-Google-Smtp-Source: 
 ABdhPJxQqOVATPMaXG2Z1KkGo6vxoEApJ3wlUvVFy40MW5RBXNyGuKMoHzsQKqo0HMiPrw/kNS+uIA==
X-Received: by 2002:a17:90b:390b:: with SMTP id
 ob11mr6182189pjb.50.1614715008458;
 Tue, 02 Mar 2021 11:56:48 -0800 (PST)
Received: from localhost.localdomain ([69.163.84.166])
 by smtp.gmail.com with ESMTPSA id q66sm3257118pja.27.2021.03.02.11.56.47
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 02 Mar 2021 11:56:47 -0800 (PST)
From: Tim Gardner <tim.gardner@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 3/3] fix regression in "epoll: Keep a reference on files added
 to the check list"
Date: Tue,  2 Mar 2021 12:56:39 -0700
Message-Id: <20210302195639.12604-4-tim.gardner@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210302195639.12604-1-tim.gardner@canonical.com>
References: <20210302195639.12604-1-tim.gardner@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Al Viro <viro@zeniv.linux.org.uk>

CVE-2020-0466

[ Upstream commit 77f4689de17c0887775bb77896f4cc11a39bf848 ]

epoll_loop_check_proc() can run into a file already committed to destruction;
we can't grab a reference on those and don't need to add them to the set for
reverse path check anyway.

Tested-by: Marc Zyngier <maz@kernel.org>
Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 88405cf0f2bd771670b76c42b169527ff86048da linux-5.4.y)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 fs/eventpoll.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 74fa6dc98c8b..e8730acb3fea 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1973,9 +1973,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
 			 * during ep_insert().
 			 */
 			if (list_empty(&epi->ffd.file->f_tfile_llink)) {
-				get_file(epi->ffd.file);
-				list_add(&epi->ffd.file->f_tfile_llink,
-					 &tfile_check_list);
+				if (get_file_rcu(epi->ffd.file))
+					list_add(&epi->ffd.file->f_tfile_llink,
+						 &tfile_check_list);
 			}
 		}
 	}