4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Aug 2020 08:06:45 +0000 (10:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Aug 2020 08:06:45 +0000 (10:06 +0200)
added patches:
do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch
epoll-keep-a-reference-on-files-added-to-the-check-list.patch

queue-4.4/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch [new file with mode: 0644]
queue-4.4/epoll-keep-a-reference-on-files-added-to-the-check-list.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch b/queue-4.4/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch
new file mode 100644 (file)
index 0000000..e0f40d6
--- /dev/null
@@ -0,0 +1,51 @@
+From 52c479697c9b73f628140dcdfcd39ea302d05482 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 22 Aug 2020 18:25:52 -0400
+Subject: do_epoll_ctl(): clean the failure exits up a bit
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 52c479697c9b73f628140dcdfcd39ea302d05482 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/eventpoll.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1905,10 +1905,8 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, in
+                       mutex_lock(&epmutex);
+                       if (is_file_epoll(tf.file)) {
+                               error = -ELOOP;
+-                              if (ep_loop_check(ep, tf.file) != 0) {
+-                                      clear_tfile_check_list();
++                              if (ep_loop_check(ep, tf.file) != 0)
+                                       goto error_tgt_fput;
+-                              }
+                       } else {
+                               get_file(tf.file);
+                               list_add(&tf.file->f_tfile_llink,
+@@ -1937,8 +1935,6 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, in
+                       error = ep_insert(ep, &epds, tf.file, fd, full_check);
+               } else
+                       error = -EEXIST;
+-              if (full_check)
+-                      clear_tfile_check_list();
+               break;
+       case EPOLL_CTL_DEL:
+               if (epi)
+@@ -1959,8 +1955,10 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, in
+       mutex_unlock(&ep->mtx);
+ error_tgt_fput:
+-      if (full_check)
++      if (full_check) {
++              clear_tfile_check_list();
+               mutex_unlock(&epmutex);
++      }
+       fdput(tf);
+ error_fput:
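Review bot: The `clear_tfile_check_list()` call now placed under `error_tgt_fput:` has no comment, and the patch carries no description, so nothing records why it must sit inside `if (full_check)` and before `mutex_unlock(&epmutex)`. With the keep-a-reference patch queued just ahead of this one in the series, each entry on tfile_check_list holds an f_count reference, so as far as these hunks show this call is what drops those references on every exit. I would add a comment above it such as `/* drop the references held by tfile_check_list while epmutex is still held */`. The epoll_ctl body starts and ends outside these hunks, so other jumps to `error_tgt_fput` with full_check set cannot be checked from here.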
diff --git a/queue-4.4/epoll-keep-a-reference-on-files-added-to-the-check-list.patch b/queue-4.4/epoll-keep-a-reference-on-files-added-to-the-check-list.patch
new file mode 100644 (file)
index 0000000..680e7aa
--- /dev/null
@@ -0,0 +1,66 @@
+From a9ed4a6560b8562b7e2e2bed9527e88001f7b682 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Wed, 19 Aug 2020 17:12:17 +0100
+Subject: epoll: Keep a reference on files added to the check list
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 upstream.
+
+When adding a new fd to an epoll, and that this new fd is an
+epoll fd itself, we recursively scan the fds attached to it
+to detect cycles, and add non-epool files to a "check list"
+that gets subsequently parsed.
+
+However, this check list isn't completely safe when deletions
+can happen concurrently. To sidestep the issue, make sure that
+a struct file placed on the check list sees its f_count increased,
+ensuring that a concurrent deletion won't result in the file
+disapearing from under our feet.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/eventpoll.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1719,9 +1719,11 @@ static int ep_loop_check_proc(void *priv
+                        * not already there, and calling reverse_path_check()
+                        * during ep_insert().
+                        */
+-                      if (list_empty(&epi->ffd.file->f_tfile_llink))
++                      if (list_empty(&epi->ffd.file->f_tfile_llink)) {
++                              get_file(epi->ffd.file);
+                               list_add(&epi->ffd.file->f_tfile_llink,
+                                        &tfile_check_list);
++                      }
+               }
+       }
+       mutex_unlock(&ep->mtx);
+@@ -1765,6 +1767,7 @@ static void clear_tfile_check_list(void)
+               file = list_first_entry(&tfile_check_list, struct file,
+                                       f_tfile_llink);
+               list_del_init(&file->f_tfile_llink);
++              fput(file);
+       }
+       INIT_LIST_HEAD(&tfile_check_list);
+ }
+@@ -1906,9 +1909,11 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, in
+                                       clear_tfile_check_list();
+                                       goto error_tgt_fput;
+                               }
+-                      } else
++                      } else {
++                              get_file(tf.file);
+                               list_add(&tf.file->f_tfile_llink,
+                                                       &tfile_check_list);
++                      }
+                       mutex_lock_nested(&ep->mtx, 0);
+                       if (is_file_epoll(tf.file)) {
+                               tep = tf.file->private_data;
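Review bot: The `get_file(epi->ffd.file)` added in ep_loop_check_proc() takes its reference unconditionally, but nothing in this hunk shows that the epitem pins the file, so f_count may already have reached zero with the file awaiting teardown. Incrementing from zero would put a dying file on tfile_check_list, and the `fput(file)` added to clear_tfile_check_list() would then release it a second time. A conditional grab closes that window: `if (get_file_rcu(epi->ffd.file)) list_add(&epi->ffd.file->f_tfile_llink, &tfile_check_list);`. The `get_file(tf.file)` in the epoll_ctl hunk looks safe by comparison, because the exit path's `fdput(tf)` implies the caller already holds that file. All three functions continue outside the hunks shown.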
index a96c1d664720fc52d36cbd7a316c734883c1672b..f1db6226c340b92844e4ab2f3eed13781f5aa624 100644 (file)
@@ -26,3 +26,5 @@ alpha-fix-annotation-of-io-read-write-16-32-be.patch
 ext4-fix-potential-negative-array-index-in-do_split.patch
 asoc-intel-fix-memleak-in-sst_media_open.patch
 powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch
+epoll-keep-a-reference-on-files-added-to-the-check-list.patch
+do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch