From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 24 Aug 2020 08:06:45 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.234~21
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d486f2e0c53d2d296437443a53928edc09ceb0df;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch
	epoll-keep-a-reference-on-files-added-to-the-check-list.patch
---

diff --git a/queue-4.4/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch b/queue-4.4/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch
new file mode 100644
index 00000000000..e0f40d6d203
--- /dev/null
+++ b/queue-4.4/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch
@@ -0,0 +1,51 @@
+From 52c479697c9b73f628140dcdfcd39ea302d05482 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 22 Aug 2020 18:25:52 -0400
+Subject: do_epoll_ctl(): clean the failure exits up a bit
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 52c479697c9b73f628140dcdfcd39ea302d05482 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/eventpoll.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1905,10 +1905,8 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, in
+ 			mutex_lock(&epmutex);
+ 			if (is_file_epoll(tf.file)) {
+ 				error = -ELOOP;
+-				if (ep_loop_check(ep, tf.file) != 0) {
+-					clear_tfile_check_list();
++				if (ep_loop_check(ep, tf.file) != 0)
+ 					goto error_tgt_fput;
+-				}
+ 			} else {
+ 				get_file(tf.file);
+ 				list_add(&tf.file->f_tfile_llink,
+@@ -1937,8 +1935,6 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, in
+ 			error = ep_insert(ep, &epds, tf.file, fd, full_check);
+ 		} else
+ 			error = -EEXIST;
+-		if (full_check)
+-			clear_tfile_check_list();
+ 		break;
+ 	case EPOLL_CTL_DEL:
+ 		if (epi)
+@@ -1959,8 +1955,10 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, in
+ 	mutex_unlock(&ep->mtx);
+ 
+ error_tgt_fput:
+-	if (full_check)
++	if (full_check) {
++		clear_tfile_check_list();
+ 		mutex_unlock(&epmutex);
++	}
+ 
+ 	fdput(tf);
+ error_fput:
diff --git a/queue-4.4/epoll-keep-a-reference-on-files-added-to-the-check-list.patch b/queue-4.4/epoll-keep-a-reference-on-files-added-to-the-check-list.patch
new file mode 100644
index 00000000000..680e7aac56b
--- /dev/null
+++ b/queue-4.4/epoll-keep-a-reference-on-files-added-to-the-check-list.patch
@@ -0,0 +1,66 @@
+From a9ed4a6560b8562b7e2e2bed9527e88001f7b682 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Wed, 19 Aug 2020 17:12:17 +0100
+Subject: epoll: Keep a reference on files added to the check list
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 upstream.
+
+When adding a new fd to an epoll, and that this new fd is an
+epoll fd itself, we recursively scan the fds attached to it
+to detect cycles, and add non-epool files to a "check list"
+that gets subsequently parsed.
+
+However, this check list isn't completely safe when deletions
+can happen concurrently. To sidestep the issue, make sure that
+a struct file placed on the check list sees its f_count increased,
+ensuring that a concurrent deletion won't result in the file
+disapearing from under our feet.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/eventpoll.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1719,9 +1719,11 @@ static int ep_loop_check_proc(void *priv
+ 			 * not already there, and calling reverse_path_check()
+ 			 * during ep_insert().
+ 			 */
+-			if (list_empty(&epi->ffd.file->f_tfile_llink))
++			if (list_empty(&epi->ffd.file->f_tfile_llink)) {
++				get_file(epi->ffd.file);
+ 				list_add(&epi->ffd.file->f_tfile_llink,
+ 					 &tfile_check_list);
++			}
+ 		}
+ 	}
+ 	mutex_unlock(&ep->mtx);
+@@ -1765,6 +1767,7 @@ static void clear_tfile_check_list(void)
+ 		file = list_first_entry(&tfile_check_list, struct file,
+ 					f_tfile_llink);
+ 		list_del_init(&file->f_tfile_llink);
++		fput(file);
+ 	}
+ 	INIT_LIST_HEAD(&tfile_check_list);
+ }
+@@ -1906,9 +1909,11 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, in
+ 					clear_tfile_check_list();
+ 					goto error_tgt_fput;
+ 				}
+-			} else
++			} else {
++				get_file(tf.file);
+ 				list_add(&tf.file->f_tfile_llink,
+ 							&tfile_check_list);
++			}
+ 			mutex_lock_nested(&ep->mtx, 0);
+ 			if (is_file_epoll(tf.file)) {
+ 				tep = tf.file->private_data;
diff --git a/queue-4.4/series b/queue-4.4/series
index a96c1d66472..f1db6226c34 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -26,3 +26,5 @@ alpha-fix-annotation-of-io-read-write-16-32-be.patch
 ext4-fix-potential-negative-array-index-in-do_split.patch
 asoc-intel-fix-memleak-in-sst_media_open.patch
 powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch
+epoll-keep-a-reference-on-files-added-to-the-check-list.patch
+do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch