io_uring/epoll: disallow adding an epoll file to an epoll context

One of the nastier things about epoll is how it allows adding epoll
files to epoll contexts. This leads to all sorts of loop detection
code, and has been a source of issues in the past.

Arguably adding IORING_EPOLL_CTL is a historical mistake on the
io_uring side, but we're kind of stuck with it now as it does seem
to be in use according to code searches. But we can at least minimize
the damage a bit and just disallow this part of epoll, where nesting
issues can arise.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/epoll.c b/io_uring/epoll.c
index b9db8bde27ec8c708a3e0b5e7b176e4201599a84..eecd748cad018e392fd66c382df44197ebba7e48 100644 (file)
--- a/io_uring/epoll.c
+++ b/io_uring/epoll.c
@@ -62,6 +62,9 @@ int io_epoll_ctl(struct io_kiocb *req, unsigned int issue_flags)
        CLASS(fd, tf)(ie->fd);
        if (fd_empty(tf))
                return -EBADF;
+       /* disallow adding an epoll context to another epoll context */
+       if (ie->op == EPOLL_CTL_ADD && is_file_epoll(fd_file(tf)))
+               return -EINVAL;
 
        key.file = fd_file(tf);
        key.fd = ie->fd;