eventpoll: defer struct eventpoll free to RCU grace period

[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ]

In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
eventpoll struct while it still being used by another concurrent thread.
Defer the kfree() to an RCU callback to prevent UAF.

Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index d20917b03161b095ea20f0997287513a276767aa..3bdbaf202d4dba2cd671fd2a79d160cf145809e9 100644 (file)
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -226,6 +226,9 @@ struct eventpoll {
         */
        refcount_t refcount;
 
+       /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */
+       struct rcu_head rcu;
+
 #ifdef CONFIG_NET_RX_BUSY_POLL
        /* used to track busy poll napi_id */
        unsigned int napi_id;
@@ -819,7 +822,8 @@ static void ep_free(struct eventpoll *ep)
        mutex_destroy(&ep->mtx);
        free_uid(ep->user);
        wakeup_source_unregister(ep->ws);
-       kfree(ep);
+       /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */
+       kfree_rcu(ep, rcu);
 }
 
 /*