diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0466/0001-epoll-Keep-a-reference-on-files-added-to-the-check-l.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0466/0001-epoll-Keep-a-reference-on-files-added-to-the-check-l.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0466/0001-epoll-Keep-a-reference-on-files-added-to-the-check-l.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0466/0001-epoll-Keep-a-reference-on-files-added-to-the-check-l.patch new file mode 100644 index 000000000..0e2d0c53f --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-0466/0001-epoll-Keep-a-reference-on-files-added-to-the-check-l.patch @@ -0,0 +1,68 @@ +From b158e91610c76c5d9c61c4e990d56405b62bf05a Mon Sep 17 00:00:00 2001 +From: Marc Zyngier <maz@kernel.org> +Date: Wed, 19 Aug 2020 17:12:17 +0100 +Subject: [PATCH] epoll: Keep a reference on files added to the check list + +commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 upstream. + +When adding a new fd to an epoll, and that this new fd is an +epoll fd itself, we recursively scan the fds attached to it +to detect cycles, and add non-epool files to a "check list" +that gets subsequently parsed. + +However, this check list isn't completely safe when deletions +can happen concurrently. To sidestep the issue, make sure that +a struct file placed on the check list sees its f_count increased, +ensuring that a concurrent deletion won't result in the file +disapearing from under our feet. + +Cc: stable@vger.kernel.org +Signed-off-by: Marc Zyngier <maz@kernel.org> +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Marc Zyngier <maz@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/eventpoll.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 6307c1d883e0..b53ae571f064 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1991,9 +1991,11 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests) + * not already there, and calling reverse_path_check() + * during ep_insert(). + */ +- if (list_empty(&epi->ffd.file->f_tfile_llink)) ++ if (list_empty(&epi->ffd.file->f_tfile_llink)) { ++ get_file(epi->ffd.file); + list_add(&epi->ffd.file->f_tfile_llink, + &tfile_check_list); ++ } + } + } + mutex_unlock(&ep->mtx); +@@ -2037,6 +2039,7 @@ static void clear_tfile_check_list(void) + file = list_first_entry(&tfile_check_list, struct file, + f_tfile_llink); + list_del_init(&file->f_tfile_llink); ++ fput(file); + } + INIT_LIST_HEAD(&tfile_check_list); + } +@@ -2196,9 +2199,11 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd, + clear_tfile_check_list(); + goto error_tgt_fput; + } +- } else ++ } else { ++ get_file(tf.file); + list_add(&tf.file->f_tfile_llink, + &tfile_check_list); ++ } + mutex_lock_nested(&ep->mtx, 0); + if (is_file_epoll(tf.file)) { + tep = tf.file->private_data; +-- +2.17.1 + |