Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch')
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch
new file mode 100644
index 000000000..444fb1035
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch
@@ -0,0 +1,47 @@
+From 8d6760fd5d1604df29dd7651033167ef99a7698d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 8 Dec 2021 17:04:53 -0800
+Subject: [PATCH] signalfd: use wake_up_pollfree()
+
+commit 9537bae0da1f8d1e2361ab6d0479e8af7824e160 upstream.
+
+wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
+all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll
+and aio poll are fortunately not affected by this, but it's very
+fragile. Thus, the new function wake_up_pollfree() has been introduced.
+
+Convert signalfd to use wake_up_pollfree().
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Fixes: d80e731ecab4 ("epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211209010455.42744-4-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/signalfd.c | 12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/fs/signalfd.c b/fs/signalfd.c
+index 040e1cf9052826..65ce0e72e7b958 100644
+--- a/fs/signalfd.c
++++ b/fs/signalfd.c
+@@ -35,17 +35,7 @@
+
+ void signalfd_cleanup(struct sighand_struct *sighand)
+ {
+- wait_queue_head_t *wqh = &sighand->signalfd_wqh;
+- /*
+- * The lockless check can race with remove_wait_queue() in progress,
+- * but in this case its caller should run under rcu_read_lock() and
+- * sighand_cachep is SLAB_TYPESAFE_BY_RCU, we can safely return.
+- */
+- if (likely(!waitqueue_active(wqh)))
+- return;
+-
+- /* wait_queue_entry_t->func(POLLFREE) should do remove_wait_queue() */
+- wake_up_poll(wqh, EPOLLHUP | POLLFREE);
++ wake_up_pollfree(&sighand->signalfd_wqh);
+ }
+
+ struct signalfd_ctx {
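Review bot: The new body of signalfd_cleanup() at `+ wake_up_pollfree(&sighand->signalfd_wqh);` calls a helper that nothing in this patch defines, so unless a sibling patch in this recipe (presumably the upstream "wait: add wake_up_pollfree()" change that this -1 file appears to follow) adds it to include/linux/wait.h and is applied before this one in SRC_URI, the kernel build fails at this line. Dropping the `waitqueue_active()` fast path is only safe if the backported helper performs that same lockless check internally, which I believe the upstream version does; it is worth confirming in the copy carried here, since that check is what makes the RCU-delayed-free argument in the removed comment hold. I would record the ordering in the patch header, e.g. a one-line `Depends on the wake_up_pollfree() helper patch in this series.` above the `---` separator, so it survives a rebase of the series. The `struct signalfd_ctx` definition that begins on the hunk's last line continues outside it.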