mirror/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
98e93e968e4947cd71c2eb69e323682daa453ee7
linux/fs
History
Oleg Nesterov 138e4ad67a epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() 
The race was introduced by me in commit 971316f050 ("epoll:
ep_unregister_pollwait() can use the freed pwq->whead").  I did not
realize that nothing can protect eventpoll after ep_poll_callback() sets
->whead = NULL, only whead->lock can save us from the race with
ep_free() or ep_remove().

Move ->whead = NULL to the end of ep_poll_callback() and add the
necessary barriers.

TODO: cleanup the ewake/EPOLLEXCLUSIVE logic, it was confusing even
before this patch.

Hopefully this explains use-after-free reported by syzcaller:

	BUG: KASAN: use-after-free in debug_spin_lock_before
	...
	 _raw_spin_lock_irqsave+0x4a/0x60 kernel/locking/spinlock.c:159
	 ep_poll_callback+0x29f/0xff0 fs/eventpoll.c:1148

this is spin_lock(eventpoll->lock),

	...
	Freed by task 17774:
	...
	 kfree+0xe8/0x2c0 mm/slub.c:3883
	 ep_free+0x22c/0x2a0 fs/eventpoll.c:865

Fixes: 971316f050 ("epoll: ep_unregister_pollwait() can use the freed pwq->whead")
Reported-by: 范龙飞 <long7573@126.com>
Cc: stable@vger.kernel.org
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-09-01 13:07:35 -07:00
..
9p
9p: Implement show_options
2017-07-11 06:08:58 -04:00
adfs
affs
affs: Implement show_options
2017-07-11 06:06:17 -04:00
afs
Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-15 12:00:42 -07:00
autofs4
Fix up over-eager 'wait_queue_t' renaming
2017-07-10 11:40:19 -07:00
befs
Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-15 12:00:42 -07:00
bfs
bfs: fix sanity checks for empty files
2017-07-12 16:26:00 -07:00
btrfs
Btrfs: fix blk_status_t/errno confusion
2017-08-24 17:19:02 +02:00
cachefiles
sched/wait: Disambiguate wq_entry->task_list and wq_head->task_list naming
2017-06-20 12:19:14 +02:00
ceph
ceph: fix readpage from fscache
2017-09-01 00:04:26 +02:00
cifs
CIFS: remove endian related sparse warning
2017-08-30 14:43:11 -05:00
coda
fs: implement vfs_iter_write using do_iter_write
2017-06-29 17:49:23 -04:00
configfs
configfs: Introduce config_item_get_unless_zero()
2017-06-12 13:20:20 +02:00
cramfs
crypto
Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
2017-07-09 09:31:22 -07:00
debugfs
Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-15 12:00:42 -07:00
devpts
pty: Repair TIOCGPTPEER
2017-08-24 13:23:03 -07:00
dlm
net: Work around lockdep limitation in sockets that use sockets
2017-03-09 18:23:27 -08:00
ecryptfs
ecryptfs: Convert to separately allocated bdi
2017-04-20 12:09:55 -06:00
efivarfs
VFS: Kill off s_options and helpers
2017-07-11 06:09:21 -04:00
efs
exofs
mm: drop "wait" parameter from write_one_page()
2017-07-05 18:44:22 -04:00
exportfs
Merge branch 'rebased-statx' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-03-03 11:38:56 -08:00
ext2
ext2: preserve i_mode if ext2_set_acl() fails
2017-07-18 11:23:56 +02:00
ext4
ext4: add missing xattr hash update
2017-08-14 08:30:06 -04:00
f2fs
f2fs: avoid cpu lockup
2017-07-17 19:23:18 -07:00
fat
fat: fix using uninitialized fields of fat_inode/fsinfo_inode
2017-03-09 17:01:10 -08:00
freevxfs
fscache
fuse
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse
2017-08-11 11:20:48 -07:00
gfs2
Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-15 12:00:42 -07:00
hfs
fs: semove set but not checked AOP_FLAG_UNINTERRUPTIBLE flag
2017-05-08 17:15:14 -07:00
hfsplus
hfsplus: Don't clear SGID when inheriting ACLs
2017-07-18 18:23:39 +02:00
hostfs
hpfs
hugetlbfs
Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-15 12:00:42 -07:00
isofs
isofs: Fix off-by-one in 'session' mount option parsing
2017-07-18 12:33:16 +02:00
jbd2
Merge tag 'for-linus-v4.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux
2017-07-07 19:38:17 -07:00
jffs2
jffs2: fix spelling mistake: "requestied" -> "requested"
2017-04-19 11:35:55 -07:00
jfs
jfs should use MAX_LFS_FILESIZE when calculating s_maxbytes
2017-08-31 17:02:21 -07:00
kernfs
kernfs: Check KERNFS_HAS_RELEASE before calling kernfs_release_file()
2017-03-17 10:25:59 +09:00
lockd
sunrpc: mark all struct svc_version instances as const
2017-07-13 15:58:03 -04:00
minix
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-08 10:50:54 -07:00
ncpfs
mm: per-cgroup memory reclaim stats
2017-07-06 16:24:35 -07:00
nfs
Merge tag 'nfs-for-4.13-5' of git://git.linux-nfs.org/projects/anna/linux-nfs
2017-08-11 13:54:09 -07:00
nfs_common
nfsd
nfsd: Limit end of page list when decoding NFSv4 WRITE
2017-08-24 18:05:30 -04:00
nilfs2
Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-07-03 13:08:04 -07:00
nls
notify
dentry name snapshots
2017-07-07 20:09:10 -04:00
ntfs
ntfs: Use ERR_CAST() to avoid cross-structure cast
2017-05-28 10:11:48 -07:00
ocfs2
ocfs2: don't clear SGID when inheriting ACLs
2017-08-02 17:16:13 -07:00
omfs
omfs: Implement show_options
2017-07-06 03:31:46 -04:00
openpromfs
orangefs
Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-15 12:00:42 -07:00
overlayfs
ovl: check for bad and whiteout index on lookup
2017-07-20 11:08:21 +02:00
proc
mm: fix KSM data corruption
2017-08-10 15:54:07 -07:00
pstore
Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-15 12:00:42 -07:00
qnx4
qnx6
quota
quota: correct space limit check
2017-08-07 16:51:28 +02:00
ramfs
ramfs: Implement show_options
2017-07-06 03:31:46 -04:00
reiserfs
reiserfs: preserve i_mode if __reiserfs_set_acl() fails
2017-07-18 11:24:08 +02:00
romfs
squashfs
sysfs
sysfs: be careful of error returns from ops->show()
2017-04-08 17:33:32 +02:00
sysv
mm: drop "wait" parameter from write_one_page()
2017-07-05 18:44:22 -04:00
tracefs
VFS: Don't use save/replace_mount_options if not using generic_show_options
2017-07-06 03:31:46 -04:00
ubifs
ubifs: Set double hash cookie also for RENAME_EXCHANGE
2017-07-14 22:50:57 +02:00
udf
udf: Convert udf_disk_stamp_to_time() to use mktime64()
2017-06-14 11:21:02 +02:00
ufs
Merge tag 'for-linus-v4.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux
2017-07-07 18:39:15 -07:00
xfs
xfs: don't leak quotacheck dquots when cow recovery
2017-08-17 12:40:33 -07:00
aio.c
fs: add O_DIRECT and aio support for sending down write life time hints
2017-06-27 12:05:36 -06:00
anon_inodes.c
attr.c
bad_inode.c
statx: Add a system call to make enhanced file info available
2017-03-02 20:51:15 -05:00
binfmt_aout.c
sched/headers: Prepare for new header dependencies before moving code to <linux/sched/task_stack.h>
2017-03-02 08:42:36 +01:00
binfmt_elf_fdpic.c
sched/headers: Prepare to move cputime functionality from <linux/sched.h> into <linux/sched/cputime.h>
2017-03-02 08:42:39 +01:00
binfmt_elf.c
x86/elf: Remove the unnecessary ADDR_NO_RANDOMIZE checks
2017-08-16 20:32:02 +02:00
binfmt_em86.c
binfmt_flat.c
binfmt_flat: Use %u to format u32
2017-07-16 09:24:05 -07:00
binfmt_misc.c
fs: constify tree_descr arrays passed to simple_fill_super()
2017-04-26 23:54:06 -04:00
binfmt_script.c
block_dev.c
Merge tag 'for-linus-v4.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux
2017-07-07 19:38:17 -07:00
buffer.c
fs/buffer.c: make bh_lru_install() more efficient
2017-07-10 16:32:30 -07:00
char_dev.c
chardev: add helper function to register char devs with a struct device
2017-03-21 06:44:32 +01:00
compat_binfmt_elf.c
compat_ioctl.c
Merge branch 'work.__copy_in_user' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-08 10:15:02 -07:00
compat.c
fs/compat.c: trim unused includes
2017-04-17 12:52:27 -04:00
coredump.c
sched/headers: Prepare for new header dependencies before moving code to <linux/sched/task_stack.h>
2017-03-02 08:42:36 +01:00
dax.c
dax: update to new mmu_notifier semantic
2017-08-31 16:12:59 -07:00
dcache.c
Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-15 12:00:42 -07:00
dcookies.c
direct-io.c
fs: add O_DIRECT and aio support for sending down write life time hints
2017-06-27 12:05:36 -06:00
drop_caches.c
eventfd.c
Merge tag 'docs-4.13' of git://git.lwn.net/linux
2017-07-03 21:13:25 -07:00
eventpoll.c
epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove()
2017-09-01 13:07:35 -07:00
exec.c
exec: Limit arg stack to at most 75% of _STK_LIM
2017-07-07 20:05:08 -07:00
fcntl.c
vfs: fix flock compat thinko
2017-07-07 13:48:18 -07:00
fhandle.c
fhandle: move compat syscalls from compat.c
2017-04-17 12:52:26 -04:00
file_table.c
fs: new infrastructure for writeback error handling and reporting
2017-07-06 07:02:25 -04:00
file.c
fs/file.c: replace alloc_fdmem() with kvmalloc() alternative
2017-07-06 16:24:30 -07:00
filesystems.c
Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-15 12:00:42 -07:00
fs_pin.c
sched/wait: Disambiguate wq_entry->task_list and wq_head->task_list naming
2017-06-20 12:19:14 +02:00
fs_struct.c
sched/headers: Prepare for new header dependencies before moving code to <linux/sched/task.h>
2017-03-02 08:42:35 +01:00
fs-writeback.c
writeback: rework wb_[dec|inc]_stat family of functions
2017-07-12 16:26:05 -07:00
inode.c
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-08 10:50:54 -07:00
internal.h
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-05-09 09:12:53 -07:00
ioctl.c
sched/headers: Prepare for the reduction of <linux/sched.h>'s signal API dependency
2017-03-02 08:42:37 +01:00
iomap.c
iomap: fix integer truncation issues in the zeroing and dirtying helpers
2017-08-11 16:56:33 -07:00
Kconfig
fs/Kconfig: kill CONFIG_PERCPU_RWSEM some more
2017-07-12 16:26:00 -07:00
Kconfig.binfmt
libfs.c
fs: convert __generic_file_fsync to use errseq_t based reporting
2017-07-06 07:02:29 -04:00
locks.c
fs/locks: pass kernel struct flock to fcntl_getlk/setlk
2017-05-27 06:07:19 -04:00
Makefile
mbcache.c
ext4: xattr inode deduplication
2017-06-22 11:44:55 -04:00
mount.h
Merge tag 'gcc-plugins-v4.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
2017-07-19 08:55:18 -07:00
mpage.c
Merge tag 'docs-4.13' of git://git.lwn.net/linux
2017-07-03 21:13:25 -07:00
namei.c
Merge tag 'gcc-plugins-v4.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
2017-07-19 08:55:18 -07:00
namespace.c
Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-15 12:00:42 -07:00
no-block.c
nsfs.c
VFS: Provide empty name qstr
2017-07-06 03:27:09 -04:00
open.c
Merge tag 'for-linus-v4.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux
2017-07-07 19:38:17 -07:00
pipe.c
VFS: Provide empty name qstr
2017-07-06 03:27:09 -04:00
pnode.c
mnt: Make propagate_umount less slow for overlapping mount propagation trees
2017-05-23 08:41:17 -05:00
pnode.h
posix_acl.c
proc_namespace.c
sched/headers: Prepare to move the task_lock()/unlock() APIs to <linux/sched/task.h>
2017-03-02 08:42:38 +01:00
read_write.c
Merge branch 'work.read_write' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-07 21:48:15 -07:00
readdir.c
readdir: move compat syscalls from compat.c
2017-04-17 12:52:24 -04:00
select.c
fs/select: Fix memory corruption in compat_get_fd_set()
2017-08-28 16:09:19 -07:00
seq_file.c
mm: introduce kv[mz]alloc helpers
2017-05-08 17:15:12 -07:00
signalfd.c
sched/wait: Rename wait_queue_t => wait_queue_entry_t
2017-06-20 12:18:27 +02:00
splice.c
fs: implement vfs_iter_write using do_iter_write
2017-06-29 17:49:23 -04:00
stack.c
stat.c
ufs: restore maintaining ->i_blocks
2017-06-09 16:28:01 -04:00
statfs.c
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-08 10:50:54 -07:00
super.c
VFS: Kill off s_options and helpers
2017-07-11 06:09:21 -04:00
sync.c
fs: remove call_fsync helper function
2017-07-05 18:44:23 -04:00
timerfd.c
timerfd: Use get_itimerspec64() and put_itimerspec64()
2017-06-30 04:14:38 -04:00
userfaultfd.c
userfaultfd: replace ENOSPC with ESRCH in case mm has gone during copy/zeropage
2017-08-10 15:54:07 -07:00
utimes.c
utimes: move compat syscalls from compat.c
2017-04-17 12:52:23 -04:00
xattr.c
treewide: use kv[mz]alloc* rather than opencoded variants
2017-05-08 17:15:13 -07:00