nit: Please send CVE related patches to vzlin-dev mailing list.

On 7/8/26 15:15, Eva Kurchatova wrote:
> From: Nicholas Carlini <[email protected]>
> 
> [ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ]
> 
> In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
> eventpoll struct while it still being used by another concurrent thread.
> Defer the kfree() to an RCU callback to prevent UAF.
> 
> Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
> Signed-off-by: Nicholas Carlini <[email protected]>
> Signed-off-by: Christian Brauner <[email protected]>
> Signed-off-by: Sasha Levin <[email protected]>
> (cherry picked from commit a6566cd33f6f967a7651ebf2ce0dd31572e319cf)
> Signed-off-by: Eva Kurchatova <[email protected]>
> 
> https://virtuozzo.atlassian.net/browse/VSTOR-137490
> Feature: fix epoll cve
> ---
>  fs/eventpoll.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/eventpoll.c b/fs/eventpoll.c
> index 54c7f6422f5a..836dae2c5b45 100644
> --- a/fs/eventpoll.c
> +++ b/fs/eventpoll.c
> @@ -225,6 +225,9 @@ struct eventpoll {
>        */
>       refcount_t refcount;
>  
> +     /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */
> +     struct rcu_head rcu;

Definitely not applicable via RK. Structure changes are not allowed.

> +
>  #ifdef CONFIG_NET_RX_BUSY_POLL
>       /* used to track busy poll napi_id */
>       unsigned int napi_id;
> @@ -708,7 +711,8 @@ static void ep_free(struct eventpoll *ep)
>       mutex_destroy(&ep->mtx);
>       free_uid(ep->user);
>       wakeup_source_unregister(ep->ws);
> -     kfree(ep);
> +     /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */
> +     kfree_rcu(ep, rcu);
>  }
>  
>  /*

-- 
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.

_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel

Reply via email to