nit: Please send CVE related patches to vzlin-dev mailing list. On 7/8/26 15:15, Eva Kurchatova wrote: > From: Nicholas Carlini <[email protected]> > > [ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ] > > In certain situations, ep_free() in eventpoll.c will kfree the epi->ep > eventpoll struct while it still being used by another concurrent thread. > Defer the kfree() to an RCU callback to prevent UAF. > > Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion") > Signed-off-by: Nicholas Carlini <[email protected]> > Signed-off-by: Christian Brauner <[email protected]> > Signed-off-by: Sasha Levin <[email protected]> > (cherry picked from commit a6566cd33f6f967a7651ebf2ce0dd31572e319cf) > Signed-off-by: Eva Kurchatova <[email protected]> > > https://virtuozzo.atlassian.net/browse/VSTOR-137490 > Feature: fix epoll cve > --- > fs/eventpoll.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/fs/eventpoll.c b/fs/eventpoll.c > index 54c7f6422f5a..836dae2c5b45 100644 > --- a/fs/eventpoll.c > +++ b/fs/eventpoll.c > @@ -225,6 +225,9 @@ struct eventpoll { > */ > refcount_t refcount; > > + /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */ > + struct rcu_head rcu;
Definitely not applicable via RK. Structure changes are not allowed. > + > #ifdef CONFIG_NET_RX_BUSY_POLL > /* used to track busy poll napi_id */ > unsigned int napi_id; > @@ -708,7 +711,8 @@ static void ep_free(struct eventpoll *ep) > mutex_destroy(&ep->mtx); > free_uid(ep->user); > wakeup_source_unregister(ep->ws); > - kfree(ep); > + /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */ > + kfree_rcu(ep, rcu); > } > > /* -- Best regards, Pavel Tikhomirov Senior Software Developer, Virtuozzo. _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
