// AFTER (fixed):
mutex_unlock(&ep->mtx);
if (ep_refcount_dec_and_test(ep))
ep_free(ep);
```
This is a classic use-after-free that could be exploited for:
- Privilege escalation
- System crashes/DoS
- Potential arbitrary code execution
### 3. **Race Condition in Common Code Path**
The vulnerable code is in frequently used functions:
- `__ep_remove()` - called when removing epoll items
- `ep_remove_safe()` - wrapper for safe removal
- `ep_clear_and_put()` - called during epoll cleanup
- `eventpoll_release_file()` - called when files are closed
These are not obscure edge cases but core epoll operations that happen
during normal system operation.
### 4. **Affects Systems Using Refcounted epoll**
The refcounting mechanism was introduced in commit 4f04cbaf128 ("epoll:
use refcount to reduce ep_mutex contention") to improve performance. Any
kernel with this commit is vulnerable to the use-after-free bug.
### 5. **Simple and Safe Fix**
The fix is minimal and low-risk:
- Simply reorders operations to move refcount decrement after mutex
unlock
- No new features or architectural changes
- The refcount is atomic and doesn't need mutex protection
- Follows the documented mutex semantics
### 6. **Matches Stable Criteria**
Per stable kernel rules, this fix:
- â?? Fixes a real bug (use-after-free)
- â?? Small and contained change
- â?? No side effects beyond fixing the issue
- â?? Critical for system stability/security
- â?? Already tested (committed by Linus himself)
### 7. **Documentation Reference**
The commit explicitly references kernel documentation about mutex
semantics that explains why this ordering is critical. This shows it's
fixing a well-understood concurrency issue, not experimental behavior.
The simplicity of the fix combined with the severity of the bug (use-
after-free in core kernel code) makes this an ideal candidate for stable
backporting. Systems running kernels with the epoll refcounting feature
need this fix to prevent potential security vulnerabilities and system
crashes.
fs/eventpoll.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index d4dbffdedd08e..0fbf5dfedb24e 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -883,7 +883,7 @@ static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
kfree_rcu(epi, rcu);
percpu_counter_dec(&ep->user->epoll_watches);
- return ep_refcount_dec_and_test(ep);
+ return true;
}
/*
@@ -891,14 +891,14 @@ static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
*/
static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi)
{
- WARN_ON_ONCE(__ep_remove(ep, epi, false));
+ if (__ep_remove(ep, epi, false))
+ WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
}
static void ep_clear_and_put(struct eventpoll *ep)
{
struct rb_node *rbp, *next;
struct epitem *epi;
- bool dispose;
/* We need to release all tasks waiting for these file */
if (waitqueue_active(&ep->poll_wait))
@@ -931,10 +931,8 @@ static void ep_clear_and_put(struct eventpoll *ep)
cond_resched();
}
- dispose = ep_refcount_dec_and_test(ep);
mutex_unlock(&ep->mtx);
-
- if (dispose)
+ if (ep_refcount_dec_and_test(ep))
ep_free(ep);
}
@@ -1137,7 +1135,7 @@ void eventpoll_release_file(struct file *file)
dispose = __ep_remove(ep, epi, true);
mutex_unlock(&ep->mtx);
- if (dispose)
+ if (dispose && ep_refcount_dec_and_test(ep))
ep_free(ep);
goto again;
}
--
2.39.5
