Re: [PATCH] eventpoll: fix use-after-free in clear_tfile_check_list()

[Christian Brauner]

On Sat, May 23, 2026 at 02:41:07PM +0530, Deepanshu Kartikey wrote:
> syzbot reports a slab-use-after-free read in
> clear_tfile_check_list() during EPOLL_CTL_ADD when ep_insert()
> takes an error path that calls ep_remove() before
> do_epoll_ctl_file() drains ctx->tfile_check_list.
> 
> ep_remove_file() decides whether to kmem_cache_free() a struct
> epitems_head by testing v->next == NULL, on the convention that
> NULL means "this head is not linked on any check list".
> list_file() pushes a head onto ctx->tfile_check_list by storing
> the previous list head into head->next; when the list is empty
> that store is NULL, so the head that ends up at the tail of the
> check list also has next == NULL. ep_remove_file() then misreads
> the tail as "not linked" and frees it. clear_tfile_check_list()
> later walks the list and dereferences head->next on the freed
> object:
> 
>   BUG: KASAN: slab-use-after-free in
>        clear_tfile_check_list+0x114/0x380 fs/eventpoll.c:2443
>   Allocated by task 5985:
>     ep_attach_file fs/eventpoll.c:1751 [inline]
>     ep_register_epitem fs/eventpoll.c:1833 [inline]
>     ep_insert+0x512/0x1820 fs/eventpoll.c:1876
>   Freed by task 5985:
>     ep_remove+0x155/0x2a0 fs/eventpoll.c:1135
>     ep_insert+0x1372/0x1820
> 
> Terminate ctx->tfile_check_list with a non-NULL sentinel
> (EP_TFILE_LIST_END) so that next == NULL unambiguously means
> "not on any check list". list_file() stores the sentinel when
> the list is empty, reverse_path_check() and
> clear_tfile_check_list() stop the walk on the sentinel, and
> do_epoll_ctl_file() seeds ctx->tfile_check_list with it. The
> guard in ep_remove_file() then correctly refuses to free a head
> while it remains on the check list.
> 
> Reported-by: syzbot+69a3d7738ad3aa175caf@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=69a3d7738ad3aa175caf
> Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
> ---
>  fs/eventpoll.c | 18 ++++++++++++++----
>  1 file changed, 14 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/eventpoll.c b/fs/eventpoll.c
> index a569e98d4a99..349d79e8ddc8 100644
> --- a/fs/eventpoll.c
> +++ b/fs/eventpoll.c
> @@ -222,6 +222,15 @@
>  
>  #define EP_UNACTIVE_PTR ((void *) -1L)
>  
> +/* Non-NULL sentinel terminating ctx->tfile_check_list, so that
> + * "head->next == NULL" unambiguously means "this head is not on any
> + * check list" -- the invariant ep_remove_file() and list_file() rely
> + * on. Without this, the tail of the check list aliases the
> + * "not linked" state and ep_remove_file() may free a head that
> + * clear_tfile_check_list() still references.
> + */
> +#define EP_TFILE_LIST_END ((struct epitems_head *)EP_UNACTIVE_PTR)

Better than the other fix but I'm really confused about this define...