Forwarded: [PATCH] eventpoll: fix use-after-free in clear_tfile_check_list()

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.

***

Subject: [PATCH] eventpoll: fix use-after-free in clear_tfile_check_list()
Author: kartikey406@xxxxxxxxx

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

syzbot reports a slab-use-after-free read in
clear_tfile_check_list() during EPOLL_CTL_ADD when ep_insert()
takes an error path that calls ep_remove() before
do_epoll_ctl_file() drains ctx->tfile_check_list.

ep_remove_file() decides whether to kmem_cache_free() a struct
epitems_head by testing v->next == NULL, on the convention that
NULL means "this head is not linked on any check list".
list_file() pushes a head onto ctx->tfile_check_list by storing
the previous list head into head->next; when the list is empty
that store is NULL, so the head that ends up at the tail of the
check list also has next == NULL. ep_remove_file() then misreads
the tail as "not linked" and frees it. clear_tfile_check_list()
later walks the list and dereferences head->next on the freed
object:

  BUG: KASAN: slab-use-after-free in
       clear_tfile_check_list+0x114/0x380 fs/eventpoll.c:2443
  Allocated by task 5985:
    ep_attach_file fs/eventpoll.c:1751 [inline]
    ep_register_epitem fs/eventpoll.c:1833 [inline]
    ep_insert+0x512/0x1820 fs/eventpoll.c:1876
  Freed by task 5985:
    ep_remove+0x155/0x2a0 fs/eventpoll.c:1135
    ep_insert+0x1372/0x1820

Terminate ctx->tfile_check_list with a non-NULL sentinel
(EP_TFILE_LIST_END) so that next == NULL unambiguously means
"not on any check list". list_file() stores the sentinel when
the list is empty, reverse_path_check() and
clear_tfile_check_list() stop the walk on the sentinel, and
do_epoll_ctl_file() seeds ctx->tfile_check_list with it. The
guard in ep_remove_file() then correctly refuses to free a head
while it remains on the check list.

Reported-by: syzbot+f83fa2cf571bd7650422@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=f83fa2cf571bd7650422
Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
---
 fs/eventpoll.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index a569e98d4a99..349d79e8ddc8 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -222,6 +222,15 @@
 
 #define EP_UNACTIVE_PTR ((void *) -1L)
 
+/* Non-NULL sentinel terminating ctx->tfile_check_list, so that
+ * "head->next == NULL" unambiguously means "this head is not on any
+ * check list" -- the invariant ep_remove_file() and list_file() rely
+ * on. Without this, the tail of the check list aliases the
+ * "not linked" state and ep_remove_file() may free a head that
+ * clear_tfile_check_list() still references.
+ */
+#define EP_TFILE_LIST_END ((struct epitems_head *)EP_UNACTIVE_PTR)
+
 #define EP_ITEM_COST (sizeof(struct epitem) + sizeof(struct eppoll_entry))
 
 /* Wait structure used by the poll hooks */
@@ -472,7 +481,7 @@ static void list_file(struct file *file, struct ep_ctl_ctx *ctx)
 
 	head = container_of(file->f_ep, struct epitems_head, epitems);
 	if (!head->next) {
-		head->next = ctx->tfile_check_list;
+		head->next = ctx->tfile_check_list ? : EP_TFILE_LIST_END;
 		ctx->tfile_check_list = head;
 	}
 }
@@ -1685,7 +1694,7 @@ static int reverse_path_check(struct ep_ctl_ctx *ctx)
 {
 	struct epitems_head *p;
 
-	for (p = ctx->tfile_check_list; p; p = p->next) {
+	for (p = ctx->tfile_check_list; p != EP_TFILE_LIST_END; p = p->next) {
 		int error;
 		path_count_init(ctx);
 		rcu_read_lock();
@@ -2438,11 +2447,12 @@ static int ep_loop_check(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
 static void clear_tfile_check_list(struct ep_ctl_ctx *ctx)
 {
 	rcu_read_lock();
-	while (ctx->tfile_check_list) {
+	while (ctx->tfile_check_list != EP_TFILE_LIST_END) {
 		struct epitems_head *head = ctx->tfile_check_list;
 		ctx->tfile_check_list = head->next;
 		unlist_file(head);
 	}
+	ctx->tfile_check_list = NULL;
 	rcu_read_unlock();
 }
 
@@ -2601,7 +2611,7 @@ int do_epoll_ctl_file(struct file *f, int op, struct epoll_key *tf,
 	int full_check;
 	struct eventpoll *ep;
 	struct epitem *epi;
-	struct ep_ctl_ctx ctx = { };
+	struct ep_ctl_ctx ctx = {.tfile_check_list = EP_TFILE_LIST_END };
 
 	/* The target file descriptor must support poll */
 	if (!file_can_poll(tf->file))
-- 
2.43.0