[PATCH v2] eventpoll: fix use-after-free in clear_tfile_check_list()
From: Deepanshu Kartikey
Date: Fri May 29 2026 - 00:26:18 EST
syzbot reports a slab-use-after-free read in clear_tfile_check_list()
during EPOLL_CTL_ADD when ep_insert() takes an error path that calls
ep_remove() before do_epoll_ctl_file() drains ctx->tfile_check_list.
ep_remove_file() decides whether to kmem_cache_free() a struct
epitems_head by testing v->next == NULL, on the convention that NULL
means "this head is not linked on any check list". list_file() pushes
a head onto ctx->tfile_check_list by storing the previous list head
into head->next; when the list is empty that store is NULL, so the
head that ends up at the tail of the check list also has next == NULL.
ep_remove_file() then misreads the tail as "not linked" and frees it.
clear_tfile_check_list() later walks the list and dereferences
head->next on the freed object:
BUG: KASAN: slab-use-after-free in
clear_tfile_check_list+0x114/0x380 fs/eventpoll.c:2443
Allocated by task 5985:
ep_attach_file fs/eventpoll.c:1751 [inline]
ep_register_epitem fs/eventpoll.c:1833 [inline]
ep_insert+0x512/0x1820 fs/eventpoll.c:1876
Freed by task 5985:
ep_remove+0x155/0x2a0 fs/eventpoll.c:1135
ep_insert+0x1372/0x1820
Terminate ctx->tfile_check_list with EP_UNACTIVE_PTR (the existing
non-NULL sentinel used elsewhere in this file for inactive list
slots) so that next == NULL unambiguously means "not on any check
list". list_file() stores the sentinel when the list is empty,
reverse_path_check() and clear_tfile_check_list() stop the walk on
the sentinel, and do_epoll_ctl_file() seeds ctx->tfile_check_list
with it. The guard in ep_remove_file() then correctly refuses to
free a head while it remains on the check list.
Reported-by: syzbot+69a3d7738ad3aa175caf@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=69a3d7738ad3aa175caf
Link: https://lore.kernel.org/all/20260523091107.61880-1-kartikey406@xxxxxxxxx/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
---
v2: Reuse the existing EP_UNACTIVE_PTR sentinel instead of adding a
new EP_TFILE_LIST_END define, per review feedback.
---
fs/eventpoll.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index a569e98d4a99..2fc3b14d7ab2 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -472,7 +472,13 @@ static void list_file(struct file *file, struct ep_ctl_ctx *ctx)
head = container_of(file->f_ep, struct epitems_head, epitems);
if (!head->next) {
- head->next = ctx->tfile_check_list;
+ /*
+ * Terminate the check list with EP_UNACTIVE_PTR (non-NULL)
+ * so that head->next == NULL unambiguously means "not on
+ * any check list". ep_remove_file() relies on that
+ * invariant to decide whether the head is safe to free.
+ */
+ head->next = ctx->tfile_check_list ? : (struct epitems_head *)EP_UNACTIVE_PTR;
ctx->tfile_check_list = head;
}
}
@@ -1685,7 +1691,7 @@ static int reverse_path_check(struct ep_ctl_ctx *ctx)
{
struct epitems_head *p;
- for (p = ctx->tfile_check_list; p; p = p->next) {
+ for (p = ctx->tfile_check_list; p != (struct epitems_head *)EP_UNACTIVE_PTR; p = p->next) {
int error;
path_count_init(ctx);
rcu_read_lock();
@@ -2438,11 +2444,12 @@ static int ep_loop_check(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
static void clear_tfile_check_list(struct ep_ctl_ctx *ctx)
{
rcu_read_lock();
- while (ctx->tfile_check_list) {
+ while (ctx->tfile_check_list != (struct epitems_head *)EP_UNACTIVE_PTR) {
struct epitems_head *head = ctx->tfile_check_list;
ctx->tfile_check_list = head->next;
unlist_file(head);
}
+ ctx->tfile_check_list = (struct epitems_head *)EP_UNACTIVE_PTR;
rcu_read_unlock();
}
@@ -2601,7 +2608,8 @@ int do_epoll_ctl_file(struct file *f, int op, struct epoll_key *tf,
int full_check;
struct eventpoll *ep;
struct epitem *epi;
- struct ep_ctl_ctx ctx = { };
+ struct ep_ctl_ctx ctx = {.tfile_check_list =
+ (struct epitems_head *)EP_UNACTIVE_PTR };
/* The target file descriptor must support poll */
if (!file_can_poll(tf->file))
--
2.43.0