Re: [PATCH v3] eventpoll: fix use-after-free in clear_tfile_check_list()

[Deepanshu Kartikey]

On Fri, May 29, 2026 at 6:42 PM Deepanshu Kartikey
<kartikey406@xxxxxxxxx> wrote:
>
> syzbot reports a slab-use-after-free read in clear_tfile_check_list()
> during EPOLL_CTL_ADD when ep_insert() takes an error path that calls
> ep_remove() before do_epoll_ctl_file() drains ctx->tfile_check_list.
>
> ep_remove_file() decides whether to kmem_cache_free() a struct
> epitems_head by testing v->next == NULL, on the convention that NULL
> means "this head is not linked on any check list". list_file() pushes
> a head onto ctx->tfile_check_list by storing the previous list head
> into head->next; when the list is empty that store is NULL, so the
> head that ends up at the tail of the check list also has next == NULL.
> ep_remove_file() then misreads the tail as "not linked" and frees it.
> clear_tfile_check_list() later walks the list and dereferences
> head->next on the freed object:
>
>   BUG: KASAN: slab-use-after-free in
>        clear_tfile_check_list+0x114/0x380 fs/eventpoll.c:2443
>   Allocated by task 5985:
>     ep_attach_file fs/eventpoll.c:1751 [inline]
>     ep_register_epitem fs/eventpoll.c:1833 [inline]
>     ep_insert+0x512/0x1820 fs/eventpoll.c:1876
>   Freed by task 5985:
>     ep_remove+0x155/0x2a0 fs/eventpoll.c:1135
>     ep_insert+0x1372/0x1820
>
> Terminate ctx->tfile_check_list with EP_UNACTIVE_PTR (the existing
> non-NULL sentinel used elsewhere in this file for inactive list
> slots) so that next == NULL unambiguously means "not on any check
> list". list_file() stores the sentinel when the list is empty,
> reverse_path_check() and clear_tfile_check_list() stop the walk on
> the sentinel, and do_epoll_ctl_file() seeds ctx->tfile_check_list
> with it. The guard in ep_remove_file() then correctly refuses to
> free a head while it remains on the check list.
>
> Reported-by: syzbot+69a3d7738ad3aa175caf@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=69a3d7738ad3aa175caf
> Link: https://lore.kernel.org/all/20260523091107.61880-1-kartikey406@xxxxxxxxx/T/ [v1]
> Link: https://lore.kernel.org/all/20260529042507.87593-1-kartikey406@xxxxxxxxx/T/ [v2]
> Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
> ---
> v3: Drop the (struct epitems_head *) casts on EP_UNACTIVE_PTR.
>     void * converts implicitly to typed pointers in C; the casts
>     were noise.
> v2: Reuse the existing EP_UNACTIVE_PTR sentinel instead of adding a
>     new EP_TFILE_LIST_END define, per review feedback.
> ---
>  fs/eventpoll.c | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/fs/eventpoll.c b/fs/eventpoll.c
> index a569e98d4a99..1756c5f489a0 100644
> --- a/fs/eventpoll.c
> +++ b/fs/eventpoll.c
> @@ -472,7 +472,13 @@ static void list_file(struct file *file, struct ep_ctl_ctx *ctx)
>
>         head = container_of(file->f_ep, struct epitems_head, epitems);
>         if (!head->next) {
> -               head->next = ctx->tfile_check_list;
> +               /*
> +                * Terminate the check list with EP_UNACTIVE_PTR (non-NULL)
> +                * so that head->next == NULL unambiguously means "not on
> +                * any check list". ep_remove_file() relies on that
> +                * invariant to decide whether the head is safe to free.
> +                */
> +               head->next = ctx->tfile_check_list ? : EP_UNACTIVE_PTR;
>                 ctx->tfile_check_list = head;
>         }
>  }
> @@ -1685,7 +1691,7 @@ static int reverse_path_check(struct ep_ctl_ctx *ctx)
>  {
>         struct epitems_head *p;
>
> -       for (p = ctx->tfile_check_list; p; p = p->next) {
> +       for (p = ctx->tfile_check_list; p != EP_UNACTIVE_PTR; p = p->next) {
>                 int error;
>                 path_count_init(ctx);
>                 rcu_read_lock();
> @@ -2438,11 +2444,12 @@ static int ep_loop_check(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
>  static void clear_tfile_check_list(struct ep_ctl_ctx *ctx)
>  {
>         rcu_read_lock();
> -       while (ctx->tfile_check_list) {
> +       while (ctx->tfile_check_list != EP_UNACTIVE_PTR) {
>                 struct epitems_head *head = ctx->tfile_check_list;
>                 ctx->tfile_check_list = head->next;
>                 unlist_file(head);
>         }
> +       ctx->tfile_check_list = EP_UNACTIVE_PTR;
>         rcu_read_unlock();
>  }
>
> @@ -2601,7 +2608,7 @@ int do_epoll_ctl_file(struct file *f, int op, struct epoll_key *tf,
>         int full_check;
>         struct eventpoll *ep;
>         struct epitem *epi;
> -       struct ep_ctl_ctx ctx = { };
> +       struct ep_ctl_ctx ctx = { .tfile_check_list = EP_UNACTIVE_PTR };
>
>         /* The target file descriptor must support poll */
>         if (!file_can_poll(tf->file))
> --
> 2.43.0
>

Hi Christian,

Gentle reminder on this patch. Please let me know if anything else
needed from my side

Thanks

Deepanshu