fix regression in "epoll: Keep a reference on files added to the check list"

[ Upstream commit 77f4689de17c0887775bb77896f4cc11a39bf848 ]

epoll_loop_check_proc() can run into a file already committed to destruction;
we can't grab a reference on those and don't need to add them to the set for
reverse path check anyway.

Mot-CRs-fixed: (CR)
CVE-Fixed: CVE-2020-0466
Bug: 147802478

Change-Id: I24d3b8c878f5ef49f9ff5922d2364b59844fd8b8
Tested-by: Marc Zyngier <maz@kernel.org>
Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Jignesh Patel <jignesh@motorola.com>
Reviewed-on: https://gerrit.mot.com/1796974
SLTApproved: Slta Waiver
SME-Granted: SME Approvals Granted
Tested-by: Jira Key
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>
Submit-Approved: Jira Key

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index e6fd4b9874a39ad9e96e1b7c2a84d9d9abb40ba4..a10c6081e48fd953c5a86731c6047c5e8dcb96bf 100644 (file)
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1903,9 +1903,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
                         * during ep_insert().
                         */
                        if (list_empty(&epi->ffd.file->f_tfile_llink)) {
-                               get_file(epi->ffd.file);
-                               list_add(&epi->ffd.file->f_tfile_llink,
-                                        &tfile_check_list);
+                               if (get_file_rcu(epi->ffd.file))
+                                       list_add(&epi->ffd.file->f_tfile_llink,
+                                                &tfile_check_list);
                        }
                }
        }