fix regression in "epoll: Keep a reference on files added to the check list"

[ Upstream commit 77f4689de17c0887775bb77896f4cc11a39bf848 ]

epoll_loop_check_proc() can run into a file already committed to destruction;
we can't grab a reference on those and don't need to add them to the set for
reverse path check anyway.

Mot-CRs-fixed: (CR)
CVE-Fixed: CVE-2021-1048

Change-Id: I8cb3c5c466ef0169ebc466125a516e305f91682c
Tested-by: Marc Zyngier <maz@kernel.org>
Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Gajjala Chakradhar <gajjalac@motorola.com>
Reviewed-on: https://gerrit.mot.com/2123625
SME-Granted: SME Approvals Granted
SLTApproved: Slta Waiver
Tested-by: Jira Key
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>
Submit-Approved: Jira Key
(cherry picked from commit 007a0c2ffdb9096bcc99f0a49da67ad8e2e114bf)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index e6fd4b9874a39ad9e96e1b7c2a84d9d9abb40ba4..a10c6081e48fd953c5a86731c6047c5e8dcb96bf 100644 (file)
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1903,9 +1903,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
                         * during ep_insert().
                         */
                        if (list_empty(&epi->ffd.file->f_tfile_llink)) {
-                               get_file(epi->ffd.file);
-                               list_add(&epi->ffd.file->f_tfile_llink,
-                                        &tfile_check_list);
+                               if (get_file_rcu(epi->ffd.file))
+                                       list_add(&epi->ffd.file->f_tfile_llink,
+                                                &tfile_check_list);
                        }
                }
        }