epoll: fix use-after-free in eventpoll_release_file

back port upstream patch
ebe06187bf

the epi is removed from list by list_del_rcu(&epi->fllink);
under list_for_each_entry_rcu() without rcu_read_lock.

if the rcu grace-period thread free epi before next list_for_each loop,
the content of epi will be corrupted.

Change-Id: I75dbf8ada5ca4734761efe260ca6d6f85886b180
Closes-Bug: 1837430
Suggested-by: daniel.badea@windriver.com
Signed-off-by: Bin Yang <bin.yang@intel.com>

kernel/kernel-rt/centos/build_srpm.data

@@ -1,4 +1,4 @@
 COPY_LIST="files/*"
-TIS_PATCH_VER=3
+TIS_PATCH_VER=4
 BUILD_IS_BIG=11
 BUILD_IS_SLOW=12

kernel/kernel-rt/centos/meta_patches/Compile-issues.patch

@@ -1,33 +1,33 @@
-From 6fe892d415b3d728d223069eacb6f291fc38d86d Mon Sep 17 00:00:00 2001
-From: Alex Kozyrev <alex.kozyrev@windriver.com>
-Date: Mon, 29 Jul 2019 11:48:51 -0400
-Subject: [PATCH 1/1] Compile issues
+From d83caf51542ff89ffc70377d8a04d697d8fe09e3 Mon Sep 17 00:00:00 2001
+From: Bin Yang <bin.yang@intel.com>
+Date: Wed, 31 Jul 2019 14:23:20 +0800
+Subject: [PATCH 3/3] Compile issues
 
-Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
+Signed-off-by: Bin Yang <bin.yang@intel.com>
 ---
  SPECS/kernel-rt.spec | 8 ++++++++
  1 file changed, 8 insertions(+)
 
 diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
-index 3b7985c..5025db7 100644
+index e94ec2f..e6e71e4 100644
 --- a/SPECS/kernel-rt.spec
 +++ b/SPECS/kernel-rt.spec
-@@ -418,6 +418,11 @@ # DRBD was choking on write same
- Patch1028: turn-off-write-same-in-smartqpi-driver.patch
+@@ -420,6 +420,11 @@ Patch1028: turn-off-write-same-in-smartqpi-driver.patch
  Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
  Patch1030: robustify-CFS-bandwidth-timer-locking.patch
-+Patch1031: fix-compilation-issues.patch
+ Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
++Patch1032: fix-compilation-issues.patch
 +# Fix CentOS 7.6 upgrade compile error
-+Patch1032: fix-CentOS-7.6-upgrade-compile-error.patch
++Patch1033: fix-CentOS-7.6-upgrade-compile-error.patch
 +# Compile fix for disabling CONFIG_MEMCG_KMEM
-+Patch1033: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
++Patch1034: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
  
  BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
  
-@@ -781,6 +786,9 @@ ApplyPatch dpt_i2o-fix-build-warning.patch
- ApplyPatch turn-off-write-same-in-smartqpi-driver.patch
+@@ -784,6 +789,9 @@ ApplyPatch turn-off-write-same-in-smartqpi-driver.patch
  ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
  ApplyPatch robustify-CFS-bandwidth-timer-locking.patch
+ ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
 +ApplyPatch fix-compilation-issues.patch
 +ApplyPatch fix-CentOS-7.6-upgrade-compile-error.patch
 +ApplyPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
@@ -35,5 +35,5 @@ index 3b7985c..5025db7 100644
  # move off upstream version mechanism
  if [ -e localversion-rt ]; then
 -- 
-1.8.3.1
+2.7.4
 

kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch

@@ -1,18 +1,18 @@
-From 6a04eb3881ccb3c592b4b47d36bde90f1e33c598 Mon Sep 17 00:00:00 2001
-From: Alex Kozyrev <alex.kozyrev@windriver.com>
+From 2c23df3f032c68046a309e5b9f1d321438905e85 Mon Sep 17 00:00:00 2001
+From: Bin Yang <bin.yang@intel.com>
 Date: Mon, 29 Jul 2019 11:48:49 -0400
 Subject: [PATCH 2/3] Kernel source patches for TiC
 
-Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
+Signed-off-by: Bin Yang <bin.yang@intel.com>
 ---
- SPECS/kernel-rt.spec | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 64 insertions(+)
+ SPECS/kernel-rt.spec | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 66 insertions(+)
 
 diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
-index 905ae52..15114e6 100644
+index efc89cd..e94ec2f 100644
 --- a/SPECS/kernel-rt.spec
 +++ b/SPECS/kernel-rt.spec
-@@ -386,6 +386,39 @@ Source1000: modprobe-dccp-blacklist.conf
+@@ -386,6 +386,40 @@ Source1000: modprobe-dccp-blacklist.conf
  
  # Empty final patch file to facilitate testing of kernel patches
  Patch999999: linux-kernel-test.patch
@@ -49,10 +49,11 @@ index 905ae52..15114e6 100644
 +Patch1028: turn-off-write-same-in-smartqpi-driver.patch
 +Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
 +Patch1030: robustify-CFS-bandwidth-timer-locking.patch
++Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
  
  BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
  
-@@ -718,6 +751,37 @@ cp %{SOURCE38} .
+@@ -718,6 +752,38 @@ cp %{SOURCE38} .
  
  ## Apply Patches here
  ApplyPatch linux-kernel-test.patch
@@ -87,9 +88,10 @@ index 905ae52..15114e6 100644
 +ApplyPatch turn-off-write-same-in-smartqpi-driver.patch
 +ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
 +ApplyPatch robustify-CFS-bandwidth-timer-locking.patch
++ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
  
  # move off upstream version mechanism
  if [ -e localversion-rt ]; then
 -- 
-1.8.3.1
+2.7.4
 

kernel/kernel-rt/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch

@@ -0,0 +1,52 @@
+From ebe06187bf2aec10d537ce4595e416035367d703 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Tue, 17 Jun 2014 06:58:05 +0400
+Subject: [PATCH] epoll: fix use-after-free in eventpoll_release_file
+
+This fixes use-after-free of epi->fllink.next inside list loop macro.
+This loop actually releases elements in the body.  The list is
+rcu-protected but here we cannot hold rcu_read_lock because we need to
+lock mutex inside.
+
+The obvious solution is to use list_for_each_entry_safe().  RCU-ness
+isn't essential because nobody can change this list under us, it's final
+fput for this file.
+
+The bug was introduced by ae10b2b4eb01 ("epoll: optimize EPOLL_CTL_DEL
+using rcu")
+
+Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+Reported-by: Cyrill Gorcunov <gorcunov@openvz.org>
+Cc: Stable <stable@vger.kernel.org> # 3.13+
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Cc: Jason Baron <jbaron@akamai.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/eventpoll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index b73e062..b10b48c 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -910,7 +910,7 @@ static const struct file_operations eventpoll_fops = {
+ void eventpoll_release_file(struct file *file)
+ {
+ 	struct eventpoll *ep;
+-	struct epitem *epi;
++	struct epitem *epi, *next;
+ 
+ 	/*
+ 	 * We don't want to get "file->f_lock" because it is not
+@@ -926,7 +926,7 @@ void eventpoll_release_file(struct file *file)
+ 	 * Besides, ep_remove() acquires the lock, so we can't hold it here.
+ 	 */
+ 	mutex_lock(&epmutex);
+-	list_for_each_entry_rcu(epi, &file->f_ep_links, fllink) {
++	list_for_each_entry_safe(epi, next, &file->f_ep_links, fllink) {
+ 		ep = epi->ep;
+ 		mutex_lock_nested(&ep->mtx, 0);
+ 		ep_remove(ep, epi);
+-- 
+2.7.4
+

kernel/kernel-std/centos/build_srpm.data

@@ -1,4 +1,4 @@
 COPY_LIST="files/*"
-TIS_PATCH_VER=2
+TIS_PATCH_VER=3
 BUILD_IS_BIG=11
 BUILD_IS_SLOW=12

kernel/kernel-std/centos/meta_patches/Compile-issues.patch

@@ -1,34 +1,34 @@
-From 6b9579fcfb774f20f114ebc621a925d35d3aa034 Mon Sep 17 00:00:00 2001
-From: Bart Wensley <barton.wensley@windriver.com>
-Date: Tue, 9 Jul 2019 06:36:33 -0500
-Subject: [PATCH 1/1] Compile issues
+From e49a8758922e1f23c4e77dd19cf4eb1f80263763 Mon Sep 17 00:00:00 2001
+From: Bin Yang <bin.yang@intel.com>
+Date: Wed, 31 Jul 2019 10:50:03 +0800
+Subject: [PATCH 3/3] Compile issues
 
-Signed-off-by: Bart Wensley <barton.wensley@windriver.com>
+Signed-off-by: Bin Yang <bin.yang@intel.com>
 ---
  SPECS/kernel.spec | 9 +++++++++
  1 file changed, 9 insertions(+)
 
 diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
-index 3f774c2..b69967d 100644
+index 9149019..b8fb9f9 100644
 --- a/SPECS/kernel.spec
 +++ b/SPECS/kernel.spec
-@@ -489,6 +489,12 @@ Patch40024: aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
- Patch40025: dpt_i2o-fix-build-warning.patch
- # DRBD was choking on write same
+@@ -491,6 +491,12 @@ Patch40025: dpt_i2o-fix-build-warning.patch
  Patch40026: turn-off-write-same-in-smartqpi-driver.patch
+ # Fix use-after-free in eventpoll_release_file
+ Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
 +# Fix assorted compilation issues
-+Patch40027: fix-compilation-issues.patch
++Patch40028: fix-compilation-issues.patch
 +# Fix CentOS 7.6 upgrade compile error
-+Patch40028: fix-CentOS-7.6-upgrade-compile-error.patch
++Patch40029: fix-CentOS-7.6-upgrade-compile-error.patch
 +# Compile fix for disabling CONFIG_MEMCG_KMEM
-+Patch40029: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
++Patch40030: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
  
  BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
  
-@@ -859,6 +865,9 @@ ApplyOptionalPatch US103091-IMA-System-Configuration.patch
- ApplyOptionalPatch aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
+@@ -862,6 +868,9 @@ ApplyOptionalPatch aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
  ApplyOptionalPatch dpt_i2o-fix-build-warning.patch
  ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch
+ ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
 +ApplyOptionalPatch fix-compilation-issues.patch
 +ApplyOptionalPatch fix-CentOS-7.6-upgrade-compile-error.patch
 +ApplyOptionalPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
@@ -36,5 +36,5 @@ index 3f774c2..b69967d 100644
  # Any further pre-build tree manipulations happen here.
  
 -- 
-1.8.3.1
+2.7.4
 

kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch

@@ -1,18 +1,18 @@
-From d9d90b72c19c1d063272d2b84bd76c52514bf6ac Mon Sep 17 00:00:00 2001
-From: Jim Somerville <Jim.Somerville@windriver.com>
-Date: Fri, 20 Apr 2018 16:13:47 -0400
-Subject: [PATCH 2/5] Kernel source patches for TiC
+From 7191a6f784f12e295e508f105da4cfde518a64e7 Mon Sep 17 00:00:00 2001
+From: Bin Yang <bin.yang@intel.com>
+Date: Wed, 31 Jul 2019 10:49:20 +0800
+Subject: [PATCH 2/3] Kernel source patches for TiC
 
-Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+Signed-off-by: Bin Yang <bin.yang@intel.com>
 ---
- SPECS/kernel.spec | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 58 insertions(+)
+ SPECS/kernel.spec | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
 
 diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
-index eef356a..f1a0092 100644
+index 5b93a98..9149019 100644
 --- a/SPECS/kernel.spec
 +++ b/SPECS/kernel.spec
-@@ -460,6 +460,36 @@ Patch1002: debrand-rh-i686-cpu.patch
+@@ -460,6 +460,38 @@ Patch1002: debrand-rh-i686-cpu.patch
  Source30000: kernel-3.10.0-x86_64.config.tis_extra
  Source30001: ima_signing_key.pub
  
@@ -45,11 +45,13 @@ index eef356a..f1a0092 100644
 +Patch40025: dpt_i2o-fix-build-warning.patch
 +# DRBD was choking on write same
 +Patch40026: turn-off-write-same-in-smartqpi-driver.patch
++# Fix use-after-free in eventpoll_release_file
++Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
 +
  BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
  
  %description
-@@ -802,6 +832,34 @@ ApplyOptionalPatch debrand-single-cpu.patch
+@@ -802,6 +834,35 @@ ApplyOptionalPatch debrand-single-cpu.patch
  ApplyOptionalPatch debrand-rh_taint.patch
  ApplyOptionalPatch debrand-rh-i686-cpu.patch
  
@@ -80,6 +82,7 @@ index eef356a..f1a0092 100644
 +ApplyOptionalPatch aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
 +ApplyOptionalPatch dpt_i2o-fix-build-warning.patch
 +ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch
++ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
 +
  # Any further pre-build tree manipulations happen here.
  

kernel/kernel-std/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch

@@ -0,0 +1,52 @@
+From ebe06187bf2aec10d537ce4595e416035367d703 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Tue, 17 Jun 2014 06:58:05 +0400
+Subject: [PATCH] epoll: fix use-after-free in eventpoll_release_file
+
+This fixes use-after-free of epi->fllink.next inside list loop macro.
+This loop actually releases elements in the body.  The list is
+rcu-protected but here we cannot hold rcu_read_lock because we need to
+lock mutex inside.
+
+The obvious solution is to use list_for_each_entry_safe().  RCU-ness
+isn't essential because nobody can change this list under us, it's final
+fput for this file.
+
+The bug was introduced by ae10b2b4eb01 ("epoll: optimize EPOLL_CTL_DEL
+using rcu")
+
+Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+Reported-by: Cyrill Gorcunov <gorcunov@openvz.org>
+Cc: Stable <stable@vger.kernel.org> # 3.13+
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Cc: Jason Baron <jbaron@akamai.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/eventpoll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index b73e062..b10b48c 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -910,7 +910,7 @@ static const struct file_operations eventpoll_fops = {
+ void eventpoll_release_file(struct file *file)
+ {
+ 	struct eventpoll *ep;
+-	struct epitem *epi;
++	struct epitem *epi, *next;
+ 
+ 	/*
+ 	 * We don't want to get "file->f_lock" because it is not
+@@ -926,7 +926,7 @@ void eventpoll_release_file(struct file *file)
+ 	 * Besides, ep_remove() acquires the lock, so we can't hold it here.
+ 	 */
+ 	mutex_lock(&epmutex);
+-	list_for_each_entry_rcu(epi, &file->f_ep_links, fllink) {
++	list_for_each_entry_safe(epi, next, &file->f_ep_links, fllink) {
+ 		ep = epi->ep;
+ 		mutex_lock_nested(&ep->mtx, 0);
+ 		ep_remove(ep, epi);
+-- 
+2.7.4
+