[PATCH 2/3] do_epoll_ctl(): clean the failure exits up a bit
Tim Gardner
tim.gardner at canonical.com
Tue Mar 2 19:56:38 UTC 2021
From: Al Viro <viro at zeniv.linux.org.uk>
CVE-2020-0466
commit 52c479697c9b73f628140dcdfcd39ea302d05482 upstream.
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
Signed-off-by: Marc Zyngier <maz at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
(cherry picked from commit 42694912aaf1d7fa426bd02b0b313f05601b6488 linux-5.4.y)
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
v2: Added linux-5.4.y to the cherry picked line.
---
fs/eventpoll.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 1676b8b25074..74fa6dc98c8b 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -2181,10 +2181,8 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
full_check = 1;
if (is_file_epoll(tf.file)) {
error = -ELOOP;
- if (ep_loop_check(ep, tf.file) != 0) {
- clear_tfile_check_list();
+ if (ep_loop_check(ep, tf.file) != 0)
goto error_tgt_fput;
- }
} else {
get_file(tf.file);
list_add(&tf.file->f_tfile_llink,
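Review bot: With the local `clear_tfile_check_list()` removed, the -ELOOP exit at `goto error_tgt_fput` is cleaned up only because `full_check = 1` is assigned at the top of this hunk, before `ep_loop_check()` runs, and nothing at the branch says so. A one-line comment on the goto, such as `/* tfile_check_list is emptied at error_tgt_fput (full_check is set) */`, would keep a later edit from adding an exit that leaves entries on the list. The `else` branch has the same dependency: `get_file()` takes a reference that is presumably dropped only when the list is cleared. do_epoll_ctl() begins and ends outside this hunk.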
@@ -2222,8 +2220,6 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
error = ep_insert(ep, epds, tf.file, fd, full_check);
} else
error = -EEXIST;
- if (full_check)
- clear_tfile_check_list();
break;
case EPOLL_CTL_DEL:
if (epi)
@@ -2246,8 +2242,10 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
mutex_unlock(&ep->mtx);
error_tgt_fput:
- if (full_check)
+ if (full_check) {
+ clear_tfile_check_list();
mutex_unlock(&epmutex);
+ }
fdput(tf);
error_fput:
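Review bot: The order inside the new braces at `error_tgt_fput` matters and is not documented. `clear_tfile_check_list()` has to run before `mutex_unlock(&epmutex)`, because the list appears to be guarded by that mutex: the first hunk adds to it only after `full_check` is set, and the unlock here is gated on the same flag. I would add `/* tear down tfile_check_list while epmutex is still held */` above the call. This exit is now the only place in the visible hunks where the list is emptied, so both clears removed earlier in the patch depend on it. The function body continues past `error_fput:` outside the hunk.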
--
2.17.1