[PATCH 3/3] fix regression in "epoll: Keep a reference on files added to the check list"

Tim Gardner tim.gardner at canonical.com
Tue Mar 2 19:56:39 UTC 2021


From: Al Viro <viro at zeniv.linux.org.uk>

CVE-2020-0466

[ Upstream commit 77f4689de17c0887775bb77896f4cc11a39bf848 ]

epoll_loop_check_proc() can run into a file already committed to destruction;
we can't grab a reference on those and don't need to add them to the set for
reverse path check anyway.

Tested-by: Marc Zyngier <maz at kernel.org>
Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal at kernel.org>
(cherry picked from commit 88405cf0f2bd771670b76c42b169527ff86048da linux-5.4.y)
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
 fs/eventpoll.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 74fa6dc98c8b..e8730acb3fea 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1973,9 +1973,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
 			 * during ep_insert().
 			 */
 			if (list_empty(&epi->ffd.file->f_tfile_llink)) {
-				get_file(epi->ffd.file);
-				list_add(&epi->ffd.file->f_tfile_llink,
-					 &tfile_check_list);
+				if (get_file_rcu(epi->ffd.file))
+					list_add(&epi->ffd.file->f_tfile_llink,
+						 &tfile_check_list);
 			}
 		}
 	}
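Review bot: The new `if (get_file_rcu(epi->ffd.file))` in front of the `list_add()` call silently skips the file when no reference can be taken, but the comment block directly above still only describes the add-to-list case. A sentence there saying that a file already committed to destruction is skipped on purpose, because it does not need to be in the set for the reverse path check, would keep a later reader from treating the missing else branch as an oversight. The visible context also does not show what keeps `epi->ffd.file` valid while `get_file_rcu()` examines its count; naming that in the same comment would make the hunk reviewable on its own.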
-- 
2.17.1



