First published: Wed Mar 02 2011(Updated: )
Description of problem: In several places, an epoll fd can call another file's ->f_op->poll() method with ep->mtx held. This is in general unsafe, because that other file could itself be an epoll fd that contains the original epoll fd. The code defends against this possibility in its own ->poll() method using ep_call_nested, but there are several other unsafe calls to ->poll elsewhere that can be made to deadlock. For example, the following simple program causes the call in ep_insert recursively call the original fd's ->poll, leading to deadlock References: <a href="https://lkml.org/lkml/2011/2/5/220">https://lkml.org/lkml/2011/2/5/220</a> <a href="http://seclists.org/oss-sec/2011/q1/337">http://seclists.org/oss-sec/2011/q1/337</a> Upstream commit: <a href="http://git.kernel.org/linus/22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e">http://git.kernel.org/linus/22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e</a> Acknowledgements: Red Hat would like to thank Nelson Elhage for reporting this issue.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | <2.6.38 | |
debian/linux-2.6 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.