Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in clear_tfile_check_list

Next message: Martin K. Petersen: "Re: [PATCH v2] scsi: hisi_sas: Add slave_destroy interface for v3 hw"
Previous message: arash golgol: "Re: [PATCH 14/16] media: sun6i-isp: Use V4L2 subdev active state"
In reply to: syzbot: "[syzbot] [fs?] KASAN: slab-use-after-free Read in clear_tfile_check_list"
Next in thread: syzbot: "Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in clear_tfile_check_list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Edward Adam Davis

Date: Fri May 22 2026 - 23:23:07 EST

#syz test

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index a569e98d4a99..b2fb707e06aa 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1839,9 +1839,6 @@ static int ep_register_epitem(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
return error;
}

- if (full_check && !tep)
- list_file(tfile, ctx);
-
ep_rbtree_insert(ep, epi);

if (tep)
@@ -1863,6 +1860,7 @@ static int ep_insert(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
struct epitem *epi;
struct ep_pqueue epq;
struct eventpoll *tep = NULL;
+ struct file *tfile;

if (is_file_epoll(tf->file))
tep = tf->file->private_data;
@@ -1873,6 +1871,7 @@ static int ep_insert(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
if (IS_ERR(epi))
return PTR_ERR(epi);

+ tfile = epi->ffd.file;
error = ep_register_epitem(ctx, ep, epi, tep, full_check);
if (error)
return error;
@@ -1910,6 +1909,9 @@ static int ep_insert(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
return -ENOMEM;
}

+ if (full_check && !tep)
+ list_file(tfile, ctx);
+
/* Drop the new item onto the ready list if it is already ready. */
spin_lock_irq(&ep->lock);