From 01d775979f8df140343274de02d3aca682f12a02 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sat, 14 Jul 2012 22:09:58 +0000
Subject: [PATCH] epoll: clear the tfile_check_list on -ELOOP (CVE-2012-3375)
svn path=/dists/sid/linux/; revision=19253
---
 debian/changelog | 1 +
 ...-clear-the-tfile_check_list-on-eloop.patch | 39 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 41 insertions(+)
 create mode 100644 debian/patches/bugfix/all/epoll-clear-the-tfile_check_list-on-eloop.patch
diff --git a/debian/changelog b/debian/changelog
index 575c02822..074aca083 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -33,6 +33,7 @@ linux (3.2.23-1) UNRELEASED; urgency=low
 * linux-image: Remove versioned relations where stable version is new enough
 * udf: Improve table length check to avoid possible overflow
 * CIFS: Respect negotiated MaxMpxCount (deferred from 3.2.14)
+ * epoll: clear the tfile_check_list on -ELOOP (CVE-2012-3375)
 -- Ben Hutchings Fri, 29 Jun 2012 15:01:22 +0100
diff --git a/debian/patches/bugfix/all/epoll-clear-the-tfile_check_list-on-eloop.patch b/debian/patches/bugfix/all/epoll-clear-the-tfile_check_list-on-eloop.patch
new file mode 100644
index 000000000..d181b65b8
--- /dev/null
+++ b/debian/patches/bugfix/all/epoll-clear-the-tfile_check_list-on-eloop.patch
@@ -0,0 +1,39 @@
+From: Jason Baron
+Date: Wed, 25 Apr 2012 16:01:47 -0700
+Subject: epoll: clear the tfile_check_list on -ELOOP
+
+commit 13d518074a952d33d47c428419693f63389547e9 upstream.
+
+An epoll_ctl(,EPOLL_CTL_ADD,,) operation can return '-ELOOP' to prevent
+circular epoll dependencies from being created. However, in that case we
+do not properly clear the 'tfile_check_list'. Thus, add a call to
+clear_tfile_check_list() for the -ELOOP case.
+
+Signed-off-by: Jason Baron
+Reported-by: Yurij M. Plotnikov
+Cc: Nelson Elhage
+Cc: Davide Libenzi
+Tested-by: Alexandra N. Kossovsky
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Ben Hutchings
+---
+ fs/eventpoll.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 739b098..c0b3c70 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1663,8 +1663,10 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
+ if (op == EPOLL_CTL_ADD) {
+ if (is_file_epoll(tfile)) {
+ error = -ELOOP;
+- if (ep_loop_check(ep, tfile) != 0)
++ if (ep_loop_check(ep, tfile) != 0) {
++ clear_tfile_check_list();
+ goto error_tgt_fput;
++ }
+ } else
+ list_add(&tfile->f_tfile_llink, &tfile_check_list);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 5ce908561..cbdbce6bb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -367,3 +367,4 @@ debian/driver-core-avoid-ABI-change-for-removal-of-__must_check.patch
 bugfix/all/scsi-Silence-unnecessary-warnings-about-ioctl-to-par.patch
 bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch
+bugfix/all/epoll-clear-the-tfile_check_list-on-eloop.patch
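Review bot: The new `clear_tfile_check_list()` call in the embedded fs/eventpoll.c hunk covers only the `-ELOOP` exit of the `EPOLL_CTL_ADD` branch, while the `else` arm two lines below still does `list_add(&tfile->f_tfile_llink, &tfile_check_list)` and the hunk does not show where those entries are removed if a later step fails. The body of epoll_ctl starts and ends outside the hunk, so it is worth confirming that every path leaving the function after this block empties the list, because a list left populated on an error exit is exactly what this CVE fix corrects. A short comment at the new call would keep that invariant visible to the next person adding an exit path, for example `/* ep_loop_check() may have queued files on tfile_check_list; empty it before bailing out */` (the queuing behaviour is inferred from the patch description, so verify it against ep_loop_check before committing the wording).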