Linux Kernel Eventpoll Busy Loop Vulnerability After Timeout

A vulnerability in the Linux kernel's eventpoll implementation can lead to an endless busy loop after a timeout expires. This issue arises when a non-zero timeout, such as 1 nanosecond, is set. The timeout typically expires before the event polling function is executed, causing the kernel to skip setting a 'timed_out' variable. This oversight can quickly escalate into a soft lockup, RCU stalls, and deadlocks, severely disrupting the entire system.

Impact

Exploitation of this vulnerability causes a soft lockup, RCU stalls, and deadlocks, leading to significant system instability.

Reproduction

The vulnerability can be reproduced by creating an epoll instance and adding a file descriptor with a non-zero timeout of 1 nanosecond. When the epoll_pwait2 function is called, the timeout usually expires before the polling operation begins, causing the kernel to enter a busy loop without properly handling the timeout expiration.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the eventpoll timeout handling to correctly set the 'timed_out' variable when a timeout expires.