signalfd: use wake_up_pollfree()

jira VULN-63551
cve-pre CVE-2021-47505
commit-author Eric Biggers <[email protected]>
commit 9537bae

wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
all exclusive waiters.  Yet, POLLFREE *must* wake up all waiters.  epoll
and aio poll are fortunately not affected by this, but it's very
fragile.  Thus, the new function wake_up_pollfree() has been introduced.

Convert signalfd to use wake_up_pollfree().

	Reported-by: Linus Torvalds <[email protected]>
Fixes: d80e731 ("epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()")
	Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
	Signed-off-by: Eric Biggers <[email protected]>
(cherry picked from commit 9537bae)
	Signed-off-by: Brett Mastbergen <[email protected]>

Author: bmastbergen

fs/signalfd.c

@@ -35,17 +35,7 @@
 
 void signalfd_cleanup(struct sighand_struct *sighand)
 {
-	wait_queue_head_t *wqh = &sighand->signalfd_wqh;
-	/*
-	 * The lockless check can race with remove_wait_queue() in progress,
-	 * but in this case its caller should run under rcu_read_lock() and
-	 * sighand_cachep is SLAB_TYPESAFE_BY_RCU, we can safely return.
-	 */
-	if (likely(!waitqueue_active(wqh)))
-		return;
-
-	/* wait_queue_entry_t->func(POLLFREE) should do remove_wait_queue() */
-	wake_up_poll(wqh, EPOLLHUP | POLLFREE);
+	wake_up_pollfree(&sighand->signalfd_wqh);
 }
 
 struct signalfd_ctx {