Unverified Commit 3a4551ea authored by Christian Brauner's avatar Christian Brauner

eventpoll: drop dead bool return from ep_remove_epi()

ep_remove_epi() always returns true -- the "can be disposed"
answer was meaningful back when the dying-check lived inside the
pre-split __ep_remove(), but after that check moved to ep_remove()
the return value is just noise. Both callers gate on it
unconditionally:

  if (ep_remove_epi(ep, epi))
      WARN_ON_ONCE(ep_refcount_dec_and_test(ep));

  dispose = ep_remove_epi(ep, epi);
  ...
  if (dispose && ep_refcount_dec_and_test(ep))
      ep_free(ep);

Make ep_remove_epi() return void, drop the dispose local in
eventpoll_release_file(), and the useless conditionals at both
callers. No functional change.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-9-2470f9eec0f5@kernel.org


Signed-off-by: default avatarChristian Brauner (Amutable) <brauner@kernel.org>
parent 33e92e9e
+5 −8
@@ -882,7 +882,7 @@ static void ep_remove_file(struct eventpoll *ep, struct epitem *epi,
	free_ephead(to_free);
}

static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
static void ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
{
	lockdep_assert_held(&ep->mtx);

@@ -904,7 +904,6 @@ static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
	kfree_rcu(epi, rcu);

	percpu_counter_dec(&ep->user->epoll_watches);
	return true;
}

/*
@@ -932,8 +931,7 @@ static void ep_remove(struct eventpoll *ep, struct epitem *epi)
		return;

	ep_remove_file(ep, epi, file);

	if (ep_remove_epi(ep, epi))
	ep_remove_epi(ep, epi);
	WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
}

@@ -1126,7 +1124,6 @@ void eventpoll_release_file(struct file *file)
{
	struct eventpoll *ep;
	struct epitem *epi;
	bool dispose;

	/*
	 * Use the 'dying' flag to prevent a concurrent ep_clear_and_put() from
@@ -1150,11 +1147,11 @@ void eventpoll_release_file(struct file *file)
		ep_unregister_pollwait(ep, epi);

		ep_remove_file(ep, epi, file);
		dispose = ep_remove_epi(ep, epi);
		ep_remove_epi(ep, epi);

		mutex_unlock(&ep->mtx);

		if (dispose && ep_refcount_dec_and_test(ep))
		if (ep_refcount_dec_and_test(ep))
			ep_free(ep);
		goto again;
	}
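Review bot: With the bool return gone, nothing at the definition of ep_remove_epi() tells a caller that it must still drop a reference on ep afterwards; both call sites shown here do so through ep_refcount_dec_and_test(ep), but the pairing is now held together only by convention. A one-line comment above the definition would record it, for example `/* Caller must follow up with ep_refcount_dec_and_test(ep). */`. In ep_remove() the decrement now sits unconditionally inside WARN_ON_ONCE(), while eventpoll_release_file() treats the same zero result as the normal trigger for ep_free(); a short comment at the WARN saying why reaching zero is unexpected on that path (presumably the caller still holds its own reference, to be confirmed) would make the asymmetry reviewable. The bodies of ep_remove_epi() and eventpoll_release_file() extend outside the visible hunks, so any existing comment that still describes the old "can be disposed" return value should be checked and updated in the same change.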