Unverified Commit e9e5cd40 authored by Christian Brauner's avatar Christian Brauner
Browse files

eventpoll: kill __ep_remove() 

Remove the boolean conditional in __ep_remove() and restructure the code
so the check for racing with eventpoll_release_file() are only done in
the ep_remove_safe() path where they belong.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-3-2470f9eec0f5@kernel.org


Signed-off-by: default avatarChristian Brauner (Amutable) <brauner@kernel.org>
parent 0f7bdfd4

fs/eventpoll.c

+30 −37
Original line number Diff line number Diff line
@@ -826,49 +826,18 @@ static void ep_free(struct eventpoll *ep) 
	kfree_rcu(ep, rcu);

}



static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi, struct file *file);

static bool __ep_remove_epi(struct eventpoll *ep, struct epitem *epi);



/*

 * Removes a "struct epitem" from the eventpoll RB tree and deallocates

 * all the associated resources. Must be called with "mtx" held.

 * If the dying flag is set, do the removal only if force is true.

 * This prevents ep_clear_and_put() from dropping all the ep references

 * while running concurrently with eventpoll_release_file().

 * Returns true if the eventpoll can be disposed.

 */

static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)

{

	struct file *file = epi->ffd.file;



	lockdep_assert_irqs_enabled();



	/*

	 * Removes poll wait queue hooks.

	 */

	ep_unregister_pollwait(ep, epi);



	/* Remove the current item from the list of epoll hooks */

	spin_lock(&file->f_lock);

	if (epi->dying && !force) {

		spin_unlock(&file->f_lock);

		return false;

	}



	__ep_remove_file(ep, epi, file);

	return __ep_remove_epi(ep, epi);

}



/*

 * Called with &file->f_lock held,

 * returns with it released

 */

static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi, struct file *file)

static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi,

			     struct file *file)

{

	struct epitems_head *to_free = NULL;

	struct hlist_head *head = file->f_ep;



	lockdep_assert_held(&ep->mtx);

	lockdep_assert_held(&file->f_lock);



	if (hlist_is_singular_node(&epi->fllink, head)) {

		/* See eventpoll_release() for details. */
@@ -915,7 +884,25 @@ static bool __ep_remove_epi(struct eventpoll *ep, struct epitem *epi) 
 */

static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi)

{

	if (__ep_remove(ep, epi, false))

	struct file *file = epi->ffd.file;



	lockdep_assert_irqs_enabled();

	lockdep_assert_held(&ep->mtx);



	ep_unregister_pollwait(ep, epi);



	/* sync with eventpoll_release_file() */

	if (unlikely(READ_ONCE(epi->dying)))

		return;



	spin_lock(&file->f_lock);

	if (epi->dying) {

		spin_unlock(&file->f_lock);

		return;

	}

	__ep_remove_file(ep, epi, file);



	if (__ep_remove_epi(ep, epi))

		WARN_ON_ONCE(ep_refcount_dec_and_test(ep));

}
@@ -1147,7 +1134,7 @@ void eventpoll_release_file(struct file *file) 
	spin_lock(&file->f_lock);

	if (file->f_ep && file->f_ep->first) {

		epi = hlist_entry(file->f_ep->first, struct epitem, fllink);

		epi->dying = true;

		WRITE_ONCE(epi->dying, true);

		spin_unlock(&file->f_lock);



		/*
@@ -1156,7 +1143,13 @@ void eventpoll_release_file(struct file *file) 
		 */

		ep = epi->ep;

		mutex_lock(&ep->mtx);

		dispose = __ep_remove(ep, epi, true);



		ep_unregister_pollwait(ep, epi);



		spin_lock(&file->f_lock);

		__ep_remove_file(ep, epi, file);

		dispose = __ep_remove_epi(ep, epi);



		mutex_unlock(&ep->mtx);



		if (dispose && ep_refcount_dec_and_test(ep))