mirrors/linux
2
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-05-16 10:11:38 -04:00
Code Issues Packages Projects Releases Wiki Activity

eventpoll: drop dead bool return from ep_remove_epi()

Browse Source 
ep_remove_epi() always returns true -- the "can be disposed"
answer was meaningful back when the dying-check lived inside the
pre-split __ep_remove(), but after that check moved to ep_remove()
the return value is just noise. Both callers gate on it
unconditionally:

  if (ep_remove_epi(ep, epi))
      WARN_ON_ONCE(ep_refcount_dec_and_test(ep));

  dispose = ep_remove_epi(ep, epi);
  ...
  if (dispose && ep_refcount_dec_and_test(ep))
      ep_free(ep);

Make ep_remove_epi() return void, drop the dispose local in
eventpoll_release_file(), and the useless conditionals at both
callers. No functional change.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-9-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
This commit is contained in:
Christian Brauner
2026-04-23 11:56:12 +02:00
parent 33e92e9ecf
commit 3a4551ea9c
1 changed files with 5 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
fs/eventpoll.c
View File

@@ -882,7 +882,7 @@ static void ep_remove_file(struct eventpoll *ep, struct epitem *epi,
free_ephead(to_free);
}
static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
static void ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
{
lockdep_assert_held(&ep->mtx);
@@ -904,7 +904,6 @@ static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
kfree_rcu(epi, rcu);
percpu_counter_dec(&ep->user->epoll_watches);
return true;
}
/*
@@ -932,9 +931,8 @@ static void ep_remove(struct eventpoll *ep, struct epitem *epi)
return;
ep_remove_file(ep, epi, file);
if (ep_remove_epi(ep, epi))
WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
ep_remove_epi(ep, epi);
WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
}
static void ep_clear_and_put(struct eventpoll *ep)
@@ -1126,7 +1124,6 @@ void eventpoll_release_file(struct file *file)
{
struct eventpoll *ep;
struct epitem *epi;
bool dispose;
/*
* Use the 'dying' flag to prevent a concurrent ep_clear_and_put() from
@@ -1150,11 +1147,11 @@ void eventpoll_release_file(struct file *file)
ep_unregister_pollwait(ep, epi);
ep_remove_file(ep, epi, file);
dispose = ep_remove_epi(ep, epi);
ep_remove_epi(ep, epi);
mutex_unlock(&ep->mtx);
if (dispose && ep_refcount_dec_and_test(ep))
if (ep_refcount_dec_and_test(ep))
ep_free(ep);
goto again;
}