eventpoll: drop dead bool return from ep_remove_epi()

ep_remove_epi() always returns true -- the "can be disposed"
answer was meaningful back when the dying-check lived inside the
pre-split __ep_remove(), but after that check moved to ep_remove()
the return value is just noise. Both callers gate on it
unconditionally:

  if (ep_remove_epi(ep, epi))
      WARN_ON_ONCE(ep_refcount_dec_and_test(ep));

  dispose = ep_remove_epi(ep, epi);
  ...
  if (dispose && ep_refcount_dec_and_test(ep))
      ep_free(ep);

Make ep_remove_epi() return void, drop the dispose local in
eventpoll_release_file(), and the useless conditionals at both
callers. No functional change.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-9-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 3f99ff54626f1991f3626de4ccc7cfbc13050be5..eeaadb000eee04224e670819878b061e277f401a 100644 (file)
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -882,7 +882,7 @@ static void ep_remove_file(struct eventpoll *ep, struct epitem *epi,
        free_ephead(to_free);
 }
 
-static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
+static void ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
 {
        lockdep_assert_held(&ep->mtx);
 
@@ -904,7 +904,6 @@ static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
        kfree_rcu(epi, rcu);
 
        percpu_counter_dec(&ep->user->epoll_watches);
-       return true;
 }
 
 /*
@@ -932,9 +931,8 @@ static void ep_remove(struct eventpoll *ep, struct epitem *epi)
                return;
 
        ep_remove_file(ep, epi, file);
-
-       if (ep_remove_epi(ep, epi))
-               WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
+       ep_remove_epi(ep, epi);
+       WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
 }
 
 static void ep_clear_and_put(struct eventpoll *ep)
@@ -1126,7 +1124,6 @@ void eventpoll_release_file(struct file *file)
 {
        struct eventpoll *ep;
        struct epitem *epi;
-       bool dispose;
 
        /*
         * Use the 'dying' flag to prevent a concurrent ep_clear_and_put() from
@@ -1150,11 +1147,11 @@ again:
                ep_unregister_pollwait(ep, epi);
 
                ep_remove_file(ep, epi, file);
-               dispose = ep_remove_epi(ep, epi);
+               ep_remove_epi(ep, epi);
 
                mutex_unlock(&ep->mtx);
 
-               if (dispose && ep_refcount_dec_and_test(ep))
+               if (ep_refcount_dec_and_test(ep))
                        ep_free(ep);
                goto again;
        }