eventpoll: kill __ep_remove()

Remove the boolean conditional in __ep_remove() and restructure the code
so the check for racing with eventpoll_release_file() are only done in
the ep_remove_safe() path where they belong.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-3-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 27839a4446be7ff381211f676f24eb54b18fccf7..aae1ef7a3f16ba6893eb1204e37fede68c8c72ca 100644 (file)
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -826,49 +826,18 @@ static void ep_free(struct eventpoll *ep)
        kfree_rcu(ep, rcu);
 }
 
-static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi, struct file *file);
-static bool __ep_remove_epi(struct eventpoll *ep, struct epitem *epi);
-
-/*
- * Removes a "struct epitem" from the eventpoll RB tree and deallocates
- * all the associated resources. Must be called with "mtx" held.
- * If the dying flag is set, do the removal only if force is true.
- * This prevents ep_clear_and_put() from dropping all the ep references
- * while running concurrently with eventpoll_release_file().
- * Returns true if the eventpoll can be disposed.
- */
-static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
-{
-       struct file *file = epi->ffd.file;
-
-       lockdep_assert_irqs_enabled();
-
-       /*
-        * Removes poll wait queue hooks.
-        */
-       ep_unregister_pollwait(ep, epi);
-
-       /* Remove the current item from the list of epoll hooks */
-       spin_lock(&file->f_lock);
-       if (epi->dying && !force) {
-               spin_unlock(&file->f_lock);
-               return false;
-       }
-
-       __ep_remove_file(ep, epi, file);
-       return __ep_remove_epi(ep, epi);
-}
-
 /*
  * Called with &file->f_lock held,
  * returns with it released
  */
-static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi, struct file *file)
+static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi,
+                            struct file *file)
 {
        struct epitems_head *to_free = NULL;
        struct hlist_head *head = file->f_ep;
 
        lockdep_assert_held(&ep->mtx);
+       lockdep_assert_held(&file->f_lock);
 
        if (hlist_is_singular_node(&epi->fllink, head)) {
                /* See eventpoll_release() for details. */
@@ -915,7 +884,25 @@ static bool __ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
  */
 static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi)
 {
-       if (__ep_remove(ep, epi, false))
+       struct file *file = epi->ffd.file;
+
+       lockdep_assert_irqs_enabled();
+       lockdep_assert_held(&ep->mtx);
+
+       ep_unregister_pollwait(ep, epi);
+
+       /* sync with eventpoll_release_file() */
+       if (unlikely(READ_ONCE(epi->dying)))
+               return;
+
+       spin_lock(&file->f_lock);
+       if (epi->dying) {
+               spin_unlock(&file->f_lock);
+               return;
+       }
+       __ep_remove_file(ep, epi, file);
+
+       if (__ep_remove_epi(ep, epi))
                WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
 }
 
@@ -1147,7 +1134,7 @@ again:
        spin_lock(&file->f_lock);
        if (file->f_ep && file->f_ep->first) {
                epi = hlist_entry(file->f_ep->first, struct epitem, fllink);
-               epi->dying = true;
+               WRITE_ONCE(epi->dying, true);
                spin_unlock(&file->f_lock);
 
                /*
@@ -1156,7 +1143,13 @@ again:
                 */
                ep = epi->ep;
                mutex_lock(&ep->mtx);
-               dispose = __ep_remove(ep, epi, true);
+
+               ep_unregister_pollwait(ep, epi);
+
+               spin_lock(&file->f_lock);
+               __ep_remove_file(ep, epi, file);
+               dispose = __ep_remove_epi(ep, epi);
+
                mutex_unlock(&ep->mtx);
 
                if (dispose && ep_refcount_dec_and_test(ep))