From: Christian Brauner <brauner@kernel.org>
Date: Thu, 23 Apr 2026 09:56:12 +0000 (+0200)
Subject: eventpoll: drop dead bool return from ep_remove_epi()
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3a4551ea9c042502019b1d8a986e962cb9015366;p=thirdparty%2Fkernel%2Fstable.git

eventpoll: drop dead bool return from ep_remove_epi()

ep_remove_epi() always returns true -- the "can be disposed"
answer was meaningful back when the dying-check lived inside the
pre-split __ep_remove(), but after that check moved to ep_remove()
the return value is just noise. Both callers gate on it
unconditionally:

  if (ep_remove_epi(ep, epi))
      WARN_ON_ONCE(ep_refcount_dec_and_test(ep));

  dispose = ep_remove_epi(ep, epi);
  ...
  if (dispose && ep_refcount_dec_and_test(ep))
      ep_free(ep);

Make ep_remove_epi() return void, drop the dispose local in
eventpoll_release_file(), and the useless conditionals at both
callers. No functional change.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-9-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
---

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 3f99ff54626f..eeaadb000eee 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -882,7 +882,7 @@ static void ep_remove_file(struct eventpoll *ep, struct epitem *epi,
 	free_ephead(to_free);
 }
 
-static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
+static void ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
 {
 	lockdep_assert_held(&ep->mtx);
 
@@ -904,7 +904,6 @@ static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
 	kfree_rcu(epi, rcu);
 
 	percpu_counter_dec(&ep->user->epoll_watches);
-	return true;
 }
 
 /*
@@ -932,9 +931,8 @@ static void ep_remove(struct eventpoll *ep, struct epitem *epi)
 		return;
 
 	ep_remove_file(ep, epi, file);
-
-	if (ep_remove_epi(ep, epi))
-		WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
+	ep_remove_epi(ep, epi);
+	WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
 }
 
 static void ep_clear_and_put(struct eventpoll *ep)
@@ -1126,7 +1124,6 @@ void eventpoll_release_file(struct file *file)
 {
 	struct eventpoll *ep;
 	struct epitem *epi;
-	bool dispose;
 
 	/*
 	 * Use the 'dying' flag to prevent a concurrent ep_clear_and_put() from
@@ -1150,11 +1147,11 @@ again:
 		ep_unregister_pollwait(ep, epi);
 
 		ep_remove_file(ep, epi, file);
-		dispose = ep_remove_epi(ep, epi);
+		ep_remove_epi(ep, epi);
 
 		mutex_unlock(&ep->mtx);
 
-		if (dispose && ep_refcount_dec_and_test(ep))
+		if (ep_refcount_dec_and_test(ep))
 			ep_free(ep);
 		goto again;
 	}