From: Christian Brauner Date: Thu, 23 Apr 2026 09:56:10 +0000 (+0200) Subject: eventpoll: move f_lock acquisition into ep_remove_file() X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d30deeb8b0cf6259785c1fb79b87905d281b0a5a;p=thirdparty%2Fkernel%2Fstable.git eventpoll: move f_lock acquisition into ep_remove_file() Let the helper own its critical section end-to-end: take &file->f_lock at the top, read file->f_ep inside the lock, release on exit. Callers (ep_remove() and eventpoll_release_file()) no longer need to wrap the call, and the function-comment lock-handoff contract is gone. Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-7-2470f9eec0f5@kernel.org Signed-off-by: Christian Brauner (Amutable) --- diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 0f785c0a1544..3f99ff54626f 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -855,18 +855,18 @@ static struct file *epi_fget(const struct epitem *epi) } /* - * Called with &file->f_lock held, - * returns with it released + * Takes &file->f_lock; returns with it released. */ static void ep_remove_file(struct eventpoll *ep, struct epitem *epi, struct file *file) { struct epitems_head *to_free = NULL; - struct hlist_head *head = file->f_ep; + struct hlist_head *head; lockdep_assert_held(&ep->mtx); - lockdep_assert_held(&file->f_lock); + spin_lock(&file->f_lock); + head = file->f_ep; if (hlist_is_singular_node(&epi->fllink, head)) { /* See eventpoll_release() for details. */ WRITE_ONCE(file->f_ep, NULL); @@ -931,7 +931,6 @@ static void ep_remove(struct eventpoll *ep, struct epitem *epi) if (!file) return; - spin_lock(&file->f_lock); ep_remove_file(ep, epi, file); if (ep_remove_epi(ep, epi)) @@ -1150,7 +1149,6 @@ again: ep_unregister_pollwait(ep, epi); - spin_lock(&file->f_lock); ep_remove_file(ep, epi, file); dispose = ep_remove_epi(ep, epi);