Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

eventpoll: move epi_fget() up

We'll need it when removing files so move it up. No functional change.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-5-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

+28 -28
fs/eventpoll.c
··· 827 827 } 828 828 829 829 /* 830 + * The ffd.file pointer may be in the process of being torn down due to 831 + * being closed, but we may not have finished eventpoll_release() yet. 832 + * 833 + * Normally, even with the atomic_long_inc_not_zero, the file may have 834 + * been free'd and then gotten re-allocated to something else (since 835 + * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU). 836 + * 837 + * But for epoll, users hold the ep->mtx mutex, and as such any file in 838 + * the process of being free'd will block in eventpoll_release_file() 839 + * and thus the underlying file allocation will not be free'd, and the 840 + * file re-use cannot happen. 841 + * 842 + * For the same reason we can avoid a rcu_read_lock() around the 843 + * operation - 'ffd.file' cannot go away even if the refcount has 844 + * reached zero (but we must still not call out to ->poll() functions 845 + * etc). 846 + */ 847 + static struct file *epi_fget(const struct epitem *epi) 848 + { 849 + struct file *file; 850 + 851 + file = epi->ffd.file; 852 + if (!file_ref_get(&file->f_ref)) 853 + file = NULL; 854 + return file; 855 + } 856 + 857 + /* 830 858 * Called with &file->f_lock held, 831 859 * returns with it released 832 860 */ ··· 1044 1016 ep_done_scan(ep, &txlist); 1045 1017 mutex_unlock(&ep->mtx); 1046 1018 return res; 1047 - } 1048 - 1049 - /* 1050 - * The ffd.file pointer may be in the process of being torn down due to 1051 - * being closed, but we may not have finished eventpoll_release() yet. 1052 - * 1053 - * Normally, even with the atomic_long_inc_not_zero, the file may have 1054 - * been free'd and then gotten re-allocated to something else (since 1055 - * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU). 
1056 - * 1057 - * But for epoll, users hold the ep->mtx mutex, and as such any file in 1058 - * the process of being free'd will block in eventpoll_release_file() 1059 - * and thus the underlying file allocation will not be free'd, and the 1060 - * file re-use cannot happen. 1061 - * 1062 - * For the same reason we can avoid a rcu_read_lock() around the 1063 - * operation - 'ffd.file' cannot go away even if the refcount has 1064 - * reached zero (but we must still not call out to ->poll() functions 1065 - * etc). 1066 - */ 1067 - static struct file *epi_fget(const struct epitem *epi) 1068 - { 1069 - struct file *file; 1070 - 1071 - file = epi->ffd.file; 1072 - if (!file_ref_get(&file->f_ref)) 1073 - file = NULL; 1074 - return file; 1075 1019 } 1076 1020 1077 1021 /*
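Review bot: the moved epi_fget() depends on the caller holding ep->mtx (the comment block above it spells out that this is what keeps the file from being freed and re-used, and the commit message says a new caller in the file-removal path is coming), but nothing in the function enforces it; consider a `lockdep_assert_held(&epi->ep->mtx);` at the top of epi_fget(), most naturally in the follow-up patch that adds the new caller so this one stays a pure move. The moved comment also still reads "even with the atomic_long_inc_not_zero" while the code it describes calls file_ref_get(&file->f_ref); since the text is stale relative to the code, refreshing that wording (and "free'd") is worth a separate cleanup rather than being silently carried along by the move.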