diff options
| author | Christian Brauner <brauner@kernel.org> | 2026-04-23 11:56:12 +0200 |
|---|---|---|
| committer | Christian Brauner <brauner@kernel.org> | 2026-04-24 00:36:57 +0200 |
| commit | 3a4551ea9c042502019b1d8a986e962cb9015366 (patch) | |
| tree | 916990e767efc24cff025cc0c40fd1e5f8c75431 /fs | |
| parent | 33e92e9ecf48c08cb4807e9a36f9eb01619c1a1e (diff) | |
eventpoll: drop dead bool return from ep_remove_epi()
ep_remove_epi() always returns true -- the "can be disposed"
answer was meaningful back when the dying-check lived inside the
pre-split __ep_remove(), but after that check moved to ep_remove()
the return value is just noise. Both callers gate on it
unconditionally:
if (ep_remove_epi(ep, epi))
WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
dispose = ep_remove_epi(ep, epi);
...
if (dispose && ep_refcount_dec_and_test(ep))
ep_free(ep);
Make ep_remove_epi() return void, drop the dispose local in
eventpoll_release_file(), and the useless conditionals at both
callers. No functional change.
Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-9-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/eventpoll.c | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 3f99ff54626f..eeaadb000eee 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -882,7 +882,7 @@ static void ep_remove_file(struct eventpoll *ep, struct epitem *epi, free_ephead(to_free); } -static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi) +static void ep_remove_epi(struct eventpoll *ep, struct epitem *epi) { lockdep_assert_held(&ep->mtx); @@ -904,7 +904,6 @@ static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi) kfree_rcu(epi, rcu); percpu_counter_dec(&ep->user->epoll_watches); - return true; } /* @@ -932,9 +931,8 @@ static void ep_remove(struct eventpoll *ep, struct epitem *epi) return; ep_remove_file(ep, epi, file); - - if (ep_remove_epi(ep, epi)) - WARN_ON_ONCE(ep_refcount_dec_and_test(ep)); + ep_remove_epi(ep, epi); + WARN_ON_ONCE(ep_refcount_dec_and_test(ep)); } static void ep_clear_and_put(struct eventpoll *ep) @@ -1126,7 +1124,6 @@ void eventpoll_release_file(struct file *file) { struct eventpoll *ep; struct epitem *epi; - bool dispose; /* * Use the 'dying' flag to prevent a concurrent ep_clear_and_put() from @@ -1150,11 +1147,11 @@ again: ep_unregister_pollwait(ep, epi); ep_remove_file(ep, epi, file); - dispose = ep_remove_epi(ep, epi); + ep_remove_epi(ep, epi); mutex_unlock(&ep->mtx); - if (dispose && ep_refcount_dec_and_test(ep)) + if (ep_refcount_dec_and_test(ep)) ep_free(ep); goto again; } |