When eventpoll_release_file() iterates epitem in file->f_ep_links, the epitem may be removed by ep_free(). To protect again the concurrent writer, iterate file->f_ep_links by using rcu_read_lock() and list_first_or_null_rcu() Signed-off-by: Hou Tao <houtao1@xxxxxxxxxx> --- fs/eventpoll.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 18de596..e1e4796 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -1033,12 +1033,22 @@ void eventpoll_release_file(struct file *file) * * Besides, ep_remove() acquires the lock, so we can't hold it here. */ - list_for_each_entry_safe(epi, next, &file->f_ep_links, fllink) { + rcu_read_lock(); + while (true) { + epi = list_first_or_null_rcu(&file->f_ep_links, struct epitem, fllink); + if (!epi) + break; + ep = epi->ep; + rcu_read_unlock(); + mutex_lock_nested(&ep->mtx, 0); ep_remove(ep, epi); mutex_unlock(&ep->mtx); + + rcu_read_lock(); } + rcu_read_unlock(); /* * The file can not been added to tfile_check_list again, because -- 2.7.5
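Review bot: Between `rcu_read_unlock()` and `mutex_lock_nested(&ep->mtx, 0)` in the new loop, nothing visible in this hunk keeps `ep` or `epi` alive. If ep_free() wins the race the description mentions, the mutex would be taken on a freed eventpoll and `ep_remove(ep, epi)` would run on an epitem that is already unlinked. The RCU read section covers only the `list_first_or_null_rcu()` lookup, so unless a lock or reference held outside the hunk pins both objects, the loop should pin `ep` before leaving the read section and re-check under `ep->mtx` that `epi` is still on `file->f_ep_links`. The lookup is also only safe if writers unlink with `list_del_rcu()` and free epitems after a grace period, which this hunk does not show; at minimum add a comment above the loop such as `/* ep/epi stay valid after rcu_read_unlock() because <guarantee> */`. Separately, the loop no longer uses `next`, whose declaration lies outside the hunk and is not removed by this one-deletion patch, so it will probably trigger an unused-variable warning.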