Before the removal of epmutex, the acquisition of epmutex in eventpoll_release_file() will prevent the freeing of file, so it's OK to iterate files in tfile_check_list. And now epmutex is removed, so when releasing file, we need to remove file from tfile_check_list to ensure the validity of file. Signed-off-by: Hou Tao <houtao1@xxxxxxxxxx> --- fs/eventpoll.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 44ea587..998c635 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -1029,6 +1029,18 @@ void eventpoll_release_file(struct file *file) ep_remove(ep, epi); mutex_unlock(&ep->mtx); } + + /* + * The file can not been added to tfile_check_list again, because + * (1) its refcnt has been zero, so ep_ctrl() can no longer get its reference + * (2) its related ep items have been removed, so ep_loop_check_proc() + * can not get the file by ep->rbr + */ + if (!list_empty_careful(&file->f_tfile_llink)) { + mutex_lock(&epmutex); + list_del_init(&file->f_tfile_llink); + mutex_unlock(&epmutex); + } } static int ep_alloc(struct eventpoll **pep) -- 2.7.5
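
Review bot: The `list_empty_careful(&file->f_tfile_llink)` test in the added block runs without epmutex, while the `list_del_init()` it guards runs under it, so the test's result can be stale by the time the lock is taken. list_empty_careful() is only safe when the sole concurrent operation on the entry is list_del_init(). The new comment explains why the file cannot be added to tfile_check_list again, but not why it is safe if another task is still walking the list and holding this entry when the test runs. Either take epmutex unconditionally here, or extend the comment to state which lock the walker holds and why the lockless test cannot miss an entry that is still linked. The commit message says epmutex has been removed, yet this hunk locks it; please say in the message whether it was removed only from the release path and whether it is still the lock that protects tfile_check_list. Minor: in the comment, "can not been added" should read "can not be added".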