Before the removal of epmutex, the acquisition of epmutex in ep_free() will prevent the freeing of ep, so it's OK to access ep in visited_list in ep_loop_check(). To ensure the validity of ep when clearing visited_list, we need to remove ep from visited_list when freeing ep. If the ep had been added to the visited_list, we need to wait for its removal.

Signed-off-by: Hou Tao <houtao1@xxxxxxxxxx>
---
 fs/eventpoll.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 26ab0c5..44ea587 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -862,6 +862,18 @@ static void ep_free(struct eventpoll *ep)
 }
 mutex_unlock(&ep->mtx);
 
+ /*
+ * ep will not been added to visited_list, because ep_ctrl()
+ * can not get its reference and can not reference it by the
+ * corresponding epitem. The only possible operation is list_del_init,
+ * so it's OK to use list_empty_careful() here.
+ */
+ if (!list_empty_careful(&ep->visited_list_link)) {
+ mutex_lock(&epmutex);
+ list_del_init(&ep->visited_list_link);
+ mutex_unlock(&epmutex);
+ }
+
 mutex_destroy(&ep->mtx);
 free_uid(ep->user);
 wakeup_source_unregister(ep->ws);
@@ -1039,6 +1051,7 @@ static int ep_alloc(struct eventpoll **pep)
 ep->rbr = RB_ROOT_CACHED;
 ep->ovflist = EP_UNACTIVE_PTR;
 ep->user = user;
+ INIT_LIST_HEAD(&ep->visited_list_link);
 
 *pep = ep;
 
@@ -1928,7 +1941,7 @@ static int ep_loop_check(struct eventpoll *ep, struct file *file)
 list_for_each_entry_safe(ep_cur, ep_next, &visited_list,
 visited_list_link) {
 ep_cur->visited = 0;
- list_del(&ep_cur->visited_list_link);
+ list_del_init(&ep_cur->visited_list_link);
 }
 return ret;
 }
-- 
2.7.5
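Review bot: The unlocked `list_empty_careful()` fast path added to ep_free() is the delicate part of this change, and its comment should state the two conditions it actually depends on rather than the caller's inability to take a reference: nothing may `list_add()` the link once ep_free() is running, and the only concurrent writer is the `list_del_init()` in ep_loop_check()'s cleanup walk, which this patch places after the walker's last store to `ep_cur->visited`. The comment also names `ep_ctrl()`, which does not appear anywhere in the patch; presumably epoll_ctl()/ep_loop_check() is meant, so I would name the function that actually touches the list. A rewritten comment would say that the check mirrors the documented list_empty_careful()/list_del_init() pairing, that it is sound only because the walker can remove but never re-add the entry, and that once the link reads empty the walker has finished with ep; it would also fix "will not been added". On weakly ordered CPUs a plain `list_del_init()` provides no ordering between the walker's earlier `visited` store and the link becoming empty, so if the fast path must hold there the walker side needs a release barrier before the removal and this side an acquire on the check — I have not verified whether the surrounding locking already covers that, and ep_free() starts and ends outside the hunk.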
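Review bot: The order of the two statements inside the cleanup loop of ep_loop_check() now matters and deserves a comment: after `list_del_init()` the entry reads as empty, at which point the unlocked fast path in ep_free() may free `ep_cur`, so `ep_cur->visited = 0` must stay before the removal and nothing may touch `ep_cur` after it. I would add above the `list_del_init(&ep_cur->visited_list_link);` line `/* last access to ep_cur: once the link reads empty, ep_free() may free it */`. `ep_next` is still safe because it remains on the list while the lock that protects this walk is held; that lock is taken outside the hunk, so I have not verified it here. If the fast path is meant to be correct on weakly ordered architectures, an `smp_wmb()` (or a release store) before the `list_del_init()` is the writer-side half of the pairing that orders the `visited` store before the link stores; the plain `list_del_init()` alone does not provide it.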