Before the removal of epmutex, ep_free() will be blocked by epmutex when invoking eventpoll_release_file(), so epi->ep will be valid. After the removal of epmutex, epi->ep may be freed during the invocation of eventpoll_release_file(). We can not use rcu_read_lock/unlock because we needs to acquire ep->mtx which is a mutex, so we add a ref-counter to eventpoll and increase it before leaving the rcu read critical region.
Signed-off-by: Hou Tao <houtao1@xxxxxxxxxx>
---
 fs/eventpoll.c | 38 +++++++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index e1e4796..27b743b 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -43,6 +43,7 @@
 #include <linux/compat.h>
 #include <linux/rculist.h>
 #include <net/busy_poll.h>
+#include <linux/refcount.h>
 /*
 * LOCKING:
@@ -231,6 +232,8 @@ struct eventpoll {
 unsigned int napi_id;
 #endif
+ /* used to ensure the validity of eventpoll when release file */
+ refcount_t ref;
 /* used to free itself */
 struct rcu_head rcu;
 };
@@ -827,6 +830,25 @@ static void ep_rcu_free(struct rcu_head *head)
 kfree(ep);
 }
+static void eventpoll_put_ep(struct eventpoll *ep)
+{
+ if (refcount_dec_and_test(&ep->ref)) {
+ mutex_destroy(&ep->mtx);
+ free_uid(ep->user);
+ wakeup_source_unregister(ep->ws);
+
+ call_rcu(&ep->rcu, ep_rcu_free);
+ }
+}
+
+static struct eventpoll *eventpoll_get_ep(struct eventpoll *ep)
+{
+ if (refcount_inc_not_zero(&ep->ref))
+ return ep;
+ else
+ return NULL;
+}
+
 static void ep_free(struct eventpoll *ep)
 {
 struct rb_node *rbp;
@@ -883,11 +905,7 @@ static void ep_free(struct eventpoll *ep)
 mutex_unlock(&epmutex);
 }
- mutex_destroy(&ep->mtx);
- free_uid(ep->user);
- wakeup_source_unregister(ep->ws);
-
- call_rcu(&ep->rcu, ep_rcu_free);
+ eventpoll_put_ep(ep);
 }
 static int ep_eventpoll_release(struct inode *inode, struct file *file)
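Review bot: The comment on the new `ref` field in struct eventpoll, `/* used to ensure the validity of eventpoll when release file */`, does not say who holds a count or what a zero means, which is what a later reader of this struct needs to know before touching it. From the rest of the patch, ep_alloc() sets the owner's reference to 1, ep_free() drops it through eventpoll_put_ep(), and eventpoll_release_file() takes a transient one so it can leave the RCU read side and sleep on ep->mtx. I would replace the comment with `/* ep_alloc() owns one ref, dropped by ep_free(); eventpoll_release_file() pins ep while it sleeps on ep->mtx. Last put schedules ep_rcu_free() */`. The struct definition starts before this hunk.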
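Review bot: eventpoll_get_ep() is only safe to call while something else keeps the memory of `ep` alive, because once the count reaches zero eventpoll_put_ep() hands the struct to call_rcu(), yet neither helper carries a comment stating that contract; the single caller added in this patch satisfies it by calling under rcu_read_lock(), but the next caller may not. I would add above eventpoll_get_ep(): `/* Caller must hold rcu_read_lock(): ep may already be on its way to ep_rcu_free(). Returns NULL once the owner has dropped its reference, in which case ep must not be used. */`. On style, the if/else pair can be `return refcount_inc_not_zero(&ep->ref) ? ep : NULL;`. It is also worth a one-line comment in eventpoll_put_ep() that with this change the final teardown (mutex_destroy(), free_uid(), wakeup_source_unregister()) may now run from eventpoll_release_file() in the releasing task's context rather than from ep_free(), so it must stay free of assumptions about which path it is on.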
@@ -1018,7 +1036,7 @@ static const struct file_operations eventpoll_fops = {
 void eventpoll_release_file(struct file *file)
 {
 struct eventpoll *ep;
- struct epitem *epi, *next;
+ struct epitem *epi;
 /*
 * We don't want to get "file->f_lock" because it is not
@@ -1039,13 +1057,18 @@ void eventpoll_release_file(struct file *file)
 if (!epi)
 break;
- ep = epi->ep;
+ ep = eventpoll_get_ep(epi->ep);
+ /* Current epi has been removed by ep_free() */
+ if (!ep)
+ continue;
 rcu_read_unlock();
 mutex_lock_nested(&ep->mtx, 0);
 ep_remove(ep, epi);
 mutex_unlock(&ep->mtx);
+ eventpoll_put_ep(ep);
+ rcu_read_lock();
 }
 rcu_read_unlock();
@@ -1084,6 +1107,7 @@ static int ep_alloc(struct eventpoll **pep)
 ep->ovflist = EP_UNACTIVE_PTR;
 ep->user = user;
 INIT_LIST_HEAD(&ep->visited_list_link);
+ refcount_set(&ep->ref, 1);
 *pep = ep;
-- 2.7.5
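Review bot: The new reference pins `ep` but not `epi`, and `rcu_read_unlock()` still runs before `mutex_lock_nested(&ep->mtx, 0)` in eventpoll_release_file(): if ep_free() is already inside its ep->mtx-protected removal of this eventpoll when the reference is taken, it can ep_remove() this same epitem before we get the mutex, and assuming ep_remove() frees the epitem after an RCU grace period (the list walk here is under rcu_read_lock(), so that appears to be the model), the `ep_remove(ep, epi)` in this hunk would then operate on an epitem that may already be gone. Unless an earlier patch in the series guarantees the epitem outlives that window, which nothing in the hunk shows, the epitem should be re-validated under ep->mtx before ep_remove() is called, or the RCU read side should be held until the epitem itself is pinned, rather than relying on the ep reference alone. Separately, the `continue` on a failed eventpoll_get_ep() re-reads the file's list under rcu_read_lock() with no back-off; that terminates only if ep_free()'s removal loop (outside this hunk) unlinks every epitem before its final eventpoll_put_ep(), and that dependency deserves a comment such as `/* ep_free() unlinks all its epitems before dropping its ref, so re-reading the list cannot return this epi again */`. The loop head and the code that fetches `epi` start before this hunk.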