@@ -1029,6 +1029,18 @@ void eventpoll_release_file(struct file *file)
ep_remove(ep, epi);
mutex_unlock(&ep->mtx);
}
+
+ /*
+ * The file can not been added to tfile_check_list again, because
+ * (1) its refcnt has been zero, so ep_ctrl() can no longer get its reference
+ * (2) its related ep items have been removed, so ep_loop_check_proc()
+ * can not get the file by ep->rbr
+ */
+ if (!list_empty_careful(&file->f_tfile_llink)) {
+ mutex_lock(&epmutex);
+ list_del_init(&file->f_tfile_llink);
+ mutex_unlock(&epmutex);
+ }
}
static int ep_alloc(struct eventpoll **pep)
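Review bot: The unlocked `list_empty_careful(&file->f_tfile_llink)` check before taking epmutex is safe only if no adder can still be running, and the comment above it asserts this without naming what orders the read after the last `list_add` to tfile_check_list. list_empty_careful() is documented as reliable only when the sole concurrent operation on the entry is list_del_init(), so a stale "empty" result here would skip the removal and leave a file that is about to be freed on the list for the next walker. If the ordering comes from the ep->mtx lock/unlock pairs in the loop just above (presumably, since ep_loop_check_proc() is said to reach the file through ep->rbr; that code is outside this hunk), the comment should say so; otherwise take epmutex unconditionally. The comment wording also needs a pass: `ep_ctrl()` presumably means `epoll_ctl()`, and the first line should read `The file cannot be added to tfile_check_list again, because`. The body of eventpoll_release_file() begins outside the hunk, so any early return that bypasses this block could not be checked.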
Before the removal of epmutex, the acquisition of epmutex in eventpoll_release_file() prevented the file from being freed, so it was OK to iterate over the files in tfile_check_list. Now that epmutex is removed, we need to remove the file from tfile_check_list when releasing it, to ensure that every file on the list remains valid. Signed-off-by: Hou Tao <houtao1@huawei.com> --- fs/eventpoll.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)