[RFC,8/8] epoll: protect the iteration of ep->rbr by ep->mtx in ep_free()

Commit Message

Hou Tao Oct. 28, 2017, 12:58 p.m. UTC

When ep_free() iterates the epi in ep->rbr, the epi may be removed
by eventpoll_release_file(). To protect again the case, acquiring
ep->mtx before the iteration of ep->rbr.

Signed-off-by: Hou Tao <houtao1@huawei.com>
---
 fs/eventpoll.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index cd7a9f4..7618fb5 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -870,6 +870,7 @@  static void ep_free(struct eventpoll *ep)
 	/*
 	 * Walks through the whole tree by unregistering poll callbacks.
 	 */
+	mutex_lock(&ep->mtx);
 	for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = rb_next(rbp)) {
 		epi = rb_entry(rbp, struct epitem, rbn);
 
@@ -885,7 +886,6 @@  static void ep_free(struct eventpoll *ep)
 	 * We do not need to lock ep->mtx, either, we only do it to prevent
 	 * a lockdep warning.
 	 */
-	mutex_lock(&ep->mtx);
 	while ((rbp = rb_first_cached(&ep->rbr)) != NULL) {
 		epi = rb_entry(rbp, struct epitem, rbn);
 		ep_remove(ep, epi);