[PATCH] epoll: try to be a _bit_ better about file lifetimes
Linus Torvalds
torvalds at linux-foundation.org
Sat May 4 15:40:25 UTC 2024
On Sat, 4 May 2024 at 08:32, Linus Torvalds
<torvalds at linux-foundation.org> wrote:
>
> Now, during this TOTALLY INNOCENT sock_poll(), in another thread, the
> file closing completes, eventpoll_release() finishes [..]
Actually, Al is right that ep_item_poll() should be holding the
ep->mtx, so eventpoll_release() -> eventpoll_release_file_file() ->
mutex_lock(&ep->mtx) should block and the file doesn't actually get
released.
So I guess the sock_poll() issue cannot happen. It does need some
poll() function that does 'fget()', and believes that it works.
But because the f_count has already gone down to zero, fget() doesn't
work, and doesn't keep the file around, and you have the bug.
The cases that do fget() in poll() are probably race, but they aren't
buggy. epoll is buggy.
So my example wasn't going to work, but the argument isn't really any
different, it's just a much more limited case that breaks.
And maybe it's even *only* dma-buf that does that fget() in its
->poll() function. Even *then* it's not a dma-buf.c bug.
Linus
More information about the dri-devel
mailing list