epoll: annotate racy check

Epoll relies on a racy fastpath check during __fput() in eventpoll_release() to avoid the hit of pointlessly acquiring a semaphore. Annotate that race by using WRITE_ONCE() and READ_ONCE(). Link: https://lore.kernel.org/r/66edfb3c.050a0220.3195df.001a.GAE@google.com Link: https://lore.kernel.org/r/20240925-fungieren-anbauen-79b334b00542@brauner Reviewed-by: Jan Kara <jack@suse.cz> Reported-by: syzbot+3b6b32dc50537a49bb4a@syzkaller.appspotmail.com Signed-off-by: Christian Brauner <brauner@kernel.org>
author: Christian Brauner <brauner@kernel.org> 2024-09-25 11:05:16 +0200
committer: Christian Brauner <brauner@kernel.org> 2024-10-22 11:16:56 +0200
commit: 6474353a5e3d0b2cf610153cea0c61f576a36d0a (patch)
tree: 1395d4b47fa1aaf0b08141610ec97a7c2c3f0d57 /fs/eventpoll.c
parent: 05fba0a11557dfdc1b6895f4a3fb59165669e643 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 1ae4542f0bd8..90fbab6b6f03 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -823,7 +823,8 @@ static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
 	to_free = NULL;
 	head = file->f_ep;
 	if (head->first == &epi->fllink && !epi->fllink.next) {
-		file->f_ep = NULL;
+		/* See eventpoll_release() for details. */
+		WRITE_ONCE(file->f_ep, NULL);
 		if (!is_file_epoll(file)) {
 			struct epitems_head *v;
 			v = container_of(head, struct epitems_head, epitems);
@@ -1603,7 +1604,8 @@ allocate:
 			spin_unlock(&file->f_lock);
 			goto allocate;
 		}
-		file->f_ep = head;
+		/* See eventpoll_release() for details. */
+		WRITE_ONCE(file->f_ep, head);
 		to_free = NULL;
 	}
 	hlist_add_head_rcu(&epi->fllink, file->f_ep);
author	Christian Brauner <brauner@kernel.org>	2024-09-25 11:05:16 +0200
committer	Christian Brauner <brauner@kernel.org>	2024-10-22 11:16:56 +0200
commit	6474353a5e3d0b2cf610153cea0c61f576a36d0a (patch)
tree	1395d4b47fa1aaf0b08141610ec97a7c2c3f0d57 /fs/eventpoll.c
parent	05fba0a11557dfdc1b6895f4a3fb59165669e643 (diff)