[PATCH] Fix race in epoll_ctl(EPOLL_CTL_MOD)

From: Davide Libenzi <davidel@xmailserver.org> A potential race can happen in epoll_ctl(EPOLL_CTL_MOD) where an event can happen in between f_op->poll() and the lock on ep->lock (we cannot call f_op->poll() inside a lock, and the f_op->poll() callback does not carry any info at the current time - missing wake_up_info() already ;). In that case the event would be removed. We can easily leave the event inside the ready list and have the ep_send_events() logic do the job for us at later time. (Thanks to david.lee@teracruz.com for reporting the thing, since it shouldn't have been a nice one ;)

[PATCH] Fix race in epoll_ctl(EPOLL_CTL_MOD)
From: Davide Libenzi <davidel@xmailserver.org> A potential race can happen in epoll_ctl(EPOLL_CTL_MOD) where an event can happen in between f_op->poll() and the lock on ep->lock (we cannot call f_op->poll() inside a lock, and the f_op->poll() callback does not carry any info at the current time - missing wake_up_info() already ;). In that case the event would be removed. We can easily leave the event inside the ready list and have the ep_send_events() logic do the job for us at later time. (Thanks to david.lee@teracruz.com for reporting the thing, since it shouldn't have been a nice one ;)
2328d92a · Andrew Morton · Linus Torvalds · 2268bb30 · 2328d92a
Commit 2328d92a authored Feb 18, 2004 by Andrew Morton Committed by Linus Torvalds Feb 18, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 2 deletions

fs/eventpoll.c fs/eventpoll.c +1 -2

No files found.
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1155,8 +1155,7 @@ static int ep_modify(struct eventpoll *ep, struct epitem *epi, struct epoll_even
 				if (waitqueue_active(&ep->poll_wait))
 					pwake++;
 			}
-		} else if (EP_IS_LINKED(&epi->rdllink))
-			EP_LIST_DEL(&epi->rdllink);
+		}
 	}

 	write_unlock_irqrestore(&ep->lock, flags);