diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-05-03 22:36:09 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-05-05 23:00:48 +0200 |
commit | 4efaa5acf0a1d2b5947f98abb3acf8bfd966422b (patch) | |
tree | 0a7f074026609c4fed7d2c4add29c12e5c051ce0 /scripts/cc-version.sh | |
parent | Merge tag 'edac_urgent_for_v6.9_rc7' of git://git.kernel.org/pub/scm/linux/ke... (diff) | |
download | linux-4efaa5acf0a1d2b5947f98abb3acf8bfd966422b.tar.xz linux-4efaa5acf0a1d2b5947f98abb3acf8bfd966422b.zip |
epoll: be better about file lifetimes
epoll can call out to vfs_poll() with a file pointer that may race with
the last 'fput()'. That would make f_count go down to zero, and while
the ep->mtx locking means that the resulting file pointer tear-down will
be blocked until the poll returns, it means that f_count is already
dead, and any use of it won't actually get a reference to the file any
more: it's dead regardless.
Make sure we have a valid ref on the file pointer before we call down to
vfs_poll() from the epoll routines.
Link: https://lore.kernel.org/lkml/0000000000002d631f0615918f1e@google.com/
Reported-by: syzbot+045b454ab35fd82a35fb@syzkaller.appspotmail.com
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'scripts/cc-version.sh')
0 files changed, 0 insertions, 0 deletions