Commit 33e92e9ecf48 for kernel

commit 33e92e9ecf48c08cb4807e9a36f9eb01619c1a1e
Author: Christian Brauner <brauner@kernel.org>
Date:   Thu Apr 23 11:56:11 2026 +0200

    eventpoll: refresh eventpoll_release() fast-path comment

    The old comment justified the lockless READ_ONCE(file->f_ep) check
    with "False positives simply cannot happen because the file is on
    the way to be removed and nobody ( but eventpoll ) has still a
    reference to this file." That reasoning was the root of the UAF
    fixed in "eventpoll: fix ep_remove struct eventpoll / struct file
    UAF": __ep_remove() could clear f_ep while another close raced
    past the fast path and freed the watched eventpoll / recycled the
    struct file slot.

    With ep_remove() now pinning @file via epi_fget() across the f_ep
    clear and hlist_del_rcu(), the invariant is re-established for the
    right reason: anyone who might clear f_ep holds @file alive for
    the duration, so a NULL observation really does mean no
    concurrent eventpoll path has work left on this file. Refresh the
    comment accordingly so the next reader doesn't inherit the broken
    model.

    Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-8-2470f9eec0f5@kernel.org
    Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

diff --git a/include/linux/eventpoll.h b/include/linux/eventpoll.h
index ea9ca0e4172a..728fb5dee5ed 100644
--- a/include/linux/eventpoll.h
+++ b/include/linux/eventpoll.h
@@ -39,12 +39,16 @@ static inline void eventpoll_release(struct file *file)
 {

 	/*
-	 * Fast check to avoid the get/release of the semaphore. Since
-	 * we're doing this outside the semaphore lock, it might return
-	 * false negatives, but we don't care. It'll help in 99.99% of cases
-	 * to avoid the semaphore lock. False positives simply cannot happen
-	 * because the file in on the way to be removed and nobody ( but
-	 * eventpoll ) has still a reference to this file.
+	 * Fast check to skip the slow path in the common case where the
+	 * file was never attached to an epoll. Safe without file->f_lock
+	 * because every f_ep writer excludes a concurrent __fput() on
+	 * @file:
+	 *   - ep_insert() requires the file alive (refcount > 0);
+	 *   - ep_remove() holds @file pinned via epi_fget() across the
+	 *     write;
+	 *   - eventpoll_release_file() runs from __fput() itself.
+	 * We are in __fput() here, so none of those can race us: a NULL
+	 * observation truly means no epoll path has work left on @file.
 	 */
 	if (likely(!READ_ONCE(file->f_ep)))
 		return;
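Review bot: the ep_remove() bullet in the new comment ("holds @file pinned via epi_fget() across the write") understates the invariant the commit message actually relies on, which is that the pin spans both the f_ep clear and the subsequent hlist_del_rcu(). Since this comment is the place the next reader will look to understand why a NULL read here is conclusive, suggest spelling that out, e.g. "- ep_remove() holds @file pinned via epi_fget() across the f_ep clear and hlist_del_rcu();" so the window that caused the earlier UAF is visibly covered rather than implied by "the write".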