On Sat, 4 May 2024 at 08:32, Linus Torvalds torvalds@linux-foundation.org wrote:
Now, during this TOTALLY INNOCENT sock_poll(), in another thread, the file closing completes, eventpoll_release() finishes [..]
Actually, Al is right that ep_item_poll() should be holding the ep->mtx, so eventpoll_release() -> eventpoll_release_file_file() -> mutex_lock(&ep->mtx) should block and the file doesn't actually get released.
So I guess the sock_poll() issue cannot happen. It does need some poll() function that does 'fget()', and believes that it works.
But because the f_count has already gone down to zero, fget() doesn't work, and doesn't keep the file around, and you have the bug.
The cases that do fget() in poll() are probably race, but they aren't buggy. epoll is buggy.
So my example wasn't going to work, but the argument isn't really any different, it's just a much more limited case that breaks.
And maybe it's even *only* dma-buf that does that fget() in its ->poll() function. Even *then* it's not a dma-buf.c bug.
Linus