From: Davide Libenzi <davidel@xmailserver.org>

A potential race can happen in epoll_ctl(EPOLL_CTL_MOD) where an event can
happen in between f_op->poll() and the lock on ep->lock (we cannot call
f_op->poll() inside a lock, and the f_op->poll() callback does not carry
any info at the current time - missing wake_up_info() already ;).  In that
case the event would be removed.  We can easily leave the event inside the
ready list and have the ep_send_events() logic do the job for us at a later
time.  (Thanks to david.lee@teracruz.com for reporting the thing, since it
shouldn't have been a nice one ;)



---

 25-akpm/fs/eventpoll.c |    3 +--
 1 files changed, 1 insertion(+), 2 deletions(-)

diff -puN fs/eventpoll.c~epoll_ctl-race-fix fs/eventpoll.c
--- 25/fs/eventpoll.c~epoll_ctl-race-fix	Fri Feb 13 17:15:48 2004
+++ 25-akpm/fs/eventpoll.c	Fri Feb 13 17:15:48 2004
@@ -1156,8 +1156,7 @@ static int ep_modify(struct eventpoll *e
 				if (waitqueue_active(&ep->poll_wait))
 					pwake++;
 			}
-		} else if (EP_IS_LINKED(&epi->rdllink))
-			EP_LIST_DEL(&epi->rdllink);
+		}
 	}
 
 	write_unlock_irqrestore(&ep->lock, flags);
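Review bot: Missing documentation at the closing brace in ep_modify() where the `else if (EP_IS_LINKED(&epi->rdllink))` branch was removed: nothing in the code now says that an item may be left on the ready list on purpose. Suggest a short comment there stating that the entry is intentionally kept because an event can arrive between f_op->poll() and taking ep->lock, and that ep_send_events() is relied on to sort it out later. That reliance is the whole correctness argument and ep_send_events() is not visible in this hunk, so please confirm that it re-checks each queued item against the updated event mask and drops non-matching ones instead of reporting them to userspace.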

_