When a user uses the system call epoll_ctl to insert/remove/change a file descriptor in epoll, like this:

    epoll_ctl(int epfd, int op, int fd=-1, struct epoll_event __user *event);

this operation will lead to an application crash. The following function will lead to this problem when fd is -1:

    static inline struct file * fcheck_files(struct files_struct *files, unsigned int fd)
    {
        struct file * file = NULL;
        struct fdtable *fdt = files_fdtable(files);

        if (fd < fdt->max_fds)
            file = rcu_dereference(fdt->fd[fd]); /* here fd is -1 */
        return file;
    }
Do you have an oops, or is this an observation? max_fds and fd are unsigned int.
Oh, it's my fault. I had omitted that max_fds and fd are unsigned int.
But this happened once on a 64-bit operating system, and I checked the fd to avoid my application crashing.
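The unsigned comparison the reply refers to, and the user-space fd check the poster describes, as an added example that is neither the kernel's code nor the poster's; the fdtable model, its 64-slot table and the filled slot 3 are constructed for illustration, and the epoll_ctl call assumes a Linux host.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <unistd.h>

/* Constructed model of the kernel fdtable: only the fields fcheck_files() reads. */
struct fdtable_model {
    unsigned int max_fds;
    void **fd;
};

/* Model of fcheck_files(): the caller's int fd is converted to unsigned int,
 * so -1 becomes UINT_MAX, fails "fd < max_fds" and no array index happens. */
static void *model_fcheck_files(const struct fdtable_model *fdt, int user_fd)
{
    unsigned int fd = (unsigned int)user_fd;   /* -1 -> 0xFFFFFFFF */
    if (fd < fdt->max_fds)
        return fdt->fd[fd];
    return NULL;                               /* out of range: "no such file" */
}

/* 1 if the model lookup finds a file for user_fd in a constructed 64-slot
 * table where only slot 3 is populated, 0 otherwise. */
int model_lookup_ok(int user_fd)
{
    static void *slots[64];
    static int marker;
    struct fdtable_model fdt = { .max_fds = 64, .fd = slots };
    slots[3] = &marker;                        /* constructed: only fd 3 is open */
    return model_fcheck_files(&fdt, user_fd) != NULL;
}

/* What the real kernel does with a bad fd: returns the errno from
 * EPOLL_CTL_ADD instead of crashing (0 means the add succeeded). */
int epoll_ctl_errno(int fd)
{
    struct epoll_event ev = { .events = EPOLLIN, .data.fd = fd };
    int epfd = epoll_create1(0);
    int err = 0;
    if (epfd < 0)
        return errno;
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev) < 0)
        err = errno;
    close(epfd);
    return err;
}

/* The user-space guard the poster describes: reject fd < 0 before the syscall. */
int safe_epoll_add(int epfd, int fd)
{
    struct epoll_event ev = { .events = EPOLLIN, .data.fd = fd };
    if (fd < 0)
        return -EBADF;
    return epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev) < 0 ? -errno : 0;
}

int main(void)
{
    printf("model fd=-1 found: %d\n", model_lookup_ok(-1));
    printf("epoll_ctl(fd=-1) errno: %d (EBADF=%d)\n", epoll_ctl_errno(-1), EBADF);
    return 0;
}
```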