From 66055a4e7334b05354c835123ff621c5f700e56a Mon Sep 17 00:00:00 2001 From: Amy Griffis Date: Sat, 20 May 2006 15:00:06 -0700 Subject: [PATCH] fix race in inotify_release While doing some inotify stress testing, I hit the following race. In inotify_release(), it's possible for a watch to be removed from the lists in between dropping dev->mutex and taking inode->inotify_mutex. The reference we hold prevents the watch from being freed, but not from being removed. Checking the dev's idr mapping will prevent a double list_del of the same watch. Signed-off-by: Amy Griffis Acked-by: John McCutchan Cc: Robert Love Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- fs/inotify.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'fs/inotify.c') diff --git a/fs/inotify.c b/fs/inotify.c index 1f50302849c..7d572533652 100644 --- a/fs/inotify.c +++ b/fs/inotify.c @@ -848,7 +848,11 @@ static int inotify_release(struct inode *ignored, struct file *file) inode = watch->inode; mutex_lock(&inode->inotify_mutex); mutex_lock(&dev->mutex); - remove_watch_no_event(watch, dev); + + /* make sure we didn't race with another list removal */ + if (likely(idr_find(&dev->idr, watch->wd))) + remove_watch_no_event(watch, dev); + mutex_unlock(&dev->mutex); mutex_unlock(&inode->inotify_mutex); put_inotify_watch(watch); -- cgit v1.2.3-70-g09d2 From d66fd908acc8ba88541ecc570d89b0243f947c5e Mon Sep 17 00:00:00 2001 From: Amy Griffis Date: Sat, 20 May 2006 15:00:07 -0700 Subject: [PATCH] fix NULL dereference in inotify_ignore Don't reassign to watch. If idr_find() returns NULL, then put_inotify_watch() will choke. Signed-off-by: Amy Griffis Cc: John McCutchan Cc: Robert Love Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- fs/inotify.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'fs/inotify.c') diff --git a/fs/inotify.c b/fs/inotify.c index 7d572533652..732ec4bd577 100644 --- a/fs/inotify.c +++ b/fs/inotify.c @@ -894,8 +894,7 @@ static int inotify_ignore(struct inotify_device *dev, s32 wd) mutex_lock(&dev->mutex); /* make sure that we did not race */ - watch = idr_find(&dev->idr, wd); - if (likely(watch)) + if (likely(idr_find(&dev->idr, wd) == watch)) remove_watch(watch, dev); mutex_unlock(&dev->mutex); -- cgit v1.2.3-70-g09d2