diff options
author | Amy Griffis <amy.griffis@hp.com> | 2006-05-20 18:00:06 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-05-21 15:59:18 -0400 |
commit | 66055a4e7334b05354c835123ff621c5f700e56a (patch) | |
tree | de9d4b432e48d4c919b70a627d9ba0b50e840de0 | |
parent | 12783b002db1f02c29353c8f698a85514420b9f4 (diff) |
[PATCH] fix race in inotify_release
While doing some inotify stress testing, I hit the following race. In
inotify_release(), it's possible for a watch to be removed from the lists
in between dropping dev->mutex and taking inode->inotify_mutex. The
reference we hold prevents the watch from being freed, but not from being
removed.
Checking the dev's idr mapping will prevent a double list_del of the
same watch.
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Acked-by: John McCutchan <john@johnmccutchan.com>
Cc: Robert Love <rml@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | fs/inotify.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/fs/inotify.c b/fs/inotify.c index 1f50302849c5..7d5725336527 100644 --- a/fs/inotify.c +++ b/fs/inotify.c | |||
@@ -848,7 +848,11 @@ static int inotify_release(struct inode *ignored, struct file *file) | |||
848 | inode = watch->inode; | 848 | inode = watch->inode; |
849 | mutex_lock(&inode->inotify_mutex); | 849 | mutex_lock(&inode->inotify_mutex); |
850 | mutex_lock(&dev->mutex); | 850 | mutex_lock(&dev->mutex); |
851 | remove_watch_no_event(watch, dev); | 851 | |
852 | /* make sure we didn't race with another list removal */ | ||
853 | if (likely(idr_find(&dev->idr, watch->wd))) | ||
854 | remove_watch_no_event(watch, dev); | ||
855 | |||
852 | mutex_unlock(&dev->mutex); | 856 | mutex_unlock(&dev->mutex); |
853 | mutex_unlock(&inode->inotify_mutex); | 857 | mutex_unlock(&inode->inotify_mutex); |
854 | put_inotify_watch(watch); | 858 | put_inotify_watch(watch); |