Commit 66055a4e authored May 20, 2006 by Amy Griffis Committed by Linus Torvalds May 21, 2006

[PATCH] fix race in inotify_release



While doing some inotify stress testing, I hit the following race.  In
inotify_release(), it's possible for a watch to be removed from the lists
in between dropping dev->mutex and taking inode->inotify_mutex.  The
reference we hold prevents the watch from being freed, but not from being
removed.

Checking the dev's idr mapping will prevent a double list_del of the
same watch.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Acked-by: John McCutchan <john@johnmccutchan.com>
Cc: Robert Love <rml@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

parent 12783b00

fs/inotify.c

+5 −1

Original line number	Original line	Diff line number	Diff line
	@@ -848,7 +848,11 @@ static int inotify_release(struct inode ignored, struct file file)
	inode = watch->inode;		inode = watch->inode;
	mutex_lock(&inode->inotify_mutex);		mutex_lock(&inode->inotify_mutex);
	mutex_lock(&dev->mutex);		mutex_lock(&dev->mutex);

			/* make sure we didn't race with another list removal */
			if (likely(idr_find(&dev->idr, watch->wd)))
	remove_watch_no_event(watch, dev);		remove_watch_no_event(watch, dev);

	mutex_unlock(&dev->mutex);		mutex_unlock(&dev->mutex);
	mutex_unlock(&inode->inotify_mutex);		mutex_unlock(&inode->inotify_mutex);
	put_inotify_watch(watch);		put_inotify_watch(watch);