From: Amy Griffis Date: Sat, 20 May 2006 22:00:06 +0000 (-0700) Subject: [PATCH] fix race in inotify_release X-Git-Tag: firefly_0821_release~35719 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=66055a4e7334b05354c835123ff621c5f700e56a;p=firefly-linux-kernel-4.4.55.git [PATCH] fix race in inotify_release While doing some inotify stress testing, I hit the following race. In inotify_release(), it's possible for a watch to be removed from the lists in between dropping dev->mutex and taking inode->inotify_mutex. The reference we hold prevents the watch from being freed, but not from being removed. Checking the dev's idr mapping will prevent a double list_del of the same watch. Signed-off-by: Amy Griffis Acked-by: John McCutchan Cc: Robert Love Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/fs/inotify.c b/fs/inotify.c index 1f50302849c5..7d5725336527 100644 --- a/fs/inotify.c +++ b/fs/inotify.c @@ -848,7 +848,11 @@ static int inotify_release(struct inode *ignored, struct file *file) inode = watch->inode; mutex_lock(&inode->inotify_mutex); mutex_lock(&dev->mutex); - remove_watch_no_event(watch, dev); + + /* make sure we didn't race with another list removal */ + if (likely(idr_find(&dev->idr, watch->wd))) + remove_watch_no_event(watch, dev); + mutex_unlock(&dev->mutex); mutex_unlock(&inode->inotify_mutex); put_inotify_watch(watch);