[PATCH] fix race in inotify_release

While doing some inotify stress testing, I hit the following race.  In
inotify_release(), it's possible for a watch to be removed from the lists
in between dropping dev->mutex and taking inode->inotify_mutex.  The
reference we hold prevents the watch from being freed, but not from being
removed.

Checking the dev's idr mapping will prevent a double list_del of the
same watch.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Acked-by: John McCutchan <john@johnmccutchan.com>
Cc: Robert Love <rml@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/fs/inotify.c b/fs/inotify.c
index 1f50302..7d57253 100644 (file)
--- a/fs/inotify.c
+++ b/fs/inotify.c
@@ -848,7 +848,11 @@ static int inotify_release(struct inode *ignored, struct file *file)
                inode = watch->inode;
                mutex_lock(&inode->inotify_mutex);
                mutex_lock(&dev->mutex);
-               remove_watch_no_event(watch, dev);
+
+               /* make sure we didn't race with another list removal */
+               if (likely(idr_find(&dev->idr, watch->wd)))
+                       remove_watch_no_event(watch, dev);
+
                mutex_unlock(&dev->mutex);
                mutex_unlock(&inode->inotify_mutex);
                put_inotify_watch(watch);