From: Yan Zheng Date: Wed, 6 Feb 2008 09:36:09 +0000 (-0800) Subject: A potential bug in inotify_user.c X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=1c17d18e3775485bf1e0ce79575eb637a94494a2;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git A potential bug in inotify_user.c Following comment is at fs/inotify_user.c:287 /* coalescing: drop this event if it is a dupe of the previous */ I think the previous event in the comment should be the last event in the link list. But inotify_dev_get_event return the first event in the list. In addition, it doesn't check whether the list is empty Signed-off-by: Yan Zheng Acked-by: Robert Love Cc: John McCutchan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/fs/inotify_user.c b/fs/inotify_user.c index 5e009331c01..c509a817068 100644 --- a/fs/inotify_user.c +++ b/fs/inotify_user.c @@ -247,6 +247,19 @@ inotify_dev_get_event(struct inotify_device *dev) return list_entry(dev->events.next, struct inotify_kernel_event, list); } +/* + * inotify_dev_get_last_event - return the last event in the given dev's queue + * + * Caller must hold dev->ev_mutex. + */ +static inline struct inotify_kernel_event * +inotify_dev_get_last_event(struct inotify_device *dev) +{ + if (list_empty(&dev->events)) + return NULL; + return list_entry(dev->events.prev, struct inotify_kernel_event, list); +} + /* * inotify_dev_queue_event - event handler registered with core inotify, adds * a new event to the given device @@ -273,7 +286,7 @@ static void inotify_dev_queue_event(struct inotify_watch *w, u32 wd, u32 mask, put_inotify_watch(w); /* final put */ /* coalescing: drop this event if it is a dupe of the previous */ - last = inotify_dev_get_event(dev); + last = inotify_dev_get_last_event(dev); if (last && last->event.mask == mask && last->event.wd == wd && last->event.cookie == cookie) { const char *lastname = last->name;