A potential bug in inotify_user.c

Following comment is at fs/inotify_user.c:287
/* coalescing: drop this event if it is a dupe of the previous */

I think the previous event in the comment should be the last event in the
link list.  But inotify_dev_get_event return the first event in the list.
In addition, it doesn't check whether the list is empty

Signed-off-by: Yan Zheng<yanzheng@21cn.com>
Acked-by: Robert Love <rlove@rlove.org>
Cc: John McCutchan <ttb@tentacle.dhs.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/inotify_user.c b/fs/inotify_user.c
index 5e00933..c509a81 100644 (file)
--- a/fs/inotify_user.c
+++ b/fs/inotify_user.c
@@ -247,6 +247,19 @@ inotify_dev_get_event(struct inotify_device *dev)
        return list_entry(dev->events.next, struct inotify_kernel_event, list);
 }
 
+/*
+ * inotify_dev_get_last_event - return the last event in the given dev's queue
+ *
+ * Caller must hold dev->ev_mutex.
+ */
+static inline struct inotify_kernel_event *
+inotify_dev_get_last_event(struct inotify_device *dev)
+{
+       if (list_empty(&dev->events))
+               return NULL;
+       return list_entry(dev->events.prev, struct inotify_kernel_event, list);
+}
+
 /*
  * inotify_dev_queue_event - event handler registered with core inotify, adds
  * a new event to the given device
@@ -273,7 +286,7 @@ static void inotify_dev_queue_event(struct inotify_watch *w, u32 wd, u32 mask,
                put_inotify_watch(w); /* final put */
 
        /* coalescing: drop this event if it is a dupe of the previous */
-       last = inotify_dev_get_event(dev);
+       last = inotify_dev_get_last_event(dev);
        if (last && last->event.mask == mask && last->event.wd == wd &&
                        last->event.cookie == cookie) {
                const char *lastname = last->name;