summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--fs/file_table.c9
-rw-r--r--fs/notify/notification.c13
2 files changed, 22 insertions, 0 deletions
diff --git a/fs/file_table.c b/fs/file_table.c
index 5c7d10ead4ad..b8a0bb63cbd7 100644
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -230,6 +230,15 @@ static void __fput(struct file *file)
might_sleep();
fsnotify_close(file);
+
+ /*
+ * fsnotify_create_event may have taken one or more references on this
+ * file. If it did so it left one reference for us to drop to make sure
+ * its calls to fput could not prematurely destroy the file.
+ */
+ if (atomic_long_read(&file->f_count))
+ return fput(file);
+
/*
* The function eventpoll_release() should be the first called
* in the file cleanup chain.
diff --git a/fs/notify/notification.c b/fs/notify/notification.c
index c106cdd7ff5e..d6c435adc7a2 100644
--- a/fs/notify/notification.c
+++ b/fs/notify/notification.c
@@ -426,6 +426,19 @@ struct fsnotify_event *fsnotify_create_event(struct inode *to_tell, __u32 mask,
switch (data_type) {
case FSNOTIFY_EVENT_FILE: {
event->file = data;
+ /*
+ * if this file is about to disappear hold an extra reference
+ * until we return to __fput so we don't have to worry about
+ * future get/put destroying the file under us or generating
+ * additional events. Notice that we change f_mode without
+ * holding f_lock. This is safe since this is the only possible
+ * reference to this object in the kernel (it was about to be
+ * freed, remember?)
+ */
+ if (!atomic_long_read(&event->file->f_count)) {
+ event->file->f_mode |= FMODE_NONOTIFY;
+ get_file(event->file);
+ }
get_file(event->file);
break;
}