diff options
-rw-r--r-- | fs/file_table.c | 9 | ||||
-rw-r--r-- | fs/notify/notification.c | 13 |
2 files changed, 22 insertions, 0 deletions
diff --git a/fs/file_table.c b/fs/file_table.c index 5c7d10ead4ad..b8a0bb63cbd7 100644 --- a/fs/file_table.c +++ b/fs/file_table.c @@ -230,6 +230,15 @@ static void __fput(struct file *file) might_sleep(); fsnotify_close(file); + + /* + * fsnotify_create_event may have taken one or more references on this + * file. If it did so it left one reference for us to drop to make sure + * its calls to fput could not prematurely destroy the file. + */ + if (atomic_long_read(&file->f_count)) + return fput(file); + /* * The function eventpoll_release() should be the first called * in the file cleanup chain. diff --git a/fs/notify/notification.c b/fs/notify/notification.c index c106cdd7ff5e..d6c435adc7a2 100644 --- a/fs/notify/notification.c +++ b/fs/notify/notification.c @@ -426,6 +426,19 @@ struct fsnotify_event *fsnotify_create_event(struct inode *to_tell, __u32 mask, switch (data_type) { case FSNOTIFY_EVENT_FILE: { event->file = data; + /* + * if this file is about to disappear hold an extra reference + * until we return to __fput so we don't have to worry about + * future get/put destroying the file under us or generating + * additional events. Notice that we change f_mode without + * holding f_lock. This is safe since this is the only possible + * reference to this object in the kernel (it was about to be + * freed, remember?) + */ + if (!atomic_long_read(&event->file->f_count)) { + event->file->f_mode |= FMODE_NONOTIFY; + get_file(event->file); + } get_file(event->file); break; } |