[PATCH] inotify: oops fix

Bug fix: Ensure that the fd passed to inotify_add_watch() and
inotify_rm_watch() belongs to inotify.

Signed-off-by: Robert Love <rml@novell.com>
Signed-off-by: John McCutchan <ttb@tentacle.dhs.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/fs/inotify.c b/fs/inotify.c
index 807209f0bcda18d39686386adad8f1db18a44d38..b55d6e4a0911ddf06408c2ae224f14fbc04b9f7f 100644 (file)
--- a/fs/inotify.c
+++ b/fs/inotify.c
@@ -929,6 +929,12 @@ asmlinkage long sys_inotify_add_watch(int fd, const char __user *path, u32 mask)
        if (unlikely(!filp))
                return -EBADF;
 
+       /* verify that this is indeed an inotify instance */
+       if (unlikely(filp->f_op != &inotify_fops)) {
+               ret = -EINVAL;
+               goto fput_and_out;
+       }
+
        ret = find_inode(path, &nd);
        if (unlikely(ret))
                goto fput_and_out;
@@ -986,10 +992,18 @@ asmlinkage long sys_inotify_rm_watch(int fd, u32 wd)
        filp = fget_light(fd, &fput_needed);
        if (unlikely(!filp))
                return -EBADF;
+
+       /* verify that this is indeed an inotify instance */
+       if (unlikely(filp->f_op != &inotify_fops)) {
+               ret = -EINVAL;
+               goto out;
+       }
+
        dev = filp->private_data;
        ret = inotify_ignore(dev, wd);
-       fput_light(filp, fput_needed);
 
+out:
+       fput_light(filp, fput_needed);
        return ret;
 }