From 783bc29bbc5d6625a4669d3eb1d989a8fb275d43 Mon Sep 17 00:00:00 2001
From: Robert Love <rml@novell.com>
Date: Mon, 25 Jul 2005 15:10:08 -0400
Subject: [PATCH] [PATCH] inotify: oops fix

Bug fix: Ensure that the fd passed to inotify_add_watch() and
inotify_rm_watch() belongs to inotify.

Signed-off-by: Robert Love <rml@novell.com>
Signed-off-by: John McCutchan <ttb@tentacle.dhs.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 fs/inotify.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/fs/inotify.c b/fs/inotify.c
index 807209f0bc..b55d6e4a09 100644
--- a/fs/inotify.c
+++ b/fs/inotify.c
@@ -929,6 +929,12 @@ asmlinkage long sys_inotify_add_watch(int fd, const char __user *path, u32 mask)
 	if (unlikely(!filp))
 		return -EBADF;
 
+	/* verify that this is indeed an inotify instance */
+	if (unlikely(filp->f_op != &inotify_fops)) {
+		ret = -EINVAL;
+		goto fput_and_out;
+	}
+
 	ret = find_inode(path, &nd);
 	if (unlikely(ret))
 		goto fput_and_out;
@@ -986,10 +992,18 @@ asmlinkage long sys_inotify_rm_watch(int fd, u32 wd)
 	filp = fget_light(fd, &fput_needed);
 	if (unlikely(!filp))
 		return -EBADF;
+
+	/* verify that this is indeed an inotify instance */
+	if (unlikely(filp->f_op != &inotify_fops)) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	dev = filp->private_data;
 	ret = inotify_ignore(dev, wd);
-	fput_light(filp, fput_needed);
 
+out:
+	fput_light(filp, fput_needed);
 	return ret;
 }
 
-- 
2.39.2