On Sun, May 24, 2020 at 04:39:39PM -0700, Sargun Dhillon wrote:
> +static void seccomp_handle_addfd(struct seccomp_kaddfd *addfd)
> +{
> +	int ret;
> +
> +	/*
> +	 * Remove the notification, and reset the list pointers, indicating
> +	 * that it has been handled.
> +	 */
> +	list_del_init(&addfd->list);
> +
> +	ret = security_file_receive(addfd->file);
> +	if (ret)
> +		goto out;
> +
> +	if (addfd->fd >= 0) {
> +		ret = replace_fd(addfd->fd, addfd->file, addfd->flags);
> +		if (ret >= 0)
> +			fput(addfd->file);
> +	} else {
> +		ret = get_unused_fd_flags(addfd->flags);
> +		if (ret >= 0)
> +			fd_install(ret, addfd->file);

Bad refcounting rules.  *IF* we go with anything of that sort (and I'm
not convinced that the entire series makes sense), it's better to have
more uniform rules re reference consumption/disposal.  Make the destructor
of addfd *ALWAYS* drop its reference.  And have this function go

	if (addfd->fd >= 0) {
		ret = replace_fd(addfd->fd, addfd->file, addfd->flags);
	} else {
		ret = get_unused_fd_flags(addfd->flags);
		if (ret >= 0)
			fd_install(ret, get_file(addfd->file));
	}
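Review bot: Ownership of addfd->file after this function returns depends on which branch ran, and none of the paths document it. In the `addfd->fd >= 0` branch, replace_fd() takes its own reference to the file (via do_dup2()), so the `fput(addfd->file)` after a successful replace drops the caller's reference; in the `else` branch, fd_install() consumes the caller's reference instead, so no fput() follows. On every failure path (security_file_receive() error, replace_fd() or get_unused_fd_flags() failure) the reference is still held in addfd->file and must be dropped by whatever handles `out`, which is not visible in this hunk. Either adopt a single rule (the addfd destructor always drops its reference, and the fd_install() path hands it a separately acquired reference) or add a comment above the `if (addfd->fd >= 0)` block stating which paths consume the reference, so the cleanup at `out` cannot drift out of sync with these branches.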