Use receive_fd() to receive file from another process instead of combination of get_unused_fd_flags() and fd_install(). This simplifies the logic and also makes sure we don't miss any security stuff. Signed-off-by: Xie Yongji <xieyongji@xxxxxxxxxxxxx> --- drivers/android/binder.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index c119736ca56a..080bcab7d632 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3728,7 +3728,7 @@ static int binder_apply_fd_fixups(struct binder_proc *proc, int ret = 0; list_for_each_entry(fixup, &t->fd_fixups, fixup_entry) { - int fd = get_unused_fd_flags(O_CLOEXEC); + int fd = receive_fd(fixup->file, O_CLOEXEC); if (fd < 0) { binder_debug(BINDER_DEBUG_TRANSACTION, @@ -3741,7 +3741,7 @@ static int binder_apply_fd_fixups(struct binder_proc *proc, "fd fixup txn %d fd %d\n", t->debug_id, fd); trace_binder_transaction_fd_recv(t, fd, fixup->offset); - fd_install(fd, fixup->file); + fput(fixup->file); fixup->file = NULL; if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer, fixup->offset, &fd, -- 2.11.0