On Mon, 24 Jul 2023 at 09:36, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> There are magic rules with "total_refs == inflight_refs", and that
> total_refs thing is very much the file count, ie
>
>         total_refs = file_count(u->sk.sk_socket->file);
>
> where we had some nasty bugs with files coming back to life.

Ok, I don't think this is an issue here.

It really is that "only in-flight refs remaining" that is a special
case, and even pidfd_getfd() shouldn't be able to change that.

But the magic code is all in fget_task(), and those need to be checked.

You can see how proc does things properly: it does do "fget_task()",
but then it only uses it to copy the path part, and just does fput()
afterwards.

The bpf code does something like that too, and seems ok (ie it gets
the file in order to copy data from it, not to install it).

kcmp_epoll_target() -> get_epoll_tfile_raw_ptr() looks a bit scary,
but seems to use the thing only for polling, so I guess any f_pos is
irrelevant.

                 Linus