Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 13 Apr 2026 14:43:28 +0000
From:      Kyle Evans <kevans@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 64c72d3020f5 - stable/14 - kqueue: don't leak file refs on failure to knote_attach()
Message-ID:  <69dd0110.1a10c.13b8c5d@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch stable/14 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=64c72d3020f5c0d07219745f658400ca26654d84

commit 64c72d3020f5c0d07219745f658400ca26654d84
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2026-04-09 02:37:00 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2026-04-13 14:43:17 +0000

    kqueue: don't leak file refs on failure to knote_attach()
    
    We'll subsequently just knote_free() since the knote is barely
    constructed, but that bypasses any logic that might release references
    on owned files/fops.  Defer clearing those until the knote actually owns
    them and update the comment to draw the line more clearly.
    
    Reviewed by:    kib
    
    (cherry picked from commit 0bf4d22c37083170961c31694b90551538901a1c)
---
 sys/kern/kern_event.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 3df1ed5565d2..e10e57cdceb8 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -1669,12 +1669,6 @@ findkn:
 			kn->kn_fp = fp;
 			kn->kn_kq = kq;
 			kn->kn_fop = fops;
-			/*
-			 * apply reference counts to knote structure, and
-			 * do not release it at the end of this routine.
-			 */
-			fops = NULL;
-			fp = NULL;
 
 			kn->kn_sfflags = kev->fflags;
 			kn->kn_sdata = kev->data;
@@ -1695,6 +1689,16 @@ findkn:
 				goto done;
 			}
 
+			/*
+			 * We transfer ownership of fops/fp to the knote
+			 * structure and avoid releasing them at the end of
+			 * this routine, now that all of the remaining exit
+			 * paths will knote_drop() to release the reference
+			 * counts we held on them above.
+			 */
+			fops = NULL;
+			fp = NULL;
+
 			if ((error = kn->kn_fop->f_attach(kn)) != 0) {
 				knote_drop_detached(kn, td);
 				goto done;
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69dd0110.1a10c.13b8c5d>