The branch main has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=0bf4d22c37083170961c31694b90551538901a1c
commit 0bf4d22c37083170961c31694b90551538901a1c Author: Kyle Evans <[email protected]> AuthorDate: 2026-04-09 02:37:00 +0000 Commit: Kyle Evans <[email protected]> CommitDate: 2026-04-09 02:37:11 +0000 kqueue: don't leak file refs on failure to knote_attach() We'll subsequently just knote_free() since the knote is barely constructed, but that bypasses any logic that might release references on owned files/fops. Defer clearing those until the knote actually owns them and update the comment to draw the line more clearly. Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D56318
---
 sys/kern/kern_event.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 0d37327f14bd..1deb7a705c56 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -1822,12 +1822,6 @@ findkn:
 kn->kn_fp = fp;
 kn->kn_kq = kq;
 kn->kn_fop = fops;
- /*
- * apply reference counts to knote structure, and
- * do not release it at the end of this routine.
- */
- fops = NULL;
- fp = NULL;

 kn->kn_sfflags = kev->fflags;
 kn->kn_sdata = kev->data;
@@ -1848,6 +1842,16 @@ findkn:
 goto done;
 }

+ /*
+ * We transfer ownership of fops/fp to the knote
+ * structure and avoid releasing them at the end of
+ * this routine, now that all of the remaining exit
+ * paths will knote_drop() to release the reference
+ * counts we held on them above.
+ */
+ fops = NULL;
+ fp = NULL;
+
 if ((error = kn->kn_fop->f_attach(kn)) != 0) {
 knote_drop_detached(kn, td);
 goto done;
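Review bot: The relocated comment in the second hunk says every remaining exit path "will knote_drop()", but the one failure path visible directly below it calls `knote_drop_detached(kn, td)`; wording it as `paths will knote_drop() or knote_drop_detached()` keeps the comment true to the code it guards. The change also opens a window, from `kn->kn_fp = fp` in the first hunk down to this point, in which the knote holds borrowed pointers while `fp`/`fops` still carry the references, and nothing at the assignment says so. A one-line comment there, such as `/* fp/fops stay owned by this routine until knote_attach() succeeds */`, would keep a later error path in that window from calling knote_drop() and releasing them twice. The `done:` cleanup and the body of knote_drop() lie outside the hunk, so the claim that each side releases exactly once cannot be confirmed from these lines. Because a leaked or doubly released file reference is a kernel refcount defect that may be reachable repeatedly from userland, a regression test that forces the knote_attach() failure would be worth landing with the fix.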
