Diff below does FREF(9) earlier instead of incrementing `f_count' by hand.

The error path is also updated to call FRELE(9) accordingly.

ok?

Index: kern/uipc_usrreq.c
===================================================================
RCS file: /cvs/src/sys/kern/uipc_usrreq.c,v
retrieving revision 1.123
diff -u -p -r1.123 uipc_usrreq.c
--- kern/uipc_usrreq.c  4 Jan 2018 10:45:30 -0000       1.123
+++ kern/uipc_usrreq.c  16 Apr 2018 08:13:52 -0000
@@ -838,23 +838,27 @@ morespace:
                        error = EBADF;
                        goto fail;
                }
+               FREF(fp);
                if (fp->f_count == LONG_MAX-2) {
+                       FRELE(fp, p);
                        error = EDEADLK;
                        goto fail;
                }
                error = pledge_sendfd(p, fp);
-               if (error)
+               if (error) {
+                       FRELE(fp, p);
                        goto fail;
-                   
+               }
+
                /* kqueue descriptors cannot be copied */
                if (fp->f_type == DTYPE_KQUEUE) {
+                       FRELE(fp, p);
                        error = EINVAL;
                        goto fail;
                }
                rp->fp = fp;
                rp->flags = fdp->fd_ofileflags[fd] & UF_PLEDGED;
                rp--;
-               fp->f_count++;
                if ((unp = fptounp(fp)) != NULL) {
                        unp->unp_file = fp;
                        unp->unp_msgcount++;
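Review bot: The three early exits that follow the added `FREF(fp)` (the EDEADLK, pledge_sendfd and DTYPE_KQUEUE paths) each repeat `FRELE(fp, p);` before `goto fail`, so the next check added to this sequence can easily forget the release; a second label that drops the current reference and falls into `fail:` would keep it in one place, replacing each pair with `goto fail_frele;` and adding `fail_frele: FRELE(fp, p);` immediately before `fail:`. Moving FREF ahead of the `fp->f_count == LONG_MAX-2` check also shifts that limit by one if FREF increments f_count the way the removed `fp->f_count++` did, since the value compared now already counts this reference; that is more conservative rather than wrong, but a comment such as `/* f_count already includes our FREF */` would make it deliberate. The enclosing function starts before this hunk and its `fail:` label lies outside it.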
@@ -867,7 +871,7 @@ fail:
        for ( ; i > 0; i--) {
                rp++;
                fp = rp->fp;
-               fp->f_count--;
+               FRELE(fp, p);
                if ((unp = fptounp(fp)) != NULL)
                        unp->unp_msgcount--;
                unp_rights--;
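Review bot: `FRELE(fp, p)` now runs before `fptounp(fp)` on the next line, so if FRELE can drop the last reference and free the file, the unp lookup that follows would touch freed memory; the removed `fp->f_count--` had the same position but only decremented a counter. If the sender's descriptor table is guaranteed to still hold a reference at this point so the count cannot reach zero, that assumption deserves a comment, e.g. `/* fd table still references fp; FRELE cannot free it here */`, otherwise move the FRELE after the `unp_msgcount--` update. The `fail:` label and the rest of the cleanup lie outside this hunk.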
