Re: [PATCH] fs: Fix lock leak in replace_fd()

From: Christian Brauner

Date: Fri May 22 2026 - 06:15:42 EST


On Thu, May 21, 2026 at 04:45:28PM +0200, Mateusz Guzik wrote:
> On Thu, May 21, 2026 at 03:49:34PM +0800, Hongling Zeng wrote:
> > In replace_fd(), the function acquires files->file_lock but then has
> > two return paths that don't release the lock:
> > - When do_dup2() fails (returns negative error)
> > - When do_dup2() succeeds (returns 0)
> >
> > Both of these paths return directly without unlocking files->file_lock,
> > causing a lock leak and potential deadlock.
> >
> > Fix this by making both error and success paths go through the
> > out_unlock label to ensure the lock is always released.
>
> do_dup2 always releases the lock regardless of return value, so this
> patch cannot be correct.

I mean, also:

static int do_dup2(struct files_struct *files,
	struct file *file, unsigned fd, unsigned flags)
__releases(&files->file_lock)

it's literally in the annotation... and if that had been a bug it would
be very very noticeable very very quickly...
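A constructed userspace model of the replace_fd()/do_dup2() lock handoff, added here as an illustration and not code from the thread or the kernel: it reuses the __releases() spelling from the kernel's compiler headers and checks what happens to the lock under the existing convention (the helper drops it, the caller never touches it again) and under the caller-also-unlocks variant the patch proposes. model_do_dup2, model_replace_fd and check_lock_state are hypothetical stand-ins, not the kernel functions.

```c
#include <errno.h>
/* __releases() as the kernel spells it for sparse; empty under plain gcc. */
#ifdef __CHECKER__
# define __releases(x) __attribute__((context(x,1,0)))
#else
# define __releases(x)
#endif
/* Constructed lock model: records "still held" and "unlocked while not held". */
struct model_lock { int held; int bad_unlocks; };
static void model_lock(struct model_lock *l) { l->held = 1; }
static void model_unlock(struct model_lock *l) { l->bad_unlocks += !l->held; l->held = 0; }
struct files_model { struct model_lock file_lock; int fdtab[4]; };

/* Hypothetical stand-in for do_dup2(): drops file_lock on every return
 * path, success or error, which is exactly what __releases() asserts. */
static int model_do_dup2(struct files_model *files, int file, unsigned fd)
	__releases(&files->file_lock)
{
	int err = fd < 4 ? 0 : -EBADF;
	if (!err)
		files->fdtab[fd] = file;
	model_unlock(&files->file_lock);
	return err;
}
/* Hypothetical stand-in for replace_fd(). caller_unlocks == 0: hand the lock to
 * the helper and leave it (existing convention); 1: also unlock after, as the patch does. */
static int model_replace_fd(struct files_model *files, int file, unsigned fd,
			    int caller_unlocks)
{
	int err;
	model_lock(&files->file_lock);
	if (file < 0) {
		err = -EINVAL;
		goto out_unlock;
	}
	err = model_do_dup2(files, file, fd);
	if (!caller_unlocks)
		return err;
out_unlock:
	model_unlock(&files->file_lock);
	return err;
}

/* Classifies the lock after one call: 0 = balanced, 1 = leaked, 2 = unlocked twice. */
int check_lock_state(int file, unsigned fd, int caller_unlocks, int *ret)
{
	struct files_model files = { { 0, 0 }, { -1, -1, -1, -1 } };
	*ret = model_replace_fd(&files, file, fd, caller_unlocks);
	return files.file_lock.held ? 1 : (files.file_lock.bad_unlocks ? 2 : 0);
}
```

Under the existing convention every path leaves the lock balanced; routing the helper's success and error returns through out_unlock turns them into a second unlock of a lock the helper already dropped.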