[PATCH] sanitize anon_inode_getfd()

a) none of the callers even looks at inode or file returned by anon_inode_getfd()
b) any caller that would try to look at those would be racy, since by the time
it returns we might have raced with close() from another thread and that
file would be pining for fjords.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 4 insertions, 13 deletions

diff --git a/fs/signalfd.c b/fs/signalfd.c
index 8ead0db35933..619725644c75 100644
--- a/fs/signalfd.c
+++ b/fs/signalfd.c
@@ -207,11 +207,8 @@ static const struct file_operations signalfd_fops = {
 
 asmlinkage long sys_signalfd(int ufd, sigset_t __user *user_mask, size_t sizemask)
 {
-        int error;
         sigset_t sigmask;
         struct signalfd_ctx *ctx;
-        struct file *file;
-        struct inode *inode;
 
         if (sizemask != sizeof(sigset_t) ||
             copy_from_user(&sigmask, user_mask, sizeof(sigmask)))
@@ -230,12 +227,11 @@ asmlinkage long sys_signalfd(int ufd, sigset_t __user *user_mask, size_t sizemas
                  * When we call this, the initialization must be complete, since
                  * anon_inode_getfd() will install the fd.
                  */
-                error = anon_inode_getfd(&ufd, &inode, &file, "[signalfd]",
-                                         &signalfd_fops, ctx);
-                if (error)
-                        goto err_fdalloc;
+                ufd = anon_inode_getfd("[signalfd]", &signalfd_fops, ctx);
+                if (ufd < 0)
+                        kfree(ctx);
         } else {
-                file = fget(ufd);
+                struct file *file = fget(ufd);
                 if (!file)
                         return -EBADF;
                 ctx = file->private_data;
@@ -252,9 +248,4 @@ asmlinkage long sys_signalfd(int ufd, sigset_t __user *user_mask, size_t sizemas
         }
 
         return ufd;
-
-err_fdalloc:
-        kfree(ctx);
-        return error;
 }
-