fix a leak in replace_fd() users

replace_fd() began with "eats a reference, tries to insert into
descriptor table" semantics; at some point I'd switched it to
much saner current behaviour ("try to insert into descriptor
table, grabbing a new reference if inserted; caller should do
fput() in any case"), but forgot to update the callers.
Mea culpa...

[Spotted by Pavel Roskin, who has really weird system with pipe-fed
coredumps as part of what he considers a normal boot ;-)]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 7 insertions, 11 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 24ab4148547c..61a53367d029 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2132,18 +2132,14 @@ static inline void flush_unauthorized_files(const struct cred *cred,
                 return;
 
         devnull = dentry_open(&selinux_null, O_RDWR, cred);
-        if (!IS_ERR(devnull)) {
-                /* replace all the matching ones with this */
-                do {
-                        replace_fd(n - 1, get_file(devnull), 0);
-                } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
+        if (IS_ERR(devnull))
+                devnull = NULL;
+        /* replace all the matching ones with this */
+        do {
+                replace_fd(n - 1, devnull, 0);
+        } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
+        if (devnull)
                 fput(devnull);
-        } else {
-                /* just close all the matching ones */
-                do {
-                        replace_fd(n - 1, NULL, 0);
-                } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
-        }
 }
 
 /*