kqueue: don't leak file refs on failure to knote_attach()

We'll subsequently just knote_free() since the knote is barely
constructed, but that bypasses any logic that might release references
on owned files/fops.  Defer clearing those until the knote actually owns
them and update the comment to draw the line more clearly.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D56318
Kyle Evans
2026-04-08 21:37:00 -05:00
parent 9f7080ba6b
commit 0bf4d22c37
+10 -6
@@ -1822,12 +1822,6 @@ kqueue_register(struct kqueue *kq, struct kevent *kev, struct thread *td,
kn->kn_fp = fp;
kn->kn_kq = kq;
kn->kn_fop = fops;
/*
* apply reference counts to knote structure, and
* do not release it at the end of this routine.
*/
fops = NULL;
fp = NULL;
kn->kn_sfflags = kev->fflags;
kn->kn_sdata = kev->data;
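Review bot: with the clearing of fops and fp removed from just after kn->kn_fop = fops, the knote and the locals alias the same fp/fops references until the later transfer, and nothing at this spot says so any more. A one-line comment at the kn->kn_fp = fp / kn->kn_fop = fops assignments, stating that the knote only borrows these until knote_attach() has succeeded, would keep a later change from adding a release through kn on the early failure path, which would release them a second time alongside the cleanup at done.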
@@ -1848,6 +1842,16 @@ kqueue_register(struct kqueue *kq, struct kevent *kev, struct thread *td,
goto done;
}
/*
* We transfer ownership of fops/fp to the knote
* structure and avoid releasing them at the end of
* this routine, now that all of the remaining exit
* paths will knote_drop() to release the reference
* counts we held on them above.
*/
fops = NULL;
fp = NULL;
if ((error = kn->kn_fop->f_attach(kn)) != 0) {
knote_drop_detached(kn, td);
goto done;
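Review bot: the new comment above fops = NULL says the remaining exit paths "will knote_drop()", but the first failure path right below it calls knote_drop_detached(kn, td). Suggest naming both in the comment, for example "will knote_drop() or knote_drop_detached()", so it matches the code it introduces. It would also help to say explicitly that the goto done just above the comment is the last exit that still relies on the locals being non-NULL, since that is the line this change is drawing.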