From 0bf4d22c37083170961c31694b90551538901a1c Mon Sep 17 00:00:00 2001
From: Kyle Evans
Date: Wed, 8 Apr 2026 21:37:00 -0500
Subject: [PATCH] kqueue: don't leak file refs on failure to knote_attach()

We'll subsequently just knote_free() since the knote is barely constructed, but that bypasses any logic that might release references on owned files/fops. Defer clearing those until the knote actually owns them and update the comment to draw the line more clearly.

Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D56318
---
 sys/kern/kern_event.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 0d37327f14b..1deb7a705c5 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -1822,12 +1822,6 @@ kqueue_register(struct kqueue *kq, struct kevent *kev, struct thread *td,
 	kn->kn_fp = fp;
 	kn->kn_kq = kq;
 	kn->kn_fop = fops;
-	/*
-	 * apply reference counts to knote structure, and
-	 * do not release it at the end of this routine.
-	 */
-	fops = NULL;
-	fp = NULL;
 
 	kn->kn_sfflags = kev->fflags;
 	kn->kn_sdata = kev->data;
@@ -1848,6 +1842,16 @@ kqueue_register(struct kqueue *kq, struct kevent *kev, struct thread *td,
 		goto done;
 	}
 
+	/*
+	 * We transfer ownership of fops/fp to the knote
+	 * structure and avoid releasing them at the end of
+	 * this routine, now that all of the remaining exit
+	 * paths will knote_drop() to release the reference
+	 * counts we held on them above.
+	 */
+	fops = NULL;
+	fp = NULL;
+
 	if ((error = kn->kn_fop->f_attach(kn)) != 0) {
 		knote_drop_detached(kn, td);
 		goto done;
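Review bot: The new comment promises that the remaining exit paths "will knote_drop()", but the very next exit path calls `knote_drop_detached()`, so a reader checking the claim against the code sees a mismatch; suggest `* paths will knote_drop_detached()/knote_drop() to release the` so the comment names the function actually used. The fix also now relies on a double-ownership window that is not written down anywhere: between `kn->kn_fp = fp` / `kn->kn_fop = fops` and the deferred `fops = NULL; fp = NULL;`, both the knote and the locals hold the same pointers, and correctness depends on the earlier failure path (the `goto done; }` context above, presumably the knote_attach() failure the commit message describes) freeing the knote without releasing kn_fp/kn_fop while `done:` releases the locals. A one-line note at the assignment, e.g. `/* kn_fp/kn_fop are borrowed from fp/fops until cleared below */`, would keep a future knote_free() change from turning this into a double release. kqueue_register() begins and ends outside both hunks, so the `done:` cleanup and the intervening attach code are not visible here.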