From 2754ff61c1e07597d36abf0d0b3410f0b371dd5e Mon Sep 17 00:00:00 2001
From: Guy Zana <guy@cloudius-systems.com>
Date: Sun, 7 Apr 2013 12:10:53 +0300
Subject: [PATCH] hold a refcount before calling fo_close(fp)

the socket implementation of fo_close() frees the socket structure and that in
turn invokes poll_wake() which uses refcounting as it messes with the file structure.

the following patch increases the refcount by 1 before calling fo_close()
so we avoid entering the free area in fdrop twice.
---
 fs/vfs/kern_descrip.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/vfs/kern_descrip.c b/fs/vfs/kern_descrip.c
index c1680c6c2..0face8cdb 100644
--- a/fs/vfs/kern_descrip.c
+++ b/fs/vfs/kern_descrip.c
@@ -189,6 +189,12 @@ int fdrop(struct file *fp)
 	if (__sync_fetch_and_sub(&fp->f_count, 1) > 1)
 		return 0;
 
+	/* We are about to free this file structure, but we still do things with it
+	 * so we increase the refcount by one, fdrop may get called again
+	 * and we don't want to reach this point more than once.
+	 */
+
+	fhold(fp);
 	fo_close(fp);
 	poll_drain(fp);
 	mutex_destroy(&fp->f_lock);
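Review bot: the extra `fhold(fp)` only guards against exactly one re-entrant `fdrop()`: with `f_count` raised to 2, a nested `fdrop()` sees `__sync_fetch_and_sub(&fp->f_count, 1) > 1` and returns 0, but a second nested drop during `fo_close(fp)` or `poll_drain(fp)` would see 1 and fall through into the teardown path again, so the comment should state that assumption (one nested drop at most) and that the held reference is deliberately never released because the structure is torn down unconditionally below. Consider also dropping the empty `+` line between the closing `*/` and `fhold(fp);`, and rewording the comment to say why the reference is taken, e.g. `/* Take a reference so that a nested fdrop() from fo_close()/poll_wake() returns early instead of freeing fp a second time. */`.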
-- 
GitLab