fix the breakage in close_fd_get_file() calling conventions change

It used to grab an extra reference to struct file rather than just transferring to caller the one it had removed from descriptor table. New variant doesn't, and callers need to be adjusted. Reported-and-tested-by: syzbot+47dd250f527cb7bebf24@syzkaller.appspotmail.com Fixes: 6319194ec57b ("Unify the primitives for file descriptor closing") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Al Viro <viro@zeniv.linux.org.uk> 2022-06-05 14:01:42 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> 2022-06-05 15:03:03 -0400
commit: 40a1926022d128057376d35167128a7c74e3dca4 (patch)
tree: b58c10d4ef49365fece9ccd5e49974ce8e03d747 /drivers/android/binder.c
parent: 6319194ec57b0452dcda4589d24c4e7db299c5bf (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 27c9b004823a..73beea5dc18c 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1857,6 +1857,8 @@ static void binder_deferred_fd_close(int fd)
 	init_task_work(&twcb->twork, binder_do_fd_close);
 	twcb->file = close_fd_get_file(fd);
 	if (twcb->file) {
+		// pin it until binder_do_fd_close(); see comments there
+		get_file(twcb->file);
 		filp_close(twcb->file, current->files);
 		task_work_add(current, &twcb->twork, TWA_RESUME);
 	} else {
author	Al Viro <viro@zeniv.linux.org.uk>	2022-06-05 14:01:42 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	2022-06-05 15:03:03 -0400
commit	40a1926022d128057376d35167128a7c74e3dca4 (patch)
tree	b58c10d4ef49365fece9ccd5e49974ce8e03d747 /drivers/android/binder.c
parent	6319194ec57b0452dcda4589d24c4e7db299c5bf (diff)