Unverified Commit 708c04a5 authored Aug 05, 2025 by Thomas Weißschuh Committed by Christian Brauner Aug 11, 2025

fs: always return zero on success from replace_fd()



replace_fd() returns the number of the new file descriptor through the
return value of do_dup2(). However its callers never care about the
specific returned number. In fact the caller in receive_fd_replace() treats
any non-zero return value as an error and therefore never calls
__receive_sock() for most file descriptors, which is a bug.

To fix the bug in receive_fd_replace() and to avoid the same issue
happening in future callers, signal success through a plain zero.

Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Link: https://lore.kernel.org/lkml/20250801220215.GS222315@ZenIV/


Fixes: 17381715 ("fs: Expand __receive_fd() to accept existing fd")
Fixes: 42eb0d54 ("fs: split receive_fd_replace from __receive_fd")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Link: https://lore.kernel.org/20250805-fix-receive_fd_replace-v3-1-b72ba8b34bac@linutronix.de


Signed-off-by: Christian Brauner <brauner@kernel.org>

parent f7d81235

fs/file.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -1330,7 +1330,10 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags)
		err = expand_files(files, fd);
		if (unlikely(err < 0))
		goto out_unlock;
		return do_dup2(files, file, fd, flags);
		err = do_dup2(files, file, fd, flags);
		if (err < 0)
		return err;
		return 0;

		out_unlock:
		spin_unlock(&files->file_lock);