authorKyle Evans <kevans@FreeBSD.org>2026-04-09 02:37:00 +0000
committerKyle Evans <kevans@FreeBSD.org>2026-04-09 02:37:11 +0000
commit0bf4d22c37083170961c31694b90551538901a1c (patch)
treeb8235967568c6d9c4356d09d8877f031503c9998
parent9f7080ba6bcf18d013ae3b91dc9d92cfa731a8c0 (diff)
kqueue: don't leak file refs on failure to knote_attach()
We'll subsequently just knote_free() since the knote is barely constructed, but that bypasses any logic that might release references on owned files/fops. Defer clearing those until the knote actually owns them and update the comment to draw the line more clearly. Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D56318
-rw-r--r--sys/kern/kern_event.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 0d37327f14bd..1deb7a705c56 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -1822,12 +1822,6 @@ findkn:
kn->kn_fp = fp;
kn->kn_kq = kq;
kn->kn_fop = fops;
- /*
- * apply reference counts to knote structure, and
- * do not release it at the end of this routine.
- */
- fops = NULL;
- fp = NULL;
kn->kn_sfflags = kev->fflags;
kn->kn_sdata = kev->data;
@@ -1848,6 +1842,16 @@ findkn:
goto done;
}
+ /*
+ * We transfer ownership of fops/fp to the knote
+ * structure and avoid releasing them at the end of
+ * this routine, now that all of the remaining exit
+ * paths will knote_drop() to release the reference
+ * counts we held on them above.
+ */
+ fops = NULL;
+ fp = NULL;
+
if ((error = kn->kn_fop->f_attach(kn)) != 0) {
knote_drop_detached(kn, td);
goto done;
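Review bot: The new comment says the remaining exit paths will `knote_drop()`, but the failure path directly below it calls `knote_drop_detached(kn, td)`; wording such as `paths will knote_drop() or knote_drop_detached()` would keep the comment matching the code it sits above. The comment could also state the ordering constraint that the placement encodes: `fops`/`fp` have to be cleared after `knote_attach()` has succeeded and before `f_attach()` is called. The cleanup at `done` is outside this hunk, so this is inferred from the commit message, but it presumably releases any non-NULL `fp`/`fops`; clearing later than this point would then release the same references twice on the `f_attach()` failure path, and clearing earlier is the leak this commit fixes. The enclosing function starts and ends outside the hunk.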