git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
fs: always return zero on success from replace_fd()
author Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Tue, 5 Aug 2025 12:38:08 +0000 (14:38 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 19 Oct 2025 14:33:33 +0000 (16:33 +0200)
commit 708c04a5c2b78e22f56e2350de41feba74dfccd9 upstream.

replace_fd() returns the number of the new file descriptor through the
return value of do_dup2(). However its callers never care about the
specific returned number. In fact the caller in receive_fd_replace() treats
any non-zero return value as an error and therefore never calls
__receive_sock() for most file descriptors, which is a bug.

To fix the bug in receive_fd_replace() and to avoid the same issue
happening in future callers, signal success through a plain zero.

Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Link: https://lore.kernel.org/lkml/20250801220215.GS222315@ZenIV/
Fixes: 173817151b15 ("fs: Expand __receive_fd() to accept existing fd")
Fixes: 42eb0d54c08a ("fs: split receive_fd_replace from __receive_fd")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Link: https://lore.kernel.org/20250805-fix-receive_fd_replace-v3-1-b72ba8b34bac@linutronix.de
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/file.c

index bfc9eb9e7229847bd52a6cee0cd1a8e2bea42e22..68c1bcc6b7e970d20318c432cffeff827ac144cd 100644 (file)
--- a/fs/file.c
+++ b/fs/file.c
@@ -1262,7 +1262,10 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags)
        err = expand_files(files, fd);
        if (unlikely(err < 0))
                goto out_unlock;
-       return do_dup2(files, file, fd, flags);
+       err = do_dup2(files, file, fd, flags);
+       if (err < 0)
+               return err;
+       return 0;
 
 out_unlock:
        spin_unlock(&files->file_lock);
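
Review bot: The new `return err;` and `return 0;` after the do_dup2() call both bypass the out_unlock label, just as the removed `return do_dup2(files, file, fd, flags);` did, so the locking is only balanced if do_dup2() releases files->file_lock itself on both its success and failure paths. A one-line comment above the call stating that would stop a later cleanup from turning the error return into `goto out_unlock` and unlocking twice. Separately, the return contract of replace_fd() changes here from "new fd number" to "zero on success, negative errno on failure", and nothing in the hunk documents it; a short comment above the function stating the contract would let callers that test the result with a plain non-zero check, as the commit message says receive_fd_replace() does, rely on something written down.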