From bf06776f7cb2bcf74567f92de3e16c58c88cb92e Mon Sep 17 00:00:00 2001
From: liuhaitao
Date: Tue, 8 Sep 2020 14:13:49 +0800
Subject: [PATCH] fs/vfs: reuse file_dup2 directly in file_dup to fix segfault issue

Or close the fd2 return by dup() would segment fault since filep->f_priv null access.

Change-Id: I285c86f54bbb486d6c2c5aea53952f69083dca72
Signed-off-by: liuhaitao
---
 fs/vfs/fs_dupfd.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/fs/vfs/fs_dupfd.c b/fs/vfs/fs_dupfd.c
index d8bd080c89..5364bdef93 100644
--- a/fs/vfs/fs_dupfd.c
+++ b/fs/vfs/fs_dupfd.c
@@ -50,13 +50,14 @@
 * accepts a struct file instance instead of a file descriptor.
 *
 * Returned Value:
- * Zero (OK) is returned on success; a negated errno value is returned on
- * any failure.
+ * The new file descriptor is returned on success; a negated errno value
+ * is returned on any failure.
 *
 ****************************************************************************/
 
 int file_dup(FAR struct file *filep, int minfd)
 {
+ FAR struct file *filep2;
 int fd2;
 int ret;
 
@@ -67,21 +68,26 @@ int file_dup(FAR struct file *filep, int minfd)
 return -EBADF;
 }
 
- /* Increment the reference count on the contained inode */
+ /* Then allocate a new file descriptor for the inode */
 
- ret = inode_addref(filep->f_inode);
+ fd2 = files_allocate(NULL, 0, 0, minfd);
+ if (fd2 < 0)
+ {
+ return -EMFILE;
+ }
+
+ ret = fs_getfilep(fd2, &filep2);
 if (ret < 0)
 {
+ files_release(fd2);
 return ret;
 }
 
- /* Then allocate a new file descriptor for the inode */
-
- fd2 = files_allocate(filep->f_inode, filep->f_oflags, filep->f_pos, minfd);
- if (fd2 < 0)
+ ret = file_dup2(filep, filep2);
+ if (ret < 0)
 {
- inode_release(filep->f_inode);
- return -EMFILE;
+ files_release(fd2);
+ return ret;
 }
 
 return fd2;
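Review bot: Between `fd2 = files_allocate(NULL, 0, 0, minfd);` and the return of `file_dup2(filep, filep2)`, descriptor fd2 is already published in the process's descriptor table with a NULL inode, so a concurrent thread in the same process that calls close() or read() on that number would hit a half-initialised struct file — the very NULL-access class the commit message describes; whether fs_getfilep or the other entry points reject a NULL f_inode is not visible in this hunk, so please confirm it, or keep the slot unreachable until file_dup2 has finished. Separately, the failure of files_allocate is still collapsed to `return -EMFILE;` on the new side, which discards its own return value and contradicts the updated header comment's "negated errno value"; if files_allocate already returns a negated errno, `return fd2;` is the more accurate line. A small wording point: the kept comment `/* Then allocate a new file descriptor for the inode */` now describes the first step, so `/* Allocate a new descriptor first; file_dup2() attaches the inode below */` reads better. The EBADF check of this function sits between this hunk and the previous one, and its closing brace lies outside the hunk.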
@@ -95,8 +101,8 @@ int file_dup(FAR struct file *filep, int minfd)
 * value greater than or equal to 'minfd').
 *
 * Returned Value:
- * Zero (OK) is returned on success; a negated errno value is returned on
- * any failure.
+ * The new file descriptor is returned on success; a negated errno value
+ * is returned on any failure.
 *
 ****************************************************************************/