On Thu, Nov 30, 2017 at 02:07:19AM +0000, Al Viro wrote:

Incidentally, grepping for sys_close() shows another piece of fun in
net/netfilter/xt_bpf.c.  Folks, ONCE DESCRIPTOR IS INSTALLED, THAT'S
IT; THERE'S NO REMOVING IT ON FAILURE EXITS.  sys_close() should
never, ever be used that way.  Sigh...

Would be great do unexport the thing.  Except that we also have
binfmt_misc (which looks legit) and autofs4, which on crack decided
that close() isn't a fun syscall, they'd much rather have an ioctl
that does exactly the same..