If alloc_unr() call in the pipe_create() failed, then pipe->pipe_ino is

-1. But, because ino_t is unsigned, this case was not covered by the test ino > 0 in pipeclose(), leading to the free_unr(-1). Fix it by explicitely comparing with 0 and -1. [1] Do no access freed memory, the inode number was cached to prevent access to cpipe after it possibly was freed, but I failed to commit the right patch. Noted by: gianni [1] Pointy hat to: kib MFC after: 3 days
2011-12-01 11:36:41 +00:00 · 2011-12-01 11:36:41 +00:00 · 132ad7aa9b
commit 132ad7aa9b
parent 4dbebd9e51
1 changed files with 2 additions and 2 deletions
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@ -1554,8 +1554,8 @@ pipeclose(cpipe)
 	} else
 		PIPE_UNLOCK(cpipe);

-	if (ino > 0)
-		free_unr(pipeino_unr, cpipe->pipe_ino);
+	if (ino != 0 && ino != (ino_t)-1)
+		free_unr(pipeino_unr, ino);
 }

 /*ARGSUSED*/