Author: kib
Date: Thu Dec  1 11:36:41 2011
New Revision: 228178
URL: http://svn.freebsd.org/changeset/base/228178

Log:
  If alloc_unr() call in the pipe_create() failed, then pipe->pipe_ino is
  -1. But, because ino_t is unsigned, this case was not covered by the
  test ino > 0 in pipeclose(), leading to the free_unr(-1). Fix it by
  explicitly comparing with 0 and -1. [1]
  
  Do not access freed memory, the inode number was cached to prevent access
  to cpipe after it possibly was freed, but I failed to commit the right
  patch.
  
  Noted by:     gianni [1]
  Pointy hat to:        kib
  MFC after:    3 days

Modified:
  head/sys/kern/sys_pipe.c

Modified: head/sys/kern/sys_pipe.c
==============================================================================
--- head/sys/kern/sys_pipe.c    Thu Dec  1 11:20:25 2011        (r228177)
+++ head/sys/kern/sys_pipe.c    Thu Dec  1 11:36:41 2011        (r228178)
@@ -1554,8 +1554,8 @@ pipeclose(cpipe)
        } else
                PIPE_UNLOCK(cpipe);
 
-       if (ino > 0)
-               free_unr(pipeino_unr, cpipe->pipe_ino);
+       if (ino != 0 && ino != (ino_t)-1)
+               free_unr(pipeino_unr, ino);
 }
 
 /*ARGSUSED*/
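
Review bot: The new test `ino != 0 && ino != (ino_t)-1` open-codes two sentinel values with no comment, so a reader of pipeclose() cannot tell why they are excluded. The log explains that -1 is what pipe_ino holds after alloc_unr() fails; that belongs in a short comment above the test (or a named constant for the failure value), together with what 0 stands for. The free_unr() call now passes the cached `ino` instead of `cpipe->pipe_ino`, which matches the stated goal of not touching cpipe after it may have been freed, but the assignment of `ino` is outside this hunk, so confirm it is read before the PIPE_UNLOCK path shown above and that no other dereference of cpipe remains after that point.
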
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
