Date:      Thu, 1 Dec 2011 11:36:41 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r228178 - head/sys/kern
Message-ID:  <201112011136.pB1BafvW043247@svn.freebsd.org>

Author: kib
Date: Thu Dec  1 11:36:41 2011
New Revision: 228178
URL: http://svn.freebsd.org/changeset/base/228178

Log:
  If alloc_unr() call in the pipe_create() failed, then pipe->pipe_ino is
  -1. But, because ino_t is unsigned, this case was not covered by the
  test ino > 0 in pipeclose(), leading to the free_unr(-1). Fix it by
  explicitly comparing with 0 and -1. [1]
  
  Do not access freed memory, the inode number was cached to prevent access
  to cpipe after it possibly was freed, but I failed to commit the right
  patch.
  
  Noted by:	gianni [1]
  Pointy hat to:	kib
  MFC after:	3 days

Modified:
  head/sys/kern/sys_pipe.c

Modified: head/sys/kern/sys_pipe.c
==============================================================================
--- head/sys/kern/sys_pipe.c	Thu Dec  1 11:20:25 2011	(r228177)
+++ head/sys/kern/sys_pipe.c	Thu Dec  1 11:36:41 2011	(r228178)
@@ -1554,8 +1554,8 @@ pipeclose(cpipe)
 	} else
 		PIPE_UNLOCK(cpipe);
 
-	if (ino > 0)
-		free_unr(pipeino_unr, cpipe->pipe_ino);
+	if (ino != 0 && ino != (ino_t)-1)
+		free_unr(pipeino_unr, ino);
 }
 
 /*ARGSUSED*/
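
Review bot: The test `if (ino != 0 && ino != (ino_t)-1)` in pipeclose() relies on two sentinel values with no comment saying what each one stands for. Per the log, (ino_t)-1 is what a failed alloc_unr() leaves in pipe_ino, so a one-line comment above the test, or a named constant for the failure value, would keep a later cleanup from simplifying it back to `ino > 0`, which is true for (ino_t)-1 because ino_t is unsigned. The change from `cpipe->pipe_ino` to the cached `ino` in the free_unr() call also deserves a short comment stating that cpipe may already have been freed at this point and must not be dereferenced, since nothing in the surrounding lines makes that lifetime constraint visible.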


