Date:      Fri, 30 Dec 2011 19:58:06 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r229016 - stable/9/sys/kern
Message-ID:  <201112301958.pBUJw6q0027803@svn.freebsd.org>

Author: kib
Date: Fri Dec 30 19:58:06 2011
New Revision: 229016
URL: http://svn.freebsd.org/changeset/base/229016

Log:
  MFC r228178:
  If alloc_unr() call in the pipe_create() failed, then pipe->pipe_ino is
  -1. But, because ino_t is unsigned, this case was not covered by the
  test ino > 0 in pipeclose(), leading to the free_unr(-1). Fix it by
  explicitly comparing with 0 and -1.
  
  Do not access freed memory, the inode number was cached to prevent access
  to cpipe after it possibly was freed, but I failed to commit the right
  patch.

Modified:
  stable/9/sys/kern/sys_pipe.c
Directory Properties:
  stable/9/sys/   (props changed)

Modified: stable/9/sys/kern/sys_pipe.c
==============================================================================
--- stable/9/sys/kern/sys_pipe.c	Fri Dec 30 19:24:53 2011	(r229015)
+++ stable/9/sys/kern/sys_pipe.c	Fri Dec 30 19:58:06 2011	(r229016)
@@ -1554,8 +1554,8 @@ pipeclose(cpipe)
 	} else
 		PIPE_UNLOCK(cpipe);
 
-	if (ino > 0)
-		free_unr(pipeino_unr, cpipe->pipe_ino);
+	if (ino != 0 && ino != (ino_t)-1)
+		free_unr(pipeino_unr, ino);
 }
 
 /*ARGSUSED*/
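
Review bot: the new test `if (ino != 0 && ino != (ino_t)-1)` relies on two magic values that the code itself does not explain. The log says (ino_t)-1 is what a failed alloc_unr() leaves in pipe_ino, but a reader of sys_pipe.c will not see that; a one-line comment above the test, or a named constant for the failure sentinel plus a note on what 0 stands for, would keep the next edit from reverting to a plain `ino > 0`. The assignment to `ino` lies outside this hunk's context, so it is worth confirming in review that the value is cached before the point where cpipe may be freed, since the second half of the fix depends on free_unr() no longer reading cpipe->pipe_ino.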


