If alloc_unr() call in the pipe_create() failed, then pipe->pipe_ino is

-1. But, because ino_t is unsigned, this case was not covered by the
test ino > 0 in pipeclose(), leading to the free_unr(-1). Fix it by
explicitely comparing with 0 and -1. [1]

Do no access freed memory, the inode number was cached to prevent access
to cpipe after it possibly was freed, but I failed to commit the right
patch.

Noted by:	gianni [1]
Pointy hat to:	kib
MFC after:	3 days

0 files changed, 0 insertions, 0 deletions