If we failed to allocate the file discriptor for the write end of

the pipe, then we were corrupting the pipe_zone free list by calling pipeclose on rpipe twice. NULL out rpipe to avoid this. Reviewed by: dillon Reviewed by: iedowse
author: dwmalone <dwmalone@FreeBSD.org> 2001-01-08 22:14:48 +0000
committer: dwmalone <dwmalone@FreeBSD.org> 2001-01-08 22:14:48 +0000
commit: e42ccf8d79ffa7c3eab7b0edc9826a39595da584 (patch)
tree: 6aa9f9471c709cdcdc99e8d223687a0951eeda5b /sys/kern/sys_pipe.c
parent: 74fb2ac9f3b1d0db6b714762168308c2c724d16d (diff)
download: FreeBSD-src-e42ccf8d79ffa7c3eab7b0edc9826a39595da584.zip
FreeBSD-src-e42ccf8d79ffa7c3eab7b0edc9826a39595da584.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index 4c505e7..3b944dd 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -182,6 +182,12 @@ pipe(p, uap)
 	pipeinit(wpipe);
 	wpipe->pipe_state |= PIPE_DIRECTOK;
 
+	/*
+	 * Warning: once we've gotten past allocation of the fd for the
+	 * read-side, we can only drop the read side via fdrop() in order
+	 * to avoid races against processes which manage to dup() the read
+	 * side while we are blocked trying to allocate the write side.
+	 */
 	error = falloc(p, &rf, &fd);
 	if (error)
 		goto free2;
@@ -211,6 +217,8 @@ free3:
 		fdrop(rf, p);
 	}
 	fdrop(rf, p);
+	/* rpipe has been closed by fdrop() */
+	rpipe = NULL;
 free2:
 	(void)pipeclose(wpipe);
 	(void)pipeclose(rpipe);
author	dwmalone <dwmalone@FreeBSD.org>	2001-01-08 22:14:48 +0000
committer	dwmalone <dwmalone@FreeBSD.org>	2001-01-08 22:14:48 +0000
commit	e42ccf8d79ffa7c3eab7b0edc9826a39595da584 (patch)
tree	6aa9f9471c709cdcdc99e8d223687a0951eeda5b /sys/kern/sys_pipe.c
parent	74fb2ac9f3b1d0db6b714762168308c2c724d16d (diff)
download	FreeBSD-src-e42ccf8d79ffa7c3eab7b0edc9826a39595da584.zip FreeBSD-src-e42ccf8d79ffa7c3eab7b0edc9826a39595da584.tar.gz