svn commit: r278145 - head/sys/kern

[Konstantin Belousov]

Author: kib
Date: Tue Feb  3 10:29:40 2015
New Revision: 278145
URL: https://svnweb.freebsd.org/changeset/base/278145

Log:
  Fix use after free in pipe_dtor().  PIPE_NAMED flag must be tested
  before pipeclose() is called, since for !PIPE_NAMED case, when peer is
  already closed, the pipe pair memory is freed.
  
  Submitted by:	luke.tw at gmail.com
  PR:	197246
  Tested by:	pho
  MFC after:	3 days

Modified:
  head/sys/kern/sys_pipe.c

Modified: head/sys/kern/sys_pipe.c
==============================================================================
--- head/sys/kern/sys_pipe.c	Tue Feb  3 08:59:42 2015	(r278144)
+++ head/sys/kern/sys_pipe.c	Tue Feb  3 10:29:40 2015	(r278145)
@@ -377,15 +377,16 @@ pipe_named_ctor(struct pipe **ppipe, str
 void
 pipe_dtor(struct pipe *dpipe)
 {
+	struct pipe *peer;
 	ino_t ino;
 
 	ino = dpipe->pipe_ino;
+	peer = (dpipe->pipe_state & PIPE_NAMED) != 0 ? dpipe->pipe_peer : NULL;
 	funsetown(&dpipe->pipe_sigio);
 	pipeclose(dpipe);
-	if (dpipe->pipe_state & PIPE_NAMED) {
-		dpipe = dpipe->pipe_peer;
-		funsetown(&dpipe->pipe_sigio);
-		pipeclose(dpipe);
+	if (peer != NULL) {
+		funsetown(&peer->pipe_sigio);
+		pipeclose(peer);
 	}
 	if (ino != 0 && ino != (ino_t)-1)
 		free_unr(pipeino_unr, ino);