Message-ID: <20200726044959.GA50544@xin-virtual-machine>
Date: Sun, 26 Jul 2020 12:49:59 +0800
From: Xin Xiong <xiongx18@...an.edu.cn>
To: Christian Brauner <christian@...uner.io>,
Andrew Morton <akpm@...ux-foundation.org>,
Thomas Gleixner <tglx@...utronix.de>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Peter Zijlstra <peterz@...radead.org>,
Eugene Syromiatnikov <esyr@...hat.com>,
Jason Gunthorpe <jgg@...pe.ca>,
Christian Kellner <christian@...lner.me>,
Adrian Reber <areber@...hat.com>,
Aleksa Sarai <cyphar@...har.com>, linux-kernel@...r.kernel.org
Cc: Xiyu Yang <xiyuyang19@...an.edu.cn>,
Xin Tan <tanxin.ctf@...il.com>, yuanxzhang@...an.edu.cn,
Xin Xiong <xiongx18@...an.edu.cn>
Subject: [PATCH] fork: fix pid refcount leaks when destroying file

When clone_flags & CLONE_PIDFD is true, the function creates a new file
object called pidfile, and invokes get_pid(), which increases the refcnt
of pid for pidfile to hold.

The reference counting issues take place in the error handling paths.
When an error occurs after the construction of pidfile, the function only
invokes fput() to destroy pidfile, in which the increased refcount
won't be decreased, resulting in a refcount leak.

Fix this issue by adding put_pid() in the error handling path
bad_fork_put_pidfd.

Signed-off-by: Xiyu Yang <xiyuyang19@...an.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@...il.com>
Signed-off-by: Xin Xiong <xiongx18@...an.edu.cn>
---
kernel/fork.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/fork.c b/kernel/fork.c
index 142b23645d82..7cbfb2c4fce3 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2319,6 +2319,7 @@ static __latent_entropy struct task_struct *copy_process(
bad_fork_put_pidfd:
if (clone_flags & CLONE_PIDFD) {
fput(pidfile);
+ put_pid(pid);
put_unused_fd(pidfd);
}
bad_fork_free_pid:
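Review bot: the added put_pid(pid) after fput(pidfile) in bad_fork_put_pidfd is only correct if releasing pidfile does not itself drop the reference taken by get_pid(), and the commit message asserts that without showing it. Please check the release handler of the file created for CLONE_PIDFD: if it already calls put_pid() on the pid stored in the file, this line drops the same reference twice, which replaces the reported leak with a refcount underflow and a possible use-after-free of the struct pid. Since the bad_fork_free_pid label follows immediately, the changelog should also state which reference that path releases and which one belongs to pidfile.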
--
2.25.1