From: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue, 22 Apr 2008 23:51:27 +0000 (-0400)
Subject: double-free of inode on alloc_file() failure exit in create_write_pipe()
X-Git-Tag: v2.6.25.7~44
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37067331d5902e42786f8456ca412512b19b8ac3;p=thirdparty%2Fkernel%2Fstable.git

double-free of inode on alloc_file() failure exit in create_write_pipe()

upstream commit: ed1524371716466e9c762808b02601d0d0276a92

Duh...  Fortunately, the bug is quite recent (post-2.6.25) and, embarrassingly,
mine ;-/

http://bugzilla.kernel.org/show_bug.cgi?id=10878

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

diff --git a/fs/pipe.c b/fs/pipe.c
index 8be381bbcb54a..f73492b6817ea 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -988,7 +988,10 @@ struct file *create_write_pipe(void)
 	return f;
 
  err_dentry:
+	free_pipe_info(inode);
 	dput(dentry);
+	return ERR_PTR(err);
+
  err_inode:
 	free_pipe_info(inode);
 	iput(inode);