From ba719baeabbff5476eeb91c223e6921ba29e1490 Mon Sep 17 00:00:00 2001 From: Ulrich Drepper Date: Tue, 6 May 2008 20:42:38 -0700 Subject: [PATCH] sys_pipe(): fix file descriptor leaks Remember to close the files if copy_to_user() failed. Spotted by dm.n9107@gmail.com. Signed-off-by: Ulrich Drepper Cc: DM Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- arch/cris/kernel/sys_cris.c | 5 ++++- arch/m32r/kernel/sys_m32r.c | 5 ++++- fs/pipe.c | 6 +++++- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/arch/cris/kernel/sys_cris.c b/arch/cris/kernel/sys_cris.c index 8b99841..d124066 100644 --- a/arch/cris/kernel/sys_cris.c +++ b/arch/cris/kernel/sys_cris.c @@ -40,8 +40,11 @@ asmlinkage int sys_pipe(unsigned long __user * fildes) error = do_pipe(fd); unlock_kernel(); if (!error) { - if (copy_to_user(fildes, fd, 2*sizeof(int))) + if (copy_to_user(fildes, fd, 2*sizeof(int))) { + sys_close(fd[0]); + sys_close(fd[1]); error = -EFAULT; + } } return error; } diff --git a/arch/m32r/kernel/sys_m32r.c b/arch/m32r/kernel/sys_m32r.c index 6d7a80f..319c797 100644 --- a/arch/m32r/kernel/sys_m32r.c +++ b/arch/m32r/kernel/sys_m32r.c @@ -90,8 +90,11 @@ sys_pipe(unsigned long r0, unsigned long r1, unsigned long r2, error = do_pipe(fd); if (!error) { - if (copy_to_user((void __user *)r0, fd, 2*sizeof(int))) + if (copy_to_user((void __user *)r0, fd, 2*sizeof(int))) { + sys_close(fd[0]); + sys_close(fd[1]); error = -EFAULT; + } } return error; } diff --git a/fs/pipe.c b/fs/pipe.c index 3499f9f..ec228bc 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -1086,8 +1087,11 @@ asmlinkage long __weak sys_pipe(int __user *fildes) error = do_pipe(fd); if (!error) { - if (copy_to_user(fildes, fd, sizeof(fd))) + if (copy_to_user(fildes, fd, sizeof(fd))) { + sys_close(fd[0]); + sys_close(fd[1]); error = -EFAULT; + } } return error; } -- 1.8.2.3