[PATCH] fork: fix pid refcount leaks when destroying file

From: Xin Xiong
Date: Sun Jul 26 2020 - 01:08:12 EST


When clone_flags & CLONE_PIDFD is true, the function creates a new file
object called pidfile, and invokes get_pid(), which increases the refcnt
of pid for pidfile to hold.

The reference counting issues take place in the error handling paths.
When an error occurs after the construction of pidfile, the function only
invokes fput() to destroy pidfile, in which the increased refcount
won't be decreased, resulting in a refcount leak.

Fix this issue by adding put_pid() in the error handling path
bad_fork_put_pidfd.

Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx>
Signed-off-by: Xin Xiong <xiongx18@xxxxxxxxxxxx>
---
kernel/fork.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/kernel/fork.c b/kernel/fork.c
index 142b23645d82..7cbfb2c4fce3 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2319,6 +2319,7 @@ static __latent_entropy struct task_struct *copy_process(
bad_fork_put_pidfd:
if (clone_flags & CLONE_PIDFD) {
fput(pidfile);
+ put_pid(pid);
put_unused_fd(pidfd);
}
bad_fork_free_pid:
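Review bot: the added put_pid(pid) after fput(pidfile) looks like a double drop rather than a leak fix. The commit message itself says the get_pid() reference is taken "for pidfile to hold", i.e. ownership of that reference moves into the file object (it is the file's private_data). A reference owned by a file is released by the file's ->release callback when fput() drops the last count, and pidfd_release() in this same file does exactly that with put_pid(file->private_data). Since the descriptor has not been installed yet at this point in copy_process(), fput(pidfile) drops the only reference and ->release runs (via task_work, but it does run), so the pid reference is already returned there. With the extra put_pid(pid) the error path would underflow the pid refcount and free a struct pid that is still in use, which is worse than the leak being described. Before this goes in, please re-check the ownership with a refcount trace on the CLONE_PIDFD error path (e.g. inject a failure after the pidfile is created and watch the pid's count); if the leak is real, the fix should explain why ->release is not reached rather than adding an unconditional put here.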
--
2.25.1