When clone_flags & CLONE_PIDFD is true, the function creates a new file object called pidfile and invokes get_pid(), which increases the refcount of pid for pidfile to hold.
The reference counting issue takes place in the error handling paths. When an error occurs after the construction of pidfile, the function only invokes fput() to destroy pidfile, in which the increased refcount is not decreased, resulting in a refcount leak. Fix this issue by adding put_pid() in the error handling path bad_fork_put_pidfd.

Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
Signed-off-by: Xin Xiong <[email protected]>
--- kernel/fork.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/fork.c b/kernel/fork.c index 142b23645d82..7cbfb2c4fce3 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -2319,6 +2319,7 @@ static __latent_entropy struct task_struct *copy_process( bad_fork_put_pidfd: if (clone_flags & CLONE_PIDFD) { fput(pidfile); + put_pid(pid); put_unused_fd(pidfd); } bad_fork_free_pid: -- 2.25.1
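Review bot: the added put_pid(pid) in bad_fork_put_pidfd drops the pid reference a second time rather than fixing a leak. The reference taken with get_pid() is handed to the pidfd file as its private_data, so the file owns it, and fput(pidfile) already returns it: when the last reference to the file goes away, the pidfd release handler calls put_pid() on private_data. With the extra put_pid(), the fall-through into bad_fork_free_pid then operates on a pid whose count is one lower than the allocation path expects. Suggest dropping the hunk; if a leak was actually observed, the commit message should show a path on which fput(pidfile) is reached without the file having taken ownership of the get_pid() reference.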
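The following is an added illustration, not kernel code and not part of the patch or its discussion. It is a small model of the ownership rule at issue: a file object that owns one reference to a pid (taken with get_pid() and stored in private_data, the way the pidfd file does) returns that reference from its release handler when fput() drops the last file reference. The names get_pid, put_pid, fput and pidfd_release mirror the kernel functions only in spirit; the counts, the simulate_error_path() helper and the free_pid-like final put are assumptions of the model. Running the error path as the current code does it (fput only) leaves the count balanced, while adding the patch's put_pid() drives it below zero.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the reference ownership discussed above; not kernel code.
 * The pid count is a plain int so that an underflow is visible instead of
 * saturating the way the kernel's refcount_t would. */
struct pid {
    int count;
};

struct file {
    int f_count;                    /* file reference count */
    void *private_data;             /* the pid this pidfd refers to */
    void (*release)(struct file *); /* models the fops release callback */
};

/* Model of get_pid(): take one extra reference and hand it back to the caller. */
static struct pid *get_pid(struct pid *p)
{
    if (p)
        p->count++;
    return p;
}

/* Model of put_pid(): drop one reference. Going below zero models a double put. */
static void put_pid(struct pid *p)
{
    if (p)
        p->count--;
}

/* Model of the pidfd release handler: the file owns one pid reference
 * (its private_data) and drops it exactly once, when the file is destroyed. */
static void pidfd_release(struct file *f)
{
    put_pid(f->private_data);
}

/* Model of anon_inode_getfile() for a pidfd: the caller's reference moves
 * into private_data, so the file now owns it. */
static struct file *pidfd_getfile(struct pid *p)
{
    struct file *f = calloc(1, sizeof *f);
    if (!f)
        abort();
    f->f_count = 1;
    f->private_data = p;
    f->release = pidfd_release;
    return f;
}

/* Model of fput(): the last file reference runs the release handler. */
static void fput(struct file *f)
{
    if (--f->f_count == 0) {
        f->release(f);
        free(f);
    }
}

/* Walk the bad_fork_put_pidfd error path of the model.
 * extra_put == 0: current code (fput only).
 * extra_put == 1: the patch (fput followed by put_pid).
 * Returns the pid count after the error path including the final
 * allocation-owner put that bad_fork_free_pid stands for; 0 means balanced,
 * a negative value means one put too many. */
static int simulate_error_path(int extra_put)
{
    struct pid pid = { .count = 1 };            /* reference owned by the allocator */
    struct file *pidfile = pidfd_getfile(get_pid(&pid)); /* count is now 2 */

    /* bad_fork_put_pidfd: */
    fput(pidfile);                              /* release handler drops the file's ref: 1 */
    if (extra_put)
        put_pid(&pid);                          /* the patch's extra put: 0 */

    /* bad_fork_free_pid: the allocator's own reference goes away here. */
    put_pid(&pid);                              /* 0 without the patch, -1 with it */
    return pid.count;
}

int main(void)
{
    printf("fput only      -> remaining pid count %d\n", simulate_error_path(0));
    printf("fput + put_pid -> remaining pid count %d\n", simulate_error_path(1));
    return 0;
}
```

The model deliberately keeps the pid on the stack and never frees it, so the second put shows up as a negative count rather than as a use-after-free; in the real kernel the same imbalance would surface as a refcount warning or a freed pid being touched by the code that follows the error label.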

