diff options
| author | John-Mark Gurney <jmg@FreeBSD.org> | 2003-10-12 07:06:02 +0000 |
|---|---|---|
| committer | John-Mark Gurney <jmg@FreeBSD.org> | 2003-10-12 07:06:02 +0000 |
| commit | 9e5de980c6b23c978d8fdec863f529c2216b6cc0 (patch) | |
| tree | 344a00b1ec4bd18791905ad55621bb9cf0de30db /sys/kern/sys_pipe.c | |
| parent | a307eb3d01f58b619a869a7474507189cb3cb2bf (diff) | |
| download | src-9e5de980c6b23c978d8fdec863f529c2216b6cc0.tar.gz src-9e5de980c6b23c978d8fdec863f529c2216b6cc0.zip | |
fix a problem referencing free'd memory. This is only a problem for
kqueue write events on a socket and you regularly create tons of pipes
which overwrites the structure causing a panic when removing the knote
from the list. If the peer has gone away (and it's a write knote), then
don't bother trying to remove the knote from the list.
Submitted by: Brian Buchanan and myself
Obtained from: nCircle
Notes
Notes:
svn path=/head/; revision=121018
Diffstat (limited to 'sys/kern/sys_pipe.c')
| -rw-r--r-- | sys/kern/sys_pipe.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index 76e23b733a9e..c5b39e0ae510 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c @@ -1467,7 +1467,6 @@ pipe_kqfilter(struct file *fp, struct knote *kn) default: return (1); } - kn->kn_hook = cpipe; PIPE_LOCK(cpipe); SLIST_INSERT_HEAD(&cpipe->pipe_sel.si_note, kn, kn_selnext); @@ -1478,7 +1477,13 @@ pipe_kqfilter(struct file *fp, struct knote *kn) static void filt_pipedetach(struct knote *kn) { - struct pipe *cpipe = (struct pipe *)kn->kn_hook; + struct pipe *cpipe = (struct pipe *)kn->kn_fp->f_data; + + if (kn->kn_filter == EVFILT_WRITE) { + if (cpipe->pipe_peer == NULL) + return; + cpipe = cpipe->pipe_peer; + } PIPE_LOCK(cpipe); SLIST_REMOVE(&cpipe->pipe_sel.si_note, kn, knote, kn_selnext); |