tech-kern archive


Re: crash in pipe_create()



Matthias Drochner <M.Drochner%fz-juelich.de@localhost> writes:

> While we are here: As reported by Scott Ellis and Tobias Nygren
> on current-users, some "configure" test crashes the system.
> I've just looked at it and found that the appended little
> program triggers the crash if started 2 times in succession.
> It happens in knote() traversing the list of knotes,
> due to an invalid kn_selnext link.
> There are some "XXXAD" comments in kern_event.c which
> suggest that you might already know the problem...

The pipe object, once returned to the cache, may have a dangling pointer
(at the very point when it is returned, the knote objects are alive,
but soon they are destroyed when the peer pipe is closed).

enami.

Index: sys_pipe.c
===================================================================
RCS file: /cvsroot/src/sys/kern/sys_pipe.c,v
retrieving revision 1.107
diff -u -r1.107 sys_pipe.c
--- sys_pipe.c  6 Feb 2009 23:04:57 -0000       1.107
+++ sys_pipe.c  12 Feb 2009 09:47:59 -0000
@@ -1281,6 +1281,13 @@
                ppipe->pipe_peer = NULL;
        }
 
+       /*
+        * Any knote objects still left in the list are
+        * the one attached by peer.  Since no one will
+        * traverse this list, we just clear it.
+        */
+       SLIST_INIT(&pipe->pipe_sel.sel_klist);
+
        KASSERT((pipe->pipe_state & PIPE_LOCKFL) == 0);
        mutex_exit(lock);
 
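Review bot: the comment added above SLIST_INIT(&pipe->pipe_sel.sel_klist) states that no one will traverse this list, but nothing in the hunk shows what guarantees that. The knotes left on the list are still alive here and are only destroyed later when the peer closes, so the comment should say why their detach path can no longer reach this head (presumably because ppipe->pipe_peer was set to NULL just above, before mutex_exit(lock)) and that it will not attempt an SLIST_REMOVE against the now-empty list. Note also that the pipe_peer assignment sits inside a conditional block whose condition is outside the visible context, so please confirm the claim holds on the path where that block is skipped. Minor wording: "the one attached by peer" should read "those attached by the peer".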

