From owner-cvs-all@FreeBSD.ORG  Fri May 23 11:09:50 2008
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 56718106564A;
	Fri, 23 May 2008 11:09:50 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org
	[IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 48D628FC15;
	Fri, 23 May 2008 11:09:50 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id m4NB9o3f069862;
	Fri, 23 May 2008 11:09:50 GMT (envelope-from kib@repoman.freebsd.org)
Received: (from kib@localhost)
	by repoman.freebsd.org (8.14.1/8.14.1/Submit) id m4NB9osT069861;
	Fri, 23 May 2008 11:09:50 GMT (envelope-from kib)
Message-Id: <200805231109.m4NB9osT069861@repoman.freebsd.org>
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Fri, 23 May 2008 11:09:50 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Cc: 
Subject: cvs commit: src/sys/kern sys_pipe.c
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 23 May 2008 11:09:50 -0000

kib         2008-05-23 11:09:50 UTC

  FreeBSD src repository

  Modified files:
    sys/kern             sys_pipe.c 
  Log:
  Destruction of the pipe calls knlist_cleardel() to remove the knotes
  monitoring the pipe. The code sets pipe_present = 0 and enters
  knlist_cleardel(), where the PIPE_MTX might be dropped when knl->kl_list
  cannot be cleared due to influx knotes.
  
  If the following often encountered code fragment
                  if (!(kn->kn_status & KN_DETACHED))
                          kn->kn_fop->f_detach(kn);
                  knote_drop(kn, td); [1]
  is executed while the knlist lock is dropped, then the knote memory is freed
  by the knote_drop() without knote being removed from the knlist, since
  the filt_pipedetach() contains the following:
          if (kn->kn_filter == EVFILT_WRITE) {
                  if (!cpipe->pipe_peer->pipe_present) {
                          PIPE_UNLOCK(cpipe);
                          return;
  
  Now, the memory may be reused in the zone, causing the access to the
  freed memory. I got the panics caused by the marker knote appearing on
  the knlist, that, I believe, manifestation of the issue. In the Peter
  Holm test scenarious, we got unkillable processes too.
  
  The pipe_peer that has the knote for write shall be present. Ignore the
  pipe_present value for EVFILT_WRITE in filt_pipedetach().
  
  Debugging help and tested by:   pho
  Discussed with: jmg
  MFC after:      2 weeks
  
  Revision  Changes    Path
  1.197     +1 -6      src/sys/kern/sys_pipe.c