From f1d456150eaee8a281db4ce6c89bf4b4e24e2ba0 Mon Sep 17 00:00:00 2001 From: jmg Date: Sun, 12 Oct 2003 07:06:02 +0000 Subject: [PATCH] fix a problem referencing free'd memory. This is only a problem for kqueue write events on a socket and you regularly create tons of pipes which overwrites the structure causing a panic when removing the knote from the list. If the peer has gone away (and it's a write knote), then don't bother trying to remove the knote from the list. Submitted by: Brian Buchanan and myself Obtained from: nCircle --- sys/kern/sys_pipe.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index 76e23b733a9e..c5b39e0ae510 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c @@ -1467,7 +1467,6 @@ pipe_kqfilter(struct file *fp, struct knote *kn) default: return (1); } - kn->kn_hook = cpipe; PIPE_LOCK(cpipe); SLIST_INSERT_HEAD(&cpipe->pipe_sel.si_note, kn, kn_selnext); @@ -1478,7 +1477,13 @@ pipe_kqfilter(struct file *fp, struct knote *kn) static void filt_pipedetach(struct knote *kn) { - struct pipe *cpipe = (struct pipe *)kn->kn_hook; + struct pipe *cpipe = (struct pipe *)kn->kn_fp->f_data; + + if (kn->kn_filter == EVFILT_WRITE) { + if (cpipe->pipe_peer == NULL) + return; + cpipe = cpipe->pipe_peer; + } PIPE_LOCK(cpipe); SLIST_REMOVE(&cpipe->pipe_sel.si_note, kn, knote, kn_selnext);