svn commit: r354629 - head/sys/kern

Mon, 11 Nov 2019 12:44:56 -0800 

Author: markj
Date: Mon Nov 11 20:44:30 2019
New Revision: 354629
URL: https://svnweb.freebsd.org/changeset/base/354629

Log:
  Fix handling of PIPE_EOF in the direct write path.
  
  Suppose a writing thread has pinned its pages and gone to sleep with
  pipe_map.cnt > 0.  Suppose that the thread is woken up by a signal (so
  error != 0) and the other end of the pipe has simultaneously been
  closed.  In this case, to satisfy the assertion about pipe_map.cnt in
  pipe_destroy_write_buffer(), we must mark the buffer as empty.
  
  Reported by:  syzbot+5cce271bf2cb1b1e1...@syzkaller.appspotmail.com
  Reviewed by:  kib
  Tested by:    pho
  MFC after:    1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision:        https://reviews.freebsd.org/D22261

Modified:
  head/sys/kern/sys_pipe.c

Modified: head/sys/kern/sys_pipe.c
==============================================================================
--- head/sys/kern/sys_pipe.c    Mon Nov 11 19:54:08 2019        (r354628)
+++ head/sys/kern/sys_pipe.c    Mon Nov 11 20:44:30 2019        (r354629)
@@ -970,15 +970,8 @@ retry:
                goto error1;
        }
 
-       while (wpipe->pipe_map.cnt != 0) {
-               if (wpipe->pipe_state & PIPE_EOF) {
-                       wpipe->pipe_map.cnt = 0;
-                       pipe_destroy_write_buffer(wpipe);
-                       pipeselwakeup(wpipe);
-                       pipeunlock(wpipe);
-                       error = EPIPE;
-                       goto error1;
-               }
+       while (wpipe->pipe_map.cnt != 0 &&
+           (wpipe->pipe_state & PIPE_EOF) == 0) {
                if (wpipe->pipe_state & PIPE_WANTR) {
                        wpipe->pipe_state &= ~PIPE_WANTR;
                        wakeup(wpipe);
@@ -993,12 +986,16 @@ retry:
                        break;
        }
 
-       if (wpipe->pipe_state & PIPE_EOF)
+       if ((wpipe->pipe_state & PIPE_EOF) != 0) {
+               wpipe->pipe_map.cnt = 0;
+               pipe_destroy_write_buffer(wpipe);
+               pipeselwakeup(wpipe);
                error = EPIPE;
-       if (error == EINTR || error == ERESTART)
+       } else if (error == EINTR || error == ERESTART) {
                pipe_clone_write_buffer(wpipe);
-       else
+       } else {
                pipe_destroy_write_buffer(wpipe);
+       }
        pipeunlock(wpipe);
        KASSERT((wpipe->pipe_state & PIPE_DIRECTW) == 0,
            ("pipe %p leaked PIPE_DIRECTW", wpipe));
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to