svn commit: r354629 - head/sys/kern

Mark Johnston markj at FreeBSD.org
Mon Nov 11 20:44:31 UTC 2019 

Author: markj
Date: Mon Nov 11 20:44:30 2019
New Revision: 354629
URL: https://svnweb.freebsd.org/changeset/base/354629

Log:
  Fix handling of PIPE_EOF in the direct write path.
  
  Suppose a writing thread has pinned its pages and gone to sleep with
  pipe_map.cnt > 0.  Suppose that the thread is woken up by a signal (so
  error != 0) and the other end of the pipe has simultaneously been
  closed.  In this case, to satisfy the assertion about pipe_map.cnt in
  pipe_destroy_write_buffer(), we must mark the buffer as empty.
  
  Reported by:	syzbot+5cce271bf2cb1b1e1876 at syzkaller.appspotmail.com
  Reviewed by:	kib
  Tested by:	pho
  MFC after:	1 week
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D22261

Modified:
  head/sys/kern/sys_pipe.c

Modified: head/sys/kern/sys_pipe.c
==============================================================================
--- head/sys/kern/sys_pipe.c	Mon Nov 11 19:54:08 2019	(r354628)
+++ head/sys/kern/sys_pipe.c	Mon Nov 11 20:44:30 2019	(r354629)
@@ -970,15 +970,8 @@ retry:
 		goto error1;
 	}
 
-	while (wpipe->pipe_map.cnt != 0) {
-		if (wpipe->pipe_state & PIPE_EOF) {
-			wpipe->pipe_map.cnt = 0;
-			pipe_destroy_write_buffer(wpipe);
-			pipeselwakeup(wpipe);
-			pipeunlock(wpipe);
-			error = EPIPE;
-			goto error1;
-		}
+	while (wpipe->pipe_map.cnt != 0 &&
+	    (wpipe->pipe_state & PIPE_EOF) == 0) {
 		if (wpipe->pipe_state & PIPE_WANTR) {
 			wpipe->pipe_state &= ~PIPE_WANTR;
 			wakeup(wpipe);
@@ -993,12 +986,16 @@ retry:
 			break;
 	}
 
-	if (wpipe->pipe_state & PIPE_EOF)
+	if ((wpipe->pipe_state & PIPE_EOF) != 0) {
+		wpipe->pipe_map.cnt = 0;
+		pipe_destroy_write_buffer(wpipe);
+		pipeselwakeup(wpipe);
 		error = EPIPE;
-	if (error == EINTR || error == ERESTART)
+	} else if (error == EINTR || error == ERESTART) {
 		pipe_clone_write_buffer(wpipe);
-	else
+	} else {
 		pipe_destroy_write_buffer(wpipe);
+	}
 	pipeunlock(wpipe);
 	KASSERT((wpipe->pipe_state & PIPE_DIRECTW) == 0,
 	    ("pipe %p leaked PIPE_DIRECTW", wpipe));

More information about the svn-src-all mailing list