Correct a bug introduced in sys_pipe.c:1.179: in pipe_ioctl(),

release the pipe mutex before calling fsetown(), as fsetown()
may block.  The sigio code protects the pipe sigio data using
its own mutex, and the pipe reference count held by the caller
will prevent the pipe from being prematurely garbage-collected.

Discovered by:	imp

1 files changed, 5 insertions, 2 deletions

diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index 16af809..e8468d4 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -1292,8 +1292,9 @@ pipe_ioctl(fp, cmd, data, active_cred, td)
 		break;
 
 	case FIOSETOWN:
+		PIPE_UNLOCK(mpipe);
 		error = fsetown(*(int *)data, &mpipe->pipe_sigio);
-		break;
+		goto out_unlocked;
 
 	case FIOGETOWN:
 		*(int *)data = fgetown(&mpipe->pipe_sigio);
@@ -1301,8 +1302,9 @@ pipe_ioctl(fp, cmd, data, active_cred, td)
 
 	/* This is deprecated, FIOSETOWN should be used instead. */
 	case TIOCSPGRP:
+		PIPE_UNLOCK(mpipe);
 		error = fsetown(-(*(int *)data), &mpipe->pipe_sigio);
-		break;
+		goto out_unlocked;
 
 	/* This is deprecated, FIOGETOWN should be used instead. */
 	case TIOCGPGRP:
@@ -1314,6 +1316,7 @@ pipe_ioctl(fp, cmd, data, active_cred, td)
 		break;
 	}
 	PIPE_UNLOCK(mpipe);
+out_unlocked:
 	return (error);
 }