fix a problem referencing free'd memory. This is only a problem for

kqueue write events on a socket and you regularly create tons of pipes
which overwrites the structure causing a panic when removing the knote
from the list.  If the peer has gone away (and it's a write knote), then
don't bother trying to remove the knote from the list.

Submitted by:	Brian Buchanan and myself
Obtained from:	nCircle

1 files changed, 7 insertions, 2 deletions

diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index 76e23b7..c5b39e0 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -1467,7 +1467,6 @@ pipe_kqfilter(struct file *fp, struct knote *kn)
 	default:
 		return (1);
 	}
-	kn->kn_hook = cpipe;
 
 	PIPE_LOCK(cpipe);
 	SLIST_INSERT_HEAD(&cpipe->pipe_sel.si_note, kn, kn_selnext);
@@ -1478,7 +1477,13 @@ pipe_kqfilter(struct file *fp, struct knote *kn)
 static void
 filt_pipedetach(struct knote *kn)
 {
-	struct pipe *cpipe = (struct pipe *)kn->kn_hook;
+	struct pipe *cpipe = (struct pipe *)kn->kn_fp->f_data;
+
+	if (kn->kn_filter == EVFILT_WRITE) {
+		if (cpipe->pipe_peer == NULL)
+			return;
+		cpipe = cpipe->pipe_peer;
+	}
 
 	PIPE_LOCK(cpipe);
 	SLIST_REMOVE(&cpipe->pipe_sel.si_note, kn, knote, kn_selnext);