authoralfred <alfred@FreeBSD.org>2002-02-27 17:23:16 +0000
committeralfred <alfred@FreeBSD.org>2002-02-27 17:23:16 +0000
commit3a862cdbbdc92cd8b2163f5c49d3ecc25564d920 (patch)
treec5e89e31df4d7f95f7d1f8265e12636fe84f1388 /sys
parent3ed05b7b8966710c5cffbf0ba479dd2e07c91c0a (diff)
downloadFreeBSD-src-3a862cdbbdc92cd8b2163f5c49d3ecc25564d920.zip
FreeBSD-src-3a862cdbbdc92cd8b2163f5c49d3ecc25564d920.tar.gz
Fix a NULL deref panic in pipe_write: we can't blindly lock
pipe->pipe_peer->pipe_mtxp because it may be NULL, so lock the passed-in pipe's mutex instead.
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/sys_pipe.c24
1 files changed, 12 insertions, 12 deletions
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index e1f981c..ce9fde7 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -817,12 +817,12 @@ pipe_write(fp, uio, cred, flags, td)
rpipe = (struct pipe *) fp->f_data;
wpipe = rpipe->pipe_peer;
- PIPE_LOCK(wpipe);
+ PIPE_LOCK(rpipe);
/*
* detect loss of pipe read side, issue SIGPIPE if lost.
*/
if ((wpipe == NULL) || (wpipe->pipe_state & PIPE_EOF)) {
- PIPE_UNLOCK(wpipe);
+ PIPE_UNLOCK(rpipe);
return (EPIPE);
}
++wpipe->pipe_busy;
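Review bot: `wpipe = rpipe->pipe_peer;` is still read before `PIPE_LOCK(rpipe)`, so the NULL/EOF test that follows checks a pointer sampled without the mutex held. Now that the lock no longer depends on wpipe, the load can move under it: `PIPE_LOCK(rpipe);` followed by `wpipe = rpipe->pipe_peer;`. Whether pipe_peer is cleared under this same mutex is not visible in the hunk, so that should be confirmed against the close path. The change also appears to rely on both ends sharing one mutex (the commit message refers to pipe_mtxp as a pointer); a comment at the lock site such as `/* both ends share one mutex; lock via rpipe because the peer may be gone */` would record that, and it applies equally to the `PIPE_MTX(rpipe)` arguments of the two msleep() calls in the later hunks. pipe_write's body starts and ends outside this hunk.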
@@ -838,10 +838,10 @@ pipe_write(fp, uio, cred, flags, td)
(wpipe->pipe_buffer.cnt == 0)) {
if ((error = pipelock(wpipe,1)) == 0) {
- PIPE_GET_GIANT(wpipe);
+ PIPE_GET_GIANT(rpipe);
if (pipespace(wpipe, BIG_PIPE_SIZE) == 0)
nbigpipe++;
- PIPE_DROP_GIANT(wpipe);
+ PIPE_DROP_GIANT(rpipe);
pipeunlock(wpipe);
}
}
@@ -857,7 +857,7 @@ pipe_write(fp, uio, cred, flags, td)
wpipe->pipe_state &= ~(PIPE_WANT | PIPE_WANTR);
wakeup(wpipe);
}
- PIPE_UNLOCK(wpipe);
+ PIPE_UNLOCK(rpipe);
return(error);
}
@@ -902,7 +902,7 @@ pipe_write(fp, uio, cred, flags, td)
wpipe->pipe_state &= ~PIPE_WANTR;
wakeup(wpipe);
}
- error = msleep(wpipe, PIPE_MTX(wpipe), PRIBIO | PCATCH,
+ error = msleep(wpipe, PIPE_MTX(rpipe), PRIBIO | PCATCH,
"pipbww", 0);
if (wpipe->pipe_state & PIPE_EOF)
break;
@@ -968,10 +968,10 @@ pipe_write(fp, uio, cred, flags, td)
/* Transfer first segment */
- PIPE_UNLOCK(wpipe);
+ PIPE_UNLOCK(rpipe);
error = uiomove(&wpipe->pipe_buffer.buffer[wpipe->pipe_buffer.in],
segsize, uio);
- PIPE_LOCK(wpipe);
+ PIPE_LOCK(rpipe);
if (error == 0 && segsize < size) {
/*
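Review bot: The mutex is dropped across `uiomove()` while the destination address is computed from `wpipe->pipe_buffer.in`, and nothing in this hunk shows what keeps the buffer and its indices stable during the copy. Presumably the long-term `pipelock(wpipe, ...)` is held at this point, but that is outside the visible lines. A comment before the unlock, for example `/* pipelock(wpipe) held; drop the mutex since uiomove() may fault on user memory */`, would make the invariant explicit. It would also help to state whether PIPE_EOF needs re-checking after `PIPE_LOCK(rpipe)` is retaken. The same unlock/copy/relock pattern appears in the next hunk for the second segment.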
@@ -983,10 +983,10 @@ pipe_write(fp, uio, cred, flags, td)
wpipe->pipe_buffer.size)
panic("Expected pipe buffer wraparound disappeared");
- PIPE_UNLOCK(wpipe);
+ PIPE_UNLOCK(rpipe);
error = uiomove(&wpipe->pipe_buffer.buffer[0],
size - segsize, uio);
- PIPE_LOCK(wpipe);
+ PIPE_LOCK(rpipe);
}
if (error == 0) {
wpipe->pipe_buffer.in += size;
@@ -1031,7 +1031,7 @@ pipe_write(fp, uio, cred, flags, td)
pipeselwakeup(wpipe);
wpipe->pipe_state |= PIPE_WANTW;
- error = msleep(wpipe, PIPE_MTX(wpipe),
+ error = msleep(wpipe, PIPE_MTX(rpipe),
PRIBIO | PCATCH, "pipewr", 0);
if (error != 0)
break;
@@ -1081,7 +1081,7 @@ pipe_write(fp, uio, cred, flags, td)
if (wpipe->pipe_buffer.cnt)
pipeselwakeup(wpipe);
- PIPE_UNLOCK(wpipe);
+ PIPE_UNLOCK(rpipe);
return (error);
}