If the server goes away while the client is trying to copy a message from
authorMatthew Dillon <dillon@dragonflybsd.org>
Mon, 26 Apr 2004 17:06:18 +0000 (17:06 +0000)
committerMatthew Dillon <dillon@dragonflybsd.org>
Mon, 26 Apr 2004 17:06:18 +0000 (17:06 +0000)
it, the kernel may panic with a null-pointer indirection through the caps
ci_td field (which becomes NULL).  The field is properly becoming NULL,
the culprit was some debugging code that indirected through it without
checking first.

Reported-by: Chris Pressey <cpressey@catseye.mine.nu>
sys/kern/lwkt_caps.c

index 39a6d1a..d7ece66 100644 (file)
@@ -23,7 +23,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $DragonFly: src/sys/kern/lwkt_caps.c,v 1.3 2004/03/31 19:28:29 dillon Exp $
+ * $DragonFly: src/sys/kern/lwkt_caps.c,v 1.4 2004/04/26 17:06:18 dillon Exp $
  */
 
 /*
@@ -881,12 +881,13 @@ caps_process_msg(caps_kinfo_t caps, caps_kmsg_t msg, struct caps_sys_get_args *u
        caps_dequeue_msg(caps, msg);
 
     if (msg->km_xio.xio_bytes != 0) {
-       struct proc *rp = msg->km_mcaps->ci_td->td_proc;
-       KKASSERT(rp != NULL);
        error = xio_copy_xtou(&msg->km_xio, uap->msg, 
                            min(msg->km_xio.xio_bytes, uap->maxsize));
        if (error) {
-           printf("xio_copy_xtou: error %d from proc %d\n", error, rp->p_pid);
+           if (msg->km_mcaps->ci_td && msg->km_mcaps->ci_td->td_proc) {
+               printf("xio_copy_xtou: error %d from proc %d\n", 
+                       error, msg->km_mcaps->ci_td->td_proc->p_pid);
+           }
            if (msgsize > uap->maxsize)
                caps_dequeue_msg(caps, msg);
            msgsize = 0;
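Review bot: The new guard on the printf line still reads `msg->km_mcaps->ci_td` twice — once in the condition and again when building the printf argument — so if the server's departure can clear `ci_td` concurrently (the commit message says the field legitimately becomes NULL when the server goes away, and the old KKASSERT was removed for that reason) the second read can still hit the NULL the check was meant to exclude; whether that window is real depends on what serializes caps teardown against this path, which is not visible in the hunk. Snapshotting the pointer once removes the question regardless of the locking model: `struct thread *td = msg->km_mcaps->ci_td;` before the check, then `if (td && td->td_proc)` and `error, td->td_proc->p_pid);` in the printf. Since this is an error path a client can drive by passing a too-small `uap->maxsize`, a comment noting the message is diagnostic only would also help, e.g. `/* diagnostic only: the server thread may already be gone, so never trust ci_td past this snapshot */`. caps_process_msg starts before and continues after this hunk.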