Hi, There is a race in dosendsyslog() which resulted in a crash on a 5.9 system. sosend(syslogf->f_data, ...) was called with a NULL pointer. So syslogf is not NULL, f_data is NULL and f_count is 1.
The file structure is ref counted, but the global variable syslogf is not protected. So it may change during sleep and dosendsyslog() possibly uses a different socket at each access. My crash happend during a reboot when init(8) is killing syslogd(8) and some sort of super daemon tries to restart it constantly. Although this design is questionable, it helps finding kernel bugs :-) Solution is to access syslogf ony once, use a local copy, and do the ref counting there. ok? bluhm Index: kern/subr_log.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/kern/subr_log.c,v retrieving revision 1.48 diff -u -p -r1.48 subr_log.c --- kern/subr_log.c 23 Jun 2016 15:41:42 -0000 1.48 +++ kern/subr_log.c 24 Mar 2017 15:31:49 -0000 @@ -409,14 +409,17 @@ dosendsyslog(struct proc *p, const char struct iovec *ktriov = NULL; int iovlen; #endif + struct file *fp; char pri[6], *kbuf; struct iovec aiov; struct uio auio; size_t i, len; int error; - if (syslogf) - FREF(syslogf); + /* Global variable syslogf may change during sleep, use local copy. */ + fp = syslogf; + if (fp) + FREF(fp); else if (!ISSET(flags, LOG_CONS)) return (ENOTCONN); else { @@ -467,8 +470,8 @@ dosendsyslog(struct proc *p, const char #endif len = auio.uio_resid; - if (syslogf) { - error = sosend(syslogf->f_data, NULL, &auio, NULL, NULL, 0); + if (fp) { + error = sosend(fp->f_data, NULL, &auio, NULL, NULL, 0); if (error == 0) len -= auio.uio_resid; } else if (constty || cn_devvp) { @@ -515,8 +518,8 @@ dosendsyslog(struct proc *p, const char free(ktriov, M_TEMP, iovlen); } #endif - if (syslogf) - FRELE(syslogf, p); + if (fp) + FRELE(fp, p); else error = ENOTCONN; return (error);