On Tue, Sep 24, 2013 at 10:45:17AM -0700, John-Mark Gurney wrote: > I'd like to understand why you think protecting these functions w/ > the _DETACHED check is correct... In kern_event.c, all calls to > f_detach are followed by knote_drop which will ensure that the knote > is removed and free, so no more f_event calls will be called on that > knote..
My current belief is that what happens is a glitch in the kqueue_register(). After a new knote is created and attached, the kq lock is dropped and then f_event() is called. If the vnode is reclaimed or possible freed meantime, f_event() seems to dereference freed memory, since kn_hook points to freed vnode. The issue as I see it is that vnode lifecycle is detached from the knote lifecycle. Might be, only the second patch, which acquires a hold reference on the vnode for each knote, is really needed. But before going into any conclusions, I want to see the testing results.
pgpE9EQ09ovgc.pgp
Description: PGP signature
