Kernel Panic on FIFO write in OS X El Capitan

Originator: G65434.2
Number: rdar://23555656
Date Originated: 16-Nov-2015 05:45 PM
Status: Open
Resolved:
Product: OS X
Product Version: 10.11.1
Classification: Crash/Hang/Data Loss
Reproducible: Yes

Summary:
OS X El Capitan crashes with a kernel panic after some concurrent writes/polls/reads on a named FIFO from two processes.

I have attached the source code of a simple test program with which the crash is reproduced with 100% probability.
I have also attached the kernel panic report, and can attach the kernel core dump if required.

The crash happens in fifo_write(), when it calls knote(). It seems that the v_knotes list in vp is empty at the time of the knote() call.
As far as I can understand, this happens when the other process polls the FIFO, but the poll exits with a timeout, detaching the knote from the v_knotes list after fifo_write() has already checked v_knotes for non-emptiness, but before knote() is called.

Crash stack:
    frame #0: 0xffffff80071dbbbe kernel`Debugger(message=<unavailable>) + 782 at model_dep.c:1018
    frame #1: 0xffffff80070e5307 kernel`panic(str=<unavailable>) + 231 at debug.c:395
    frame #2: 0xffffff80071d6bba kernel`kernel_trap [inlined] panic_trap(regs=<unavailable>, pl=<unavailable>) + 2330 at trap.c:847
    frame #3: 0xffffff80071d69b9 kernel`kernel_trap(state=<unavailable>, lo_spp=<unavailable>) + 1817 at trap.c:791
    frame #4: 0xffffff80071f4313 kernel`trap_from_kernel + 38
    frame #5: 0xffffff80075909e5 kernel`knote(list=<unavailable>, hint=0) + 53 at kern_event.c:2887
    frame #6: 0xffffff800733ef86 kernel`fifo_write(ap=<unavailable>) + 86 at fifo_vnops.c:364
  * frame #7: 0xffffff800732e0d0 kernel`VNOP_WRITE(vp=0xffffff8038e83a50, uio=0xffffff91f1a5be80, ioflag=<unavailable>, ctx=<unavailable>) + 112 at kpi_vfs.c:3338
    frame #8: 0xffffff8007322f30 kernel`vn_write(fp=0xffffff8029d6fa18, uio=0xffffff91f1a5be80, flags=0, ctx=0xffffff91f1a5bf20) + 960 at vfs_vnops.c:1156
    frame #9: 0xffffff80075ca577 kernel`dofilewrite [inlined] fo_write(fp=(null) at r15, uio=(null) at rbx, flags=0, ctx=(null) at r14) + 26 at kern_descrip.c:5794
    frame #10: 0xffffff80075ca55d kernel`dofilewrite(ctx=0xffffff91f1a5bf20, fp=0xffffff8029d6fa18, bufp=140734531636003, nbyte=1, offset=<unavailable>, flags=0, retval=<unavailable>) + 269 at sys_generic.c:599
    frame #11: 0xffffff80075ca3ae kernel`write_nocancel(p=0xffffff80483665d8, uap=0xffffff8046af8000, retval=0xffffff8046af8040) + 222 at sys_generic.c:479
    frame #12: 0xffffff800762afd1 kernel`unix_syscall64(state=0xffffff804558f5e0) + 593 at systemcalls.c:384

Steps to Reproduce:
1. build the test program "clang fifo_test.c"
2. create some test FIFO "mkfifo /tmp/tstfifo"
3. from one terminal run the test program for read "./a.out read /tmp/tstfifo"
4. from another terminal run it for write "./a.out write /tmp/tstfifo"
5. Wait for kernel panic (in my experience it takes from 10 seconds to 1 minute)
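As an added illustration of the write/poll/read pattern described above and of the steps just listed, here is a self-contained C driver. It is not the attached fifo_test.c and is not the reporter's code: it creates the FIFO, forks a child that writes single bytes with short pauses, and reads in the parent with a 1 ms poll() timeout, so that most poll() calls return on timeout while a write is in flight, which is the interleaving the report blames. The function names (run_fifo_pair, fifo_writer, fifo_reader), the FIFO path and the timing parameters are my own choices. The driver returns the number of bytes read so it can be checked on a system where it simply completes; whether it triggers the panic on a particular 10.11.1 machine is not something this page establishes.

```c
/* Added example: user-space driver for the concurrent write / poll-with-timeout / read
 * pattern the report describes. Not the attached fifo_test.c; names, path and timings
 * are assumptions. The race itself is in the kernel (fifo_write vs. knote detach);
 * this program only produces the interleaving. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Writer: n single-byte writes, pausing briefly every few writes so the reader's
 * poll() keeps timing out between them. Returns bytes written, -1 on open failure. */
static long fifo_writer(const char *path, long n)
{
    int fd = open(path, O_WRONLY);          /* blocks until the reader has opened */
    if (fd < 0) return -1;
    struct timespec pause = { 0, 300000 };  /* 300 us */
    long done = 0;
    while (done < n) {
        ssize_t w = write(fd, "x", 1);
        if (w == 1) {
            done++;
            if (done % 8 == 0) nanosleep(&pause, NULL);
        } else if (w < 0 && errno == EINTR) {
            continue;
        } else {
            break;
        }
    }
    close(fd);
    return done;
}

/* Reader: poll() with a 1 ms timeout, read whatever is ready, stop after n bytes or
 * at EOF. Most poll() calls return 0 (timeout), which is the path that detaches the
 * knote in the report's analysis. Returns bytes read, -1 on error. */
static long fifo_reader(const char *path, long n)
{
    int fd = open(path, O_RDONLY);          /* blocks until the writer has opened */
    if (fd < 0) return -1;
    long got = 0;
    char buf[64];
    while (got < n) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
        int rc = poll(&pfd, 1, 1);
        if (rc < 0) {
            if (errno == EINTR) continue;
            got = -1;
            break;
        }
        if (rc == 0) continue;              /* timeout: try again */
        if (pfd.revents & (POLLERR | POLLNVAL)) { got = -1; break; }
        ssize_t r = read(fd, buf, sizeof buf);
        if (r > 0) { got += r; continue; }
        if (r == 0) break;                  /* EOF: writer closed */
        if (errno == EINTR) continue;
        got = -1;
        break;
    }
    close(fd);
    return got;
}

/* Create the FIFO at path, run the writer in a child and the reader in the parent.
 * Returns the number of bytes the reader received (n on a machine that survives). */
long run_fifo_pair(const char *path, long n)
{
    unlink(path);
    if (mkfifo(path, 0600) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { unlink(path); return -1; }
    if (pid == 0) _exit(fifo_writer(path, n) == n ? 0 : 1);
    long got = fifo_reader(path, n);
    int status = 0;
    waitpid(pid, &status, 0);
    unlink(path);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return got;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/tstfifo";   /* assumed default */
    long n = argc > 2 ? atol(argv[2]) : 100000;
    long got = run_fifo_pair(path, n);
    printf("read %ld of %ld bytes\n", got, n);
    return got == n ? 0 : 1;
}
```

Build with "clang fifo_race.c" and run it with a FIFO path and a byte count; it runs both sides from one process tree rather than from two terminals, so one invocation exercises the same interleaving as steps 3 and 4.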

Expected Results:
System does not crash

Actual Results:
System crashes

Version:
OS X El Capitan 10.11.1 Build 15B42

Darwin Kernel Version 15.0.0: Sat Sep 19 15:53:46 PDT 2015; root:xnu-3247.10.11~1/RELEASE_X86_64

Notes:


Configuration:
System model name: Macmini7,1 (Mac-35C5E08120C7EEAF)
OS X El Capitan 10.11.1 Build 15B42

Also reproduced on a number of MacBook Pros. It seems that the bug is not hardware-specific.

Attachments:
'fifo_test.c' and 'Kernel_2015-11-16-162404_MacMini-k06a-2.panic' were successfully uploaded.

Also, fifo_test.c source is available at http://pastebin.com/iC7dzWKN
