diff options
author | dillon <dillon@FreeBSD.org> | 2003-01-13 23:04:32 +0000 |
---|---|---|
committer | dillon <dillon@FreeBSD.org> | 2003-01-13 23:04:32 +0000 |
commit | ce710d36cc14755344115d36e5459a39e385e64d (patch) | |
tree | 3c875a6ad9627d4125943a71834883e1b354baa5 /sys/kern/kern_exit.c | |
parent | e08a8297e2779e8d6e2160c041440e8f3908ece8 (diff) | |
download | FreeBSD-src-ce710d36cc14755344115d36e5459a39e385e64d.zip FreeBSD-src-ce710d36cc14755344115d36e5459a39e385e64d.tar.gz |
It is possible for an active aio to prevent shared memory from being
dereferenced when a process exits due to the vmspace ref-count being
bumped. Change shmexit() and shmexit_myhook() to take a vmspace instead
of a process and call it in vmspace_dofree(). This way if it is missed
in exit1()'s early-resource-free it will still be caught when the zombie is
reaped.
Also fix a potential race in shmexit_myhook() by NULLing out
vmspace->vm_shm prior to calling shm_delete_mapping() and free().
MFC after: 7 days
Diffstat (limited to 'sys/kern/kern_exit.c')
-rw-r--r-- | sys/kern/kern_exit.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index 8737bed..c34f26f 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -297,8 +297,7 @@ exit1(td, rv) */ ++vm->vm_exitingcnt; if (--vm->vm_refcnt == 0) { - if (vm->vm_shm) - shmexit(p); + shmexit(vm); vm_page_lock_queues(); pmap_remove_pages(vmspace_pmap(vm), vm_map_min(&vm->vm_map), vm_map_max(&vm->vm_map)); |