From c6a128a4b907ab2e60ff122305aee878371b5e92 Mon Sep 17 00:00:00 2001
From: alfred
Date: Tue, 5 Feb 2002 21:23:05 +0000
Subject: Fix a race with free'ing vmspaces at process exit when vmspaces are shared.

Also introduce vm_endcopy instead of using pointer tricks when initializing new vmspaces.

The race occured because of how the reference was utilized:
test vmspace reference, possibly block, decrement reference

When sharing a vmspace between multiple processes it was possible for two processes exiting at the same time to test the reference count, possibly block and neither one free because they wouldn't see the other's update.

Submitted by: green
---
 sys/kern/kern_exit.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'sys/kern/kern_exit.c')

diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index 51b77c4..e8c5558 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -217,13 +217,14 @@ exit1(td, rv)
 	 * Can't free the entire vmspace as the kernel stack
 	 * may be mapped within that space also.
 	 */
-	if (vm->vm_refcnt == 1) {
+	if (--vm->vm_refcnt == 0) {
 		if (vm->vm_shm)
 			shmexit(p);
 		pmap_remove_pages(vmspace_pmap(vm), VM_MIN_ADDRESS,
 		    VM_MAXUSER_ADDRESS);
 		(void) vm_map_remove(&vm->vm_map, VM_MIN_ADDRESS,
 		    VM_MAXUSER_ADDRESS);
+		vm->vm_freer = p;
 	}
 
 	PROC_LOCK(p);
@@ -400,8 +401,8 @@ exit1(td, rv)
 	/*
 	 * Finally, call machine-dependent code to release the remaining
 	 * resources including address space, the kernel stack and pcb.
-	 * The address space is released by "vmspace_free(p->p_vmspace)"
-	 * in vm_waitproc();
+	 * The address space is released by "vmspace_exitfree(p)" in
+	 * vm_waitproc().
 	 */
 	cpu_exit(td);
 
-- 
cgit v1.1
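Review bot: The decrement in `if (--vm->vm_refcnt == 0)` is a plain read-modify-write on a count that is by construction shared between processes, so it only closes the race if every reader and writer of vm_refcnt is serialized by one lock (presumably Giant at this point in exit1, but the hunk does not show the locking); without that, two sharers exiting on different CPUs can still both see a nonzero result and neither frees, or both see zero and both claim the free. If that serialization is not guaranteed, do the decrement and the zero test together under a lock or with an atomic decrement-and-test primitive rather than the bare `--`. The new `vm->vm_freer = p;` line also deserves a comment, since a vmspace whose refcount is 0 but which is still mapped is a new state that later code must recognize: `/* Refcount is now 0 but our kernel stack still lives here; p owns the final free, done from vm_waitproc(). */`. exit1() starts before and continues after this hunk.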