[src/trunk]: src/sys/kern in shmdt(), wait until shmat() completes before det...
details: https://anonhg.NetBSD.org/src/rev/8c7461ded850
branches: trunk
changeset: 459916:8c7461ded850
user: chs <chs%NetBSD.org@localhost>
date: Tue Oct 01 16:36:58 2019 +0000
description:
in shmdt(), wait until shmat() completes before detaching.
Reported-by: syzbot+8f470a1bf36b47ae0040%syzkaller.appspotmail.com@localhost
Reported-by: syzbot+45810b4c41ed65d9148d%syzkaller.appspotmail.com@localhost
diffstat:
sys/kern/sysv_shm.c | 21 ++++++++++++++++++---
1 files changed, 18 insertions(+), 3 deletions(-)
diffs (93 lines):
diff -r d495dbfdd0d6 -r 8c7461ded850 sys/kern/sysv_shm.c
--- a/sys/kern/sysv_shm.c Tue Oct 01 16:08:56 2019 +0000
+++ b/sys/kern/sysv_shm.c Tue Oct 01 16:36:58 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: sysv_shm.c,v 1.138 2019/08/23 10:22:14 maxv Exp $ */
+/* $NetBSD: sysv_shm.c,v 1.139 2019/10/01 16:36:58 chs Exp $ */
/*-
* Copyright (c) 1999, 2007 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sysv_shm.c,v 1.138 2019/08/23 10:22:14 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sysv_shm.c,v 1.139 2019/10/01 16:36:58 chs Exp $");
#ifdef _KERNEL_OPT
#include "opt_sysv.h"
@@ -87,6 +87,7 @@
SLIST_ENTRY(shmmap_entry) next;
vaddr_t va;
int shmid;
+ bool busy;
};
int shm_nused __cacheline_aligned;
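Review bot: The new `busy` field carries a locking and lifetime rule that is not written down at its declaration. From the other hunks it is set in shmat() before `shm_lock` is taken, cleared under `shm_lock` once `va` has been assigned, and read under `shm_lock` in shmdt(); a comment such as `bool busy; /* shmat() in progress, va not yet valid; protected by shm_lock */` would record that. Other code that walks the entry list is not visible in this diff, so whether it also needs to honour the flag should be checked against the rest of the file.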
@@ -313,8 +314,10 @@
struct uvm_object *uobj;
struct shmid_ds *shmseg;
size_t size;
+ int segnum;
mutex_enter(&shm_lock);
+restart:
/* In case of reallocation, we will wait for completion */
while (__predict_false(shm_realloc_state))
cv_wait(&shm_realloc_cv, &shm_lock);
@@ -346,12 +349,18 @@
}
}
+ segnum = IPCID_TO_IX(shmmap_se->shmid);
+ if (shmmap_se->busy) {
+ cv_wait(&shm_cv[segnum], &shm_lock);
+ goto restart;
+ }
+
SHMPRINTF(("shmdt: vm %p: remove %d @%lx\n",
p->p_vmspace, shmmap_se->shmid, shmmap_se->va));
/* Delete the entry from shm map */
uobj = shm_delete_mapping(shmmap_s, shmmap_se);
- shmseg = &shmsegs[IPCID_TO_IX(shmmap_se->shmid)];
+ shmseg = &shmsegs[segnum];
size = (shmseg->shm_segsz + PGOFSET) & ~PGOFSET;
mutex_exit(&shm_lock);
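Review bot: The `goto restart` after `cv_wait()` is needed because the entry pointer can be stale once the thread wakes, and that reason is not stated next to the new block. The shmat() error path in the last hunk deletes the mapping and then broadcasts on the same condvar, so the waiter has to redo the lookup rather than re-test `shmmap_se->busy`. I would add `/* shmat() is still mapping this entry; sleep, then redo the lookup since the entry may have been removed */` above the `if`. shmdt()'s body starts and ends outside this hunk, so the lookup being repeated is not visible here.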
@@ -386,10 +395,13 @@
vaddr_t attach_va;
vm_prot_t prot;
vsize_t size;
+ int segnum;
/* Allocate a new map entry and set it */
shmmap_se = kmem_alloc(sizeof(struct shmmap_entry), KM_SLEEP);
shmmap_se->shmid = SCARG(uap, shmid);
+ shmmap_se->busy = true;
+ segnum = IPCID_TO_IX(shmmap_se->shmid);
mutex_enter(&shm_lock);
/* In case of reallocation, we will wait for completion */
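Review bot: `va` is left uninitialized for as long as the entry is busy: `kmem_alloc()` does not zero, this hunk sets only `shmid` and `busy`, and `va` is assigned in the later hunk after the lock is retaken. If the entry is linked into the per-process list in between (the purpose of this commit suggests it is) and shmdt() selects entries by comparing `va` with the caller-supplied address, that comparison reads stale kernel heap contents. Setting `shmmap_se->va = 0;` next to `busy = true`, or allocating with `kmem_zalloc()`, would give the busy entry a defined state. The function body continues outside the hunk, so where the entry is inserted cannot be confirmed from here.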
@@ -466,11 +478,13 @@
/* Set the new address, and update the time */
mutex_enter(&shm_lock);
shmmap_se->va = attach_va;
+ shmmap_se->busy = false;
shmseg->shm_atime = time_second;
shm_realloc_disable--;
retval[0] = attach_va;
SHMPRINTF(("shmat: vm %p: add %d @%lx\n",
p->p_vmspace, shmmap_se->shmid, attach_va));
+ cv_broadcast(&shm_cv[segnum]);
err:
cv_broadcast(&shm_realloc_cv);
mutex_exit(&shm_lock);
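Review bot: The `segnum` used in `cv_broadcast(&shm_cv[segnum])` was derived from the raw `SCARG(uap, shmid)` in the previous hunk, before any validation of the id is visible. Both broadcast sites (here and in the error path of the next hunk) appear to be reachable only after the segment lookup has succeeded, since the `err:` label sits below this one, but nothing in the code states that invariant. Computing `segnum` only after the lookup succeeds, or adding a `KASSERT` on the `shm_cv` array bound before indexing, would keep a later edit from indexing with an unchecked id. The function body starts and ends outside the hunk.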
@@ -484,6 +498,7 @@
mutex_enter(&shm_lock);
uobj = shm_delete_mapping(shmmap_s, shmmap_se);
shm_realloc_disable--;
+ cv_broadcast(&shm_cv[segnum]);
cv_broadcast(&shm_realloc_cv);
mutex_exit(&shm_lock);
if (uobj != NULL) {