From owner-svn-src-all@FreeBSD.ORG Mon Jun 28 18:12:43 2010 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4541D106564A; Mon, 28 Jun 2010 18:12:43 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 359078FC0C; Mon, 28 Jun 2010 18:12:43 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o5SIChtW079187; Mon, 28 Jun 2010 18:12:43 GMT (envelope-from kib@svn.freebsd.org) Received: (from kib@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o5SIChMc079185; Mon, 28 Jun 2010 18:12:43 GMT (envelope-from kib@svn.freebsd.org) Message-Id: <201006281812.o5SIChMc079185@svn.freebsd.org> From: Konstantin Belousov Date: Mon, 28 Jun 2010 18:12:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r209580 - head/sys/kern X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jun 2010 18:12:43 -0000 Author: kib Date: Mon Jun 28 18:12:42 2010 New Revision: 209580 URL: http://svn.freebsd.org/changeset/base/209580 Log: Despite system call deregistration drains the threads executing System V shm syscalls, and initial check for the number of allocated segments in the module deinitialization code, the following might happen: after the check for active segment, while waiting for threads to leave some other syscall, shmget(2) is called. Then, we can end up with the shared segment that cannot be detached since sysvshm module is unloaded. Prevent the leak by rechecking and disclaiming a reference to the vm object owned by sysvshm module, that might have grown during the drain. Tested by: pho Reviewed by: jhb MFC after: 1 month Modified: head/sys/kern/sysv_shm.c Modified: head/sys/kern/sysv_shm.c ============================================================================== --- head/sys/kern/sysv_shm.c Mon Jun 28 18:06:46 2010 (r209579) +++ head/sys/kern/sysv_shm.c Mon Jun 28 18:12:42 2010 (r209580) @@ -919,10 +919,18 @@ shmunload() #endif syscall_helper_unregister(shm_syscalls); + for (i = 0; i < shmalloced; i++) { #ifdef MAC - for (i = 0; i < shmalloced; i++) mac_sysvshm_destroy(&shmsegs[i]); #endif + /* + * Objects might be still mapped into the processes + * address spaces. Actual free would happen on the + * last mapping destruction. + */ + if (shmsegs[i].u.shm_perm.mode != SHMSEG_FREE) + vm_object_deallocate(shmsegs[i].object); + } free(shmsegs, M_SHM); shmexit_hook = NULL; shmfork_hook = NULL;