Date:      14 Jan 2000 12:01:52 -0000
From:      he@runit.no (Havard Eidnes)
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/16122: Incorrect SysV SHM segment accounting by async I/O helper procs
Message-ID:  <20000114120152.60814.qmail@verden.pvv.ntnu.no>


>Number:         16122
>Category:       kern
>Synopsis:       Incorrect SysV SHM segment accounting by async I/O helper procs
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 14 04:10:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Havard Eidnes
>Release:        FreeBSD 3.3-RELEASE i386
>Organization:
RUNIT AS
>Environment:
	"Standard" i386 machine running 3.3-RELEASE.

>Description:
	Only the first async I/O helper process releases the SystemV
	shared memory segments inherited from the parent process.  All
	async I/O helper processes end up calling shmfork() (implicitly
	via rfork()), but exit without doing shmexit(), causing shared
	memory segment reference counts not to be updated correctly.

	This causes shared memory segments to get an ever increasing
	reference count, preventing their removal from the system even
	though the processes which caused the reference count to be
	increased are no longer present.

>How-To-Repeat:
	Use SystemV shared memory segments and asynchronous I/O
	in the same process.  Note in "ipcs -mobp" output that
	the reference count of the segments increases over time
	as this process is run several times.

	(Sorry, no code here to reproduce the problem.)

>Fix:
	Not only the first async I/O helper process should get rid of its
	SystemV shared memory segments inherited from the parent process.

	Perusal of cvsweb seems to indicate that this problem
	is also present in the FreeBSD 3.4 release.

--- /sys/kern/vfs_aio.c.dist	Sun Aug 29 18:26:12 1999
+++ /sys/kern/vfs_aio.c	Thu Jan 13 14:24:10 2000
@@ -618,44 +618,49 @@
 	 * We manage to create only one VM space for all AIOD processes.
 	 * The VM space for the first AIOD created becomes the shared VM
 	 * space for all of them.  We add an additional reference count,
 	 * even for the first AIOD, so the address space does not go away,
 	 * and we continue to use that original VM space even if the first
 	 * AIOD exits.
 	 */
 	if ((aiovm = aiovmspace) == NULL) {
 		aiovmspace = myvm;
 		myvm->vm_refcnt++;
 		/*
 		 * Remove userland cruft from address space.
 		 */
 		if (myvm->vm_shm)
 			shmexit(mycp);
 		pmap_remove_pages(&myvm->vm_pmap, 0, USRSTACK);
 		vm_map_remove(&myvm->vm_map, 0, USRSTACK);
 		myvm->vm_tsize = 0;
 		myvm->vm_dsize = 0;
 		myvm->vm_ssize = 0;
 	} else {
 		aiovm->vm_refcnt++;
+		/*
+		 * Remove userland cruft from address space.
+		 */
+		if (myvm->vm_shm)
+			shmexit(mycp);
 		mycp->p_vmspace = aiovm;
 		pmap_activate(mycp);
 		vmspace_free(myvm);
 		myvm = aiovm;
 	}
 
 	if (mycp->p_textvp) {
 		vrele(mycp->p_textvp);
 		mycp->p_textvp = NULL;
 	}
 
 	/*
 	 * Allocate and ready the aio control info.  There is one
 	 * aiop structure per daemon.
 	 */
 	aiop = zalloc(aiop_zone);
 	aiop->aioproc = mycp;
 	aiop->aioprocflags |= AIOP_FREE;
 	TAILQ_INIT(&aiop->jobtorun);
 
 	/*
 	 * Place thread (lightweight process) onto the AIO free thread list
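
Review bot: The `if (myvm->vm_shm) shmexit(mycp);` added to the else branch is a verbatim copy of the one already in the first branch, comment included; now that both branches do it, hoist the test and the call above `if ((aiovm = aiovmspace) == NULL)` so it exists once. The copied comment "Remove userland cruft from address space" also overstates what the else branch does, since only the shm detach is added there and not the pmap_remove_pages()/vm_map_remove() calls. Wherever the call ends up, it has to stay ahead of `mycp->p_vmspace = aiovm;` and `vmspace_free(myvm);`, because the test reads myvm and the call is handed mycp; a one-line comment saying so would keep a later reordering from reintroducing the leak.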



>Release-Note:
>Audit-Trail:
>Unformatted:
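
The report gives no reproducer. As an added example (not from the report or from FreeBSD), this C check samples the attach count that `ipcs -mobp` displays, around a child that inherits an attachment and exits without detaching. Plain fork() stands in for the rfork()-created helper processes, which is an assumption, and the function names are made up here.

```c
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <unistd.h>

/* Attach count of a segment (the NATTCH column in ipcs output), or -1. */
static long nattch_of(int id)
{
	struct shmid_ds ds;
	return shmctl(id, IPC_STAT, &ds) == 0 ? (long)ds.shm_nattch : -1;
}

/*
 * Samples the attach count of a private segment at four points:
 * out[0] after shmat(), out[1] while a forked child holds the inherited
 * attachment, out[2] after that child exited without shmdt(), and
 * out[3] after our own shmdt().  Returns 0 if the counts are 1, 2, 1, 0,
 * 1 if the accounting is off, -1 if the setup failed.
 */
int check_shm_accounting(long out[4])
{
	int id, go[2];
	char c;
	void *p;
	pid_t pid;

	if ((id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600)) < 0)
		return -1;
	p = shmat(id, NULL, 0);
	out[0] = nattch_of(id);
	if (p == (void *)-1 || pipe(go) < 0 || (pid = fork()) < 0) {
		shmctl(id, IPC_RMID, NULL);
		return -1;
	}
	if (pid == 0) {		/* child: keep the attachment until released */
		close(go[1]);
		if (read(go[0], &c, 1) < 0)
			_exit(1);
		_exit(0);	/* no shmdt(): the kernel has to drop the count */
	}
	close(go[0]);
	out[1] = nattch_of(id);
	close(go[1]);		/* EOF on the pipe lets the child exit */
	waitpid(pid, NULL, 0);
	out[2] = nattch_of(id);
	shmdt(p);
	out[3] = nattch_of(id);
	shmctl(id, IPC_RMID, NULL);
	return (out[0] == 1 && out[1] == 2 && out[2] == 1 && out[3] == 0) ? 0 : 1;
}
```

A kernel with the accounting problem described above would leave out[2] above 1 for the code path that skips the detach; this check only exercises the ordinary fork/exit path.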

