Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/kern in shmdt(), wait until shmat() completes before det...



details:   https://anonhg.NetBSD.org/src/rev/c48abf833029
branches:  trunk
changeset: 1003808:c48abf833029
user:      chs <chs%NetBSD.org@localhost>
date:      Tue Oct 01 16:36:58 2019 +0000

description:
in shmdt(), wait until shmat() completes before detaching.

Reported-by: syzbot+8f470a1bf36b47ae0040%syzkaller.appspotmail.com@localhost
Reported-by: syzbot+45810b4c41ed65d9148d%syzkaller.appspotmail.com@localhost

diffstat:

 sys/kern/sysv_shm.c |  21 ++++++++++++++++++---
 1 files changed, 18 insertions(+), 3 deletions(-)

diffs (93 lines):

diff -r 197062bca2cf -r c48abf833029 sys/kern/sysv_shm.c
--- a/sys/kern/sysv_shm.c       Tue Oct 01 16:08:56 2019 +0000
+++ b/sys/kern/sysv_shm.c       Tue Oct 01 16:36:58 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: sysv_shm.c,v 1.138 2019/08/23 10:22:14 maxv Exp $      */
+/*     $NetBSD: sysv_shm.c,v 1.139 2019/10/01 16:36:58 chs Exp $       */
 
 /*-
  * Copyright (c) 1999, 2007 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sysv_shm.c,v 1.138 2019/08/23 10:22:14 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sysv_shm.c,v 1.139 2019/10/01 16:36:58 chs Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_sysv.h"
@@ -87,6 +87,7 @@
        SLIST_ENTRY(shmmap_entry) next;
        vaddr_t va;
        int shmid;
+       bool busy;
 };
 
 int                    shm_nused               __cacheline_aligned;
@@ -313,8 +314,10 @@
        struct uvm_object *uobj;
        struct shmid_ds *shmseg;
        size_t size;
+       int segnum;
 
        mutex_enter(&shm_lock);
+restart:
        /* In case of reallocation, we will wait for completion */
        while (__predict_false(shm_realloc_state))
                cv_wait(&shm_realloc_cv, &shm_lock);
@@ -346,12 +349,18 @@
                }
        }
 
+       segnum = IPCID_TO_IX(shmmap_se->shmid);
+       if (shmmap_se->busy) {
+               cv_wait(&shm_cv[segnum], &shm_lock);
+               goto restart;
+       }
+
        SHMPRINTF(("shmdt: vm %p: remove %d @%lx\n",
            p->p_vmspace, shmmap_se->shmid, shmmap_se->va));
 
        /* Delete the entry from shm map */
        uobj = shm_delete_mapping(shmmap_s, shmmap_se);
-       shmseg = &shmsegs[IPCID_TO_IX(shmmap_se->shmid)];
+       shmseg = &shmsegs[segnum];
        size = (shmseg->shm_segsz + PGOFSET) & ~PGOFSET;
        mutex_exit(&shm_lock);
 
@@ -386,10 +395,13 @@
        vaddr_t attach_va;
        vm_prot_t prot;
        vsize_t size;
+       int segnum;
 
        /* Allocate a new map entry and set it */
        shmmap_se = kmem_alloc(sizeof(struct shmmap_entry), KM_SLEEP);
        shmmap_se->shmid = SCARG(uap, shmid);
+       shmmap_se->busy = true;
+       segnum = IPCID_TO_IX(shmmap_se->shmid);
 
        mutex_enter(&shm_lock);
        /* In case of reallocation, we will wait for completion */
@@ -466,11 +478,13 @@
        /* Set the new address, and update the time */
        mutex_enter(&shm_lock);
        shmmap_se->va = attach_va;
+       shmmap_se->busy = false;
        shmseg->shm_atime = time_second;
        shm_realloc_disable--;
        retval[0] = attach_va;
        SHMPRINTF(("shmat: vm %p: add %d @%lx\n",
            p->p_vmspace, shmmap_se->shmid, attach_va));
+       cv_broadcast(&shm_cv[segnum]);
 err:
        cv_broadcast(&shm_realloc_cv);
        mutex_exit(&shm_lock);
@@ -484,6 +498,7 @@
        mutex_enter(&shm_lock);
        uobj = shm_delete_mapping(shmmap_s, shmmap_se);
        shm_realloc_disable--;
+       cv_broadcast(&shm_cv[segnum]);
        cv_broadcast(&shm_realloc_cv);
        mutex_exit(&shm_lock);
        if (uobj != NULL) {



Home | Main Index | Thread Index | Old Index