From 3db161e07937ad130a89eb68afb1967c9ee5c7dd Mon Sep 17 00:00:00 2001
From: Matthew Dillon <dillon@FreeBSD.org>
Date: Mon, 13 Jan 2003 23:04:32 +0000
Subject: It is possible for an active aio to prevent shared memory from being
 dereferenced when a process exits due to the vmspace ref-count being bumped. 
 Change shmexit() and shmexit_myhook() to take a vmspace instead of a process
 and call it in vmspace_dofree().  This way if it is missed in exit1()'s
 early-resource-free it will still be caught when the zombie is reaped.

Also fix a potential race in shmexit_myhook() by NULLing out
vmspace->vm_shm prior to calling shm_delete_mapping() and free().

MFC after:	7 days
---
 sys/kern/kern_exit.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'sys/kern/kern_exit.c')

diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index 8737bed37c32..c34f26fe646b 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -297,8 +297,7 @@ exit1(td, rv)
 	 */
 	++vm->vm_exitingcnt;
 	if (--vm->vm_refcnt == 0) {
-		if (vm->vm_shm)
-			shmexit(p);
+		shmexit(vm);
 		vm_page_lock_queues();
 		pmap_remove_pages(vmspace_pmap(vm), vm_map_min(&vm->vm_map),
 		    vm_map_max(&vm->vm_map));
-- 
cgit v1.2.3