diff options
| author | Klemens Nanni <kn@cvs.openbsd.org> | 2022-02-14 21:11:03 +0000 |
|---|---|---|
| committer | Klemens Nanni <kn@cvs.openbsd.org> | 2022-02-14 21:11:03 +0000 |
| commit | 91b522d342992b8fe1bcad7b6f1e483bce72d250 (patch) | |
| tree | 6474b6ae155c402a79d109540a9fbeb834fb2a30 /sys/uvm | |
| parent | 8af49c917002c2248daee0d9977add5cd68d0d9b (diff) | |
Unwire with map lock held
This is an updated version of uvm_map.c r1.283 "Unwire with map lock held".
The previous version introduced a use-after-free by not unlocking vm_map
locks in uvm_map_teardown(), resulting in dangling references on the
reaper's lock list (thanks visa!).
Lock and unlock the map in around uvm_map_teardown() instead.
This code path holds the last reference, hence the lock isn't strictly
needed except for satisfying upcoming locking assertions.
Tested on amd64, arm64, i386, macppc, octeon, sparc64.
This time also with WITNESS enabled (except on sparc64 which builds but does
not boot with WITNESS; this is a known issue).
OK mpi visa
Diffstat (limited to 'sys/uvm')
| -rw-r--r-- | sys/uvm/uvm_map.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/uvm/uvm_map.c b/sys/uvm/uvm_map.c index 9263c4d8ab5..6cb8b05acea 100644 --- a/sys/uvm/uvm_map.c +++ b/sys/uvm/uvm_map.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uvm_map.c,v 1.286 2022/02/11 12:06:48 kn Exp $ */ +/* $OpenBSD: uvm_map.c,v 1.287 2022/02/14 21:11:02 kn Exp $ */ /* $NetBSD: uvm_map.c,v 1.86 2000/11/27 08:40:03 chs Exp $ */ /* @@ -3681,7 +3681,9 @@ uvmspace_free(struct vmspace *vm) shmexit(vm); #endif + vm_map_lock(&vm->vm_map); uvm_map_teardown(&vm->vm_map); + vm_map_unlock(&vm->vm_map); pool_put(&uvm_vmspace_pool, vm); } } |