Venkatesh Srinivas <[email protected]> added the comment:

Hi,

I just saw a patch, 49aa3df0ca3e226c0a0d7097863a2426ee6fd534, go in to fix this
issue; it adds:


+
+                       /*
+                        * Temporary refs may still have been acquired while
+                        * we removed the process, make sure they are all
+                        * gone before kfree()ing.  Now that the process has
+                        * been removed from all lists and all references to
+                        * it have gone away, no new refs can occur.
+                        */
+                       while (p->p_lock)
+                               tsleep(p, 0, "reap4", hz);
                        kfree(p, M_PROC);
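Review bot: the pair `while (p->p_lock) tsleep(p, 0, "reap4", hz);` followed by `kfree(p, M_PROC);` is a check-then-free sequence, so its safety rests entirely on the invariant asserted in the comment (the process is already off every list and no new reference can be taken) rather than on anything the loop itself enforces; any path that can still PHOLD() the process after it has been unlinked defeats it. Suggest asserting or at least documenting, at the point where the process is unlinked, which lock or list removal guarantees that invariant, so a reader of this hunk can verify it. On the reload question: tsleep() is an opaque call, so the compiler must reload p->p_lock on each iteration, but if p_lock is updated from other CPUs the intent is clearer with an explicitly volatile or barrier-protected read. Also, sleeping on an hz timeout with no wakeup from the releasing side makes this a polling loop; if the release path can issue a wakeup on p, the timeout could be replaced by a proper wakeup.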

First, is anything required to ensure that p->p_lock is really loaded each loop
iteration? Is the compiler allowed to optimize away the load after the first 
loop?

Second, I don't understand how this is safe; the problem here is that another
code path obtained a reference to this process and was using it when the kfree()
happened. What prevents this?

A                                   B
...
vm_waitproc(p)

while(p->p_lock)
   tsleep(...)
                                    /* get reference to process */
                                    PHOLD(p)
kfree(p)
                                    /* HEY! */

Thanks,
-- vs

_____________________________________________________
DragonFly issue tracker <[email protected]>
<http://bugs.dragonflybsd.org/issue1996>
_____________________________________________________