From 53ad2dbd305d53f08617d1bf75a428d7a3efd83e Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Sat, 3 Aug 2019 18:47:31 +0000
Subject: [PATCH] Acquire shmseg uobj reference while we hold shm_lock.

Otherwise nothing prevents it from being detached under our feet when we drop shm_lock.
---
sys/kern/sysv_shm.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sys/kern/sysv_shm.c b/sys/kern/sysv_shm.c
index f535c3fc01ae..156953fac1a1 100644
--- a/sys/kern/sysv_shm.c
+++ b/sys/kern/sysv_shm.c
@@ -425,14 +425,19 @@ sys_shmat(struct lwp *l, const struct sys_shmat_args *uap, register_t *retval)
 shmseg->shm_lpid = p->p_pid;
 shmseg->shm_nattch++;
 shm_realloc_disable++;
- mutex_exit(&shm_lock);
 
 /*
- * Add a reference to the memory object, map it to the
- * address space, and lock the memory, if needed.
+ * Add a reference to the uvm object while we hold the
+ * shm_lock.
 */
 uobj = shmseg->_shm_internal;
 uao_reference(uobj);
+ mutex_exit(&shm_lock);
+
+ /*
+ * Drop the shm_lock to map it into the address space, and lock
+ * the memory, if needed (XXX where does this lock memory?).
+ */
 error = uvm_map(&vm->vm_map, &attach_va, size, uobj, 0, 0,
 UVM_MAPFLAG(prot, prot, UVM_INH_SHARE, UVM_ADV_RANDOM, flags));
 if (error)
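Review bot: The two new comments document less than the commit message does: the one above `uao_reference(uobj)` says the reference is taken under shm_lock but not why, and the one after `mutex_exit(&shm_lock)` still phrases the drop as a future step and commits an unanswered `XXX`. I would write the first as `* Take a reference to the uvm object while we still hold shm_lock, so a concurrent detach cannot drop its last reference before uvm_map() takes ownership.` and the second as `* shm_lock is now dropped; map the object into the address space (any wiring is done after the map).`, with the wiring claim checked against the code that follows the hunk, which I cannot see, rather than left as an `XXX`. Because the reference is now acquired before the lock is released, the error path after `if (error)` must still `uao_detach(uobj)` and undo `shm_nattch++` and `shm_realloc_disable++` under shm_lock; that path lies outside the hunk, so please confirm it was not relying on the old ordering. sys_shmat begins and ends outside this hunk.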