Date: Sat, 21 Dec 2002 19:21:57 -0500
From: Jake Burkholder
To: Matt Dillon
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern kern_exit.c src/sys/vm vm_map.c vm_map.h
Message-ID: <20021221192157.B25630@locore.ca>
References: <200212151850.gBFIo5vL019297@repoman.freebsd.org>

Apparently, On Sun, Dec 15, 2002 at 10:50:05AM -0800,
	Matt Dillon said words to the effect of;

> dillon      2002/12/15 10:50:05 PST
>
>   Modified files:
>     sys/kern             kern_exit.c
>     sys/vm               vm_map.c vm_map.h
>   Log:
>   Fix a refcount race with the vmspace structure.  In order to prevent
>   resource starvation we clean-up as much of the vmspace structure as we
>   can when the last process using it exits.  The rest of the structure
>   is cleaned up when it is reaped.  But since exit1() decrements the ref
>   count it is possible for a double-free to occur if someone else, such as
>   the process swapout code, references and then dereferences the structure.
>   Additionally, the final cleanup of the structure should not occur until
>   the last process referencing it is reaped.
>
>   This commit solves the problem by introducing a secondary reference count,
>   calling 'vm_exitingcnt'.  The normal reference count is decremented on exit
>   and vm_exitingcnt is incremented.  vm_exitingcnt is decremented when the
>   process is reaped.  When both vm_exitingcnt and vm_refcnt are 0, the
>   structure is freed for real.

Will you merge this change into RELENG_5_0 as well?  The bug still exists
there I think and needs to be fixed for 5.0-R.

Thanks,
Jake

>
>   MFC after:      3 weeks
>
>   Revision  Changes    Path
>   1.188     +8 -1      src/sys/kern/kern_exit.c
>   1.275     +17 -6     src/sys/vm/vm_map.c
>   1.93      +2 -2      src/sys/vm/vm_map.h
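
The two-counter scheme from the quoted commit log, as an added example that is not part of the original message and is not FreeBSD kernel code: a simplified user-space C model that counts how often the final free is triggered. Every name other than vm_refcnt and vm_exitingcnt is hypothetical, and the old scheme's behaviour (a free on any drop to zero, plus a free at reap) is an assumption drawn from the log's description.

```c
/* Simplified user-space model of the commit log's description; not kernel code. */
#include <stdio.h>

struct vmspace_model {      /* hypothetical stand-in for struct vmspace */
    int vm_refcnt;          /* normal reference count */
    int vm_exitingcnt;      /* processes that exited but are not yet reaped */
    int frees;              /* times the final free was triggered */
};

/* Old scheme (assumed): one counter; any drop to 0 frees, and reaping frees too. */
static void old_exit(struct vmspace_model *vm)  { vm->vm_refcnt--; }
static void old_deref(struct vmspace_model *vm) { if (--vm->vm_refcnt == 0) vm->frees++; }
static void old_reap(struct vmspace_model *vm)  { vm->frees++; }

/* New scheme: exit moves the process's claim from vm_refcnt to vm_exitingcnt,
 * and the final free happens only when both counters are 0. */
static void new_exit(struct vmspace_model *vm)  { vm->vm_refcnt--; vm->vm_exitingcnt++; }
static void new_deref(struct vmspace_model *vm)
{
    if (--vm->vm_refcnt == 0 && vm->vm_exitingcnt == 0)
        vm->frees++;
}
static void new_reap(struct vmspace_model *vm)
{
    if (--vm->vm_exitingcnt == 0 && vm->vm_refcnt == 0)
        vm->frees++;
}

/* Scenario: the only process exits, a swapout-style user takes and drops a
 * temporary reference, then the process is reaped. Returns the free count. */
int frees_old_scheme(void)
{
    struct vmspace_model vm = { 1, 0, 0 };
    old_exit(&vm);          /* refcnt 1 -> 0, partial cleanup only */
    vm.vm_refcnt++;         /* temporary reference, 0 -> 1 */
    old_deref(&vm);         /* 1 -> 0 again: first free */
    old_reap(&vm);          /* second free: the double free */
    return vm.frees;
}

int frees_new_scheme(void)
{
    struct vmspace_model vm = { 1, 0, 0 };
    new_exit(&vm);          /* refcnt 0, exitingcnt 1 */
    vm.vm_refcnt++;         /* temporary reference */
    new_deref(&vm);         /* refcnt 0 but exitingcnt 1: no free */
    new_reap(&vm);          /* both counters 0: the single free */
    return vm.frees;
}

int main(void)
{
    printf("old: %d frees, new: %d frees\n", frees_old_scheme(), frees_new_scheme());
    return 0;
}
```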