From 68abd1cb29095b3384c33e8d676ffa252d8f9153 Mon Sep 17 00:00:00 2001
From: Tom <tomut@yahoo.com>
Date: Tue, 24 Nov 2020 10:26:32 -0700
Subject: Kernel: Fix SharedBuffer reference counting on fork

We need to not only add a record for a reference, but we need
to copy the reference count on fork as well, because the code
in the fork assumes that it has the same amount of references,
still.

Also, once all references are dropped when a process is disowned,
delete the shared buffer.

Fixes #4076
---
 Kernel/SharedBuffer.cpp | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

(limited to 'Kernel/SharedBuffer.cpp')

diff --git a/Kernel/SharedBuffer.cpp b/Kernel/SharedBuffer.cpp
index 39cd8681aa..0e0682a590 100644
--- a/Kernel/SharedBuffer.cpp
+++ b/Kernel/SharedBuffer.cpp
@@ -126,11 +126,14 @@ void SharedBuffer::share_all_shared_buffers(Process& from_process, Process& with
     LOCKER(shared_buffers().lock());
     for (auto& shbuf : shared_buffers().resource()) {
         auto& shared_buffer = *shbuf.value;
-        if (shared_buffer.m_global)
-            continue;
+        // We need to clone all references (including for global shared buffers),
+        // and the reference counts as well.
         for (auto& ref : shared_buffer.m_refs) {
             if (ref.pid == from_process.pid()) {
-                shared_buffer.share_with(with_process.pid());
+                auto ref_count = ref.count;
+                shared_buffer.m_refs.append(Reference(with_process.pid(), ref_count));
+                // NOTE: ref may become invalid after we appended!
+                shared_buffer.m_total_refs += ref_count;
                 break;
             }
         }
@@ -143,7 +146,9 @@ void SharedBuffer::deref_for_process(Process& process)
     for (size_t i = 0; i < m_refs.size(); ++i) {
         auto& ref = m_refs[i];
         if (ref.pid == process.pid()) {
+            ASSERT(ref.count > 0);
             ref.count--;
+            ASSERT(m_total_refs > 0);
             m_total_refs--;
             if (ref.count == 0) {
 #ifdef SHARED_BUFFER_DEBUG
@@ -164,7 +169,7 @@ void SharedBuffer::deref_for_process(Process& process)
     ASSERT_NOT_REACHED();
 }
 
-void SharedBuffer::disown(ProcessID pid)
+bool SharedBuffer::disown(ProcessID pid)
 {
     LOCKER(shared_buffers().lock());
     for (size_t i = 0; i < m_refs.size(); ++i) {
@@ -173,15 +178,18 @@ void SharedBuffer::disown(ProcessID pid)
 #ifdef SHARED_BUFFER_DEBUG
             dbg() << "Disowning shared buffer " << m_shbuf_id << " of size " << size() << " by PID " << pid.value();
 #endif
+            ASSERT(m_total_refs >= ref.count);
             m_total_refs -= ref.count;
             m_refs.unstable_take(i);
 #ifdef SHARED_BUFFER_DEBUG
             dbg() << "Disowned shared buffer " << m_shbuf_id << " of size " << size() << " by PID " << pid.value();
 #endif
             destroy_if_unused();
-            return;
+            break;
         }
     }
+
+    return m_total_refs == 0;
 }
 
 void SharedBuffer::destroy_if_unused()
-- 
cgit v1.2.3