From 05457439ab275d51c6a5f1b03753e052ac81a858 Mon Sep 17 00:00:00 2001 From: Richard Fuchs Date: Tue, 16 Sep 2025 08:12:09 -0400 Subject: [PATCH] MT#55283 delegate shm refcount to table We don't track individual uses of the shared memory, so we can't safely free it when the mapping is closed, as the internal forwarding targets may still point into it. Delay freeing until the table itself is freed. Each mmap then counts as another reference on the table. Unmap then simply decreases the reference count but never actually frees the pages. Change-Id: Ic33454155cd0083f733711ce52699047cff9e56c (cherry picked from commit de961d5b4327b9d23059afa308b83dad31c0de0c) --- kernel-module/xt_RTPENGINE.c | 23 +++++------------------ 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c index 3ca24502b..02b10c877 100644 --- a/kernel-module/xt_RTPENGINE.c +++ b/kernel-module/xt_RTPENGINE.c @@ -478,7 +478,6 @@ struct re_hmac { }; struct re_shm { - atomic_t users; void *head; struct rtpengine_table *table; struct list_head list_entry; @@ -1993,31 +1992,20 @@ static void vm_mmap_open(struct vm_area_struct *vma) { if (!(shm = vma->vm_private_data)) return; - atomic_inc(&shm->users); + ref_get(shm->table); } static void vm_mmap_close(struct vm_area_struct *vma) { struct re_shm *shm; - struct rtpengine_table *t; if (vma->vm_ops != &vm_mmap_ops) return; if (!(shm = vma->vm_private_data)) return; - if (!atomic_dec_and_test(&shm->users)) - return; - - t = shm->table; - - spin_lock(&t->shm_lock); - list_del_init(&shm->list_entry); - spin_unlock(&t->shm_lock); - - vfree(shm->head); - kfree(shm); - vma->vm_private_data = NULL; + + table_put(shm->table); } static void *shm_map_resolve(void *p, size_t size) { @@ -2885,8 +2873,7 @@ static int proc_control_mmap(struct file *file, struct vm_area_struct *vma) { } shm->head = pages; - atomic_set(&shm->users, 1); - shm->table = t; + shm->table = t; // not a reference vma->vm_private_data = shm; vma->vm_ops = &vm_mmap_ops; @@ -2910,7 +2897,7 @@ static int proc_control_mmap(struct file *file, struct vm_area_struct *vma) { list_add(&shm->list_entry, &t->shm_list); spin_unlock(&t->shm_lock); - table_put(t); + // retain reference on table - belongs to the shm list now return 0; }