Fix ipc session close race properly

nx/include/switch/kernel/ipc.h

@@ -449,6 +449,16 @@ static inline Result ipcQueryPointerBufferSize(Handle session, size_t *size) {
     return rc;
 }
 
+/**
+ * @brief Closes the IPC session with proper clean up.
+ * @param session IPC session handle.
+ * @return Result code.
+ */
+static inline Result ipcCloseSession(Handle session) {
+    u32* buf = (u32*)armGetTls();
+    buf[0] = 2;
+    return ipcDispatch(session);
+}
 ///@}
 
 ///@name IPC domain handling

nx/include/switch/services/sm.h

@@ -134,6 +134,7 @@ static inline void serviceClose(Service* s) {
 
     case ServiceType_Normal:
     case ServiceType_Domain:
+        ipcCloseSession(s->handle);
         svcCloseHandle(s->handle);
         break;
 

nx/source/kernel/tmem.c

@@ -92,25 +92,7 @@ Result tmemClose(TransferMemory* t)
             rc = svcCloseHandle(t->handle);
         }
 
-        if (t->src_addr != NULL)
+        if (t->src_addr != NULL) {
-        {
-            // This fixes a race condition where a remote process that has transfer
-            // memory mapped, but has not yet had time to unmap it.
-            // It will still be non-readable in our process until the other process has
-            // unmapped it, and we cannot free() it without crashing.
-            while (1) {
-                MemoryInfo info;
-                u32 who_cares;
-
-                if (R_FAILED(svcQueryMemory(&info, &who_cares, (u64) t->src_addr)))
-                    fatalSimple(MAKERESULT(Module_Libnx, LibnxError_BadQueryMemory));
-
-                if (!(info.attr & MemAttr_IsBorrowed))
-                    break;
-
-                svcSleepThread(1000000);
-            }
-
             free(t->src_addr);
         }