From nis@pc3.geta.hatoyama.hitachi.co.jp  Wed Mar  7 22:33:54 2001
Return-Path: <nis@pc3.geta.hatoyama.hitachi.co.jp>
Received: from pc3.geta.hatoyama.hitachi.co.jp (amaterasu.hatoyama.hitachi.co.jp [133.145.150.129])
	by hub.freebsd.org (Postfix) with ESMTP id E6A3637B71E
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  7 Mar 2001 22:33:52 -0800 (PST)
	(envelope-from nis@pc3.geta.hatoyama.hitachi.co.jp)
Received: (from nis@localhost)
	by pc3.geta.hatoyama.hitachi.co.jp (8.11.1/8.11.1) id f286XnB02074;
	Thu, 8 Mar 2001 15:33:49 +0900 (JST)
	(envelope-from nis)
Message-Id: <200103080633.f286XnB02074@pc3.geta.hatoyama.hitachi.co.jp>
Date: Thu, 8 Mar 2001 15:33:49 +0900 (JST)
From: Shingo Nishioka <nis@pc3.geta.hatoyama.hitachi.co.jp>
Reply-To: nis@pc3.geta.hatoyama.hitachi.co.jp
To: FreeBSD-gnats-submit@freebsd.org
Subject: mmap + fork = panic: vm_object_deallocate: object deallocated too may times: 0
X-Send-Pr-Version: 3.2

>Number:         25603
>Category:       i386
>Synopsis:       mmap + fork = panic: vm_object_deallocate: object deallocated too may times: 0
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 07 22:40:05 PST 2001
>Closed-Date:    Fri Mar 9 10:28:34 PST 2001
>Last-Modified:  Fri Mar 09 10:30:08 PST 2001
>Originator:     Shingo Nishioka
>Release:        FreeBSD 4.2-RELEASE i386
>Organization:
CRL, Hitachi, Ltd.
>Environment:

	FreeBSD 4.2-RELEASE (GENERIC) #0: Mon Nov 20 13:02:55 GMT 2000

>Description:

	The code below causes a "panic: vm_object_deallocate: object deallocated too may times: 0"

>How-To-Repeat:

Compile and run the following code.

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>

int
main(void)
{
	char *path = "foo.c";	/* any readable, non-empty file serves as the backing object */
	int d;
	struct stat sb;
	void *p;
	size_t len;

	if ((d = open(path, O_RDONLY)) == -1) {
		perror(path);
		return 1;
	}

	if (fstat(d, &sb) == -1) {
		perror(path);
		return 1;
	}

	/*
	 * Map the whole file read-only.  MAP_INHERIT (FreeBSD-specific) marks
	 * the region as inherited by the child after fork().
	 */
	len = sb.st_size;
	if ((p = mmap(0, len, PROT_READ, MAP_INHERIT, d, 0)) == MAP_FAILED) {
		perror("mmap");
		return 1;
	}

	/*
	 * fork() duplicates the address space; with the mapping above this
	 * is enough to produce the reported panic.  Neither process touches
	 * the mapping afterwards.
	 */
	fork();

	return 0;
}

>Fix:


>Release-Note:
>Audit-Trail:

From: Ian Dowse <iedowse@maths.tcd.ie>
To: nis@pc3.geta.hatoyama.hitachi.co.jp
Cc: FreeBSD-gnats-submit@freebsd.org, dillon@freebsd.org,
	iedowse@maths.tcd.ie
Subject: Re: i386/25603: mmap + fork = panic: vm_object_deallocate: object deallocated too may times: 0 
Date: Thu, 08 Mar 2001 15:54:13 +0000

 In message <200103080633.f286XnB02074@pc3.geta.hatoyama.hitachi.co.jp>, Shingo 
 Nishioka writes:
 >
 >	The code below causes a "panic: vm_object_deallocate: object deallocated
 > too may times: 0"
 
 The following patch seems to solve this problem, though I have
 no idea whether or not it is correct, and I've only done minimal
 testing. It seems that when a shadow object is created in
 vmspace_fork(), only one of the two object references gets
 transferred to the shadow object. Matt? Anyone?
 
 Ian
 
 Index: vm_map.c
 ===================================================================
 RCS file: /dump/FreeBSD-CVS/src/sys/vm/vm_map.c,v
 retrieving revision 1.194
 diff -u -r1.194 vm_map.c
 --- vm_map.c	2001/02/04 06:19:28	1.194
 +++ vm_map.c	2001/03/08 15:47:42
 @@ -2155,6 +2155,10 @@
  					&old_entry->offset,
  					atop(old_entry->end - old_entry->start));
  				old_entry->eflags &= ~MAP_ENTRY_NEEDS_COPY;
 +				/* Transfer the original reference too. */
 +				vm_object_reference(
 +				    old_entry->object.vm_object);
 +				vm_object_deallocate(object);
  				object = old_entry->object.vm_object;
  			}
  			vm_object_clear_flag(object, OBJ_ONEMAPPING);
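Review bot: the comment `/* Transfer the original reference too. */` should spell out which two references are meant and why dropping one here is safe, since the correctness of this hunk rests on `vm_object_deallocate(object)` not releasing the last reference to the pre-shadow object. At that point `object` still names the original object (it is only reassigned to `old_entry->object.vm_object` on the following line), so the deallocate is sound only if the shadow created by the preceding vm_object_shadow() call holds its own backing reference to it. Consider stating that invariant in the comment, or adding a `KASSERT(object->ref_count > 0, ...)` after the deallocate under INVARIANTS, given the accompanying note that the change has had only minimal testing.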
State-Changed-From-To: open->closed 
State-Changed-By: iedowse 
State-Changed-When: Fri Mar 9 10:28:34 PST 2001 
State-Changed-Why:  

Fixed in revision 1.195 of sys/vm/vm_map.c. Thanks for 
the bug report! 


http://www.freebsd.org/cgi/query-pr.cgi?pr=25603 
>Unformatted:
