From toasty@nfs.dragondata.com Sun May 30 15:40:41 1999
Return-Path: <toasty@nfs.dragondata.com>
Received: from nfs.dragondata.com (nfs.dragondata.com [204.137.237.7])
	by hub.freebsd.org (Postfix) with ESMTP id 9C54C14E1B
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 30 May 1999 15:40:39 -0700 (PDT)
	(envelope-from toasty@nfs.dragondata.com)
Received: (from root@localhost)
	by nfs.dragondata.com (8.9.3/8.9.3) id RAA83486;
	Sun, 30 May 1999 17:40:39 -0500 (CDT)
	(envelope-from toasty)
Message-Id: <199905302240.RAA83486@nfs.dragondata.com>
Date: Sun, 30 May 1999 17:40:39 -0500 (CDT)
From: toasty@dragondata.com
Sender: toasty@nfs.dragondata.com
Reply-To: toasty@dragondata.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: mmaping memory device, then forking causes negative rss
X-Send-Pr-Version: 3.2

>Number:         11948
>Category:       kern
>Synopsis:       mmaping memory device, then forking causes negative rss
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 30 15:50:01 PDT 1999
>Closed-Date:    Sat Jun 5 09:19:02 PDT 1999
>Last-Modified:  Sat Jun  5 09:20:34 PDT 1999
>Originator:     Kevin Day
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
DragonData Internet Services, Inc.
>Environment:

3.1 or 4.0 system, with some mmapable device (/dev/mem or similar)

>Description:

When mmap'ing a device, then forking, the resident size of the child process
becomes negative.


>How-To-Repeat:

1.c:
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/mman.h>

int main(void) {
    int k;
    char *low;
    int devmem;

    /* Map 8 MB of /dev/mem shared; MAP_INHERIT makes the child keep it. */
    devmem = open("/dev/mem", O_RDWR);
    if (devmem < 0) {
        perror("open /dev/mem");
        return 1;
    }
    low = (char *)mmap(0, 0x800000, (PROT_READ | PROT_WRITE),
                       MAP_INHERIT | MAP_SHARED, devmem, 0);
    if (low == MAP_FAILED) {
        perror("mmap");
        return 1;
    }

    printf("Starting 2...\n");
    /* Fork with a fresh fd table, then exec the idle program '2' in the child. */
    if (rfork(RFCFDG|RFPROC)) {
        usleep(100);
    } else {
        k = execl("./2", "2", (char *) 0);
        if (k) {
            printf("execl returned %d errno %d\n", k, errno);
        }
        _exit(0);
    }
    return 0;
}




2.c:

#include <unistd.h>

/* Idle child: exists only so its RSS can be inspected with ps/top. */
int main(void) {
    while (1)
        sleep(10000);
    return 0;
}



Compile, and run '1'.

top shows:


  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
  899 root      10   0   748K 32760M nanslp   0:00  0.00%  0.00% 2


ps shows:

root     899  0.0 53622.9   748 -7960  p1  I     6:14AM   0:00.00 2
0   899     1   0  10  0   748 -7960 nanslp I     p1    0:00.00 2



Repeatedly doing this will cause the kernel to panic with "panic: multiple
frees".


>Fix:

I couldn't find a fix for this within an hour of looking, and had to move
on. This appeared between 3.0 and 3.1, so it shouldn't be *too* hard to
find. :)



Kevin

>Release-Note:
>Audit-Trail:

From: Luoqi Chen <luoqi@watermarkgroup.com>
To: freebsd-gnats-submit@freebsd.org, toasty@dragondata.com
Cc:  
Subject: Re: kern/11948: mmaping memory device, then forking causes negative rss
Date: Fri, 04 Jun 1999 21:20:27 -0400

 Can you try the following patch? It should fix the negative rss size
 problem.
 Please also try to see if you can reproduce the "multiple frees" panic
 after the patch.
 
 -lq
 
 Index: pmap.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/i386/i386/pmap.c,v
 retrieving revision 1.237
 diff -u -r1.237 pmap.c
 --- pmap.c      1999/06/01 18:19:44     1.237
 +++ pmap.c      1999/06/05 01:10:07
 @@ -2655,7 +2655,7 @@
                 if (srcptepaddr & PG_PS) {
                         if (dst_pmap->pm_pdir[ptepindex] == 0) {
                                 dst_pmap->pm_pdir[ptepindex] =
 (pd_entry_t) srcptepaddr;
 -                               dst_pmap->pm_stats.resident_count +=
 NBPDR;
 +                               dst_pmap->pm_stats.resident_count +=
 NBPDR / PAGE_SIZE;
                         }
                         continue;
                 }
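Review bot: the `+` line corrects the unit of the increment (pm_stats.resident_count is a page count, so adding NBPDR bytes for every copied PG_PS entry inflated it by a factor of PAGE_SIZE), but the hunk only touches the copy path; the code that later removes a PG_PS entry from the destination pmap should be checked to confirm it subtracts the same NBPDR / PAGE_SIZE, otherwise the counter drifts the other way. Two smaller points: as quoted here the mailer has wrapped the long lines (the `-` and `+` lines continue on the following `NBPDR` lines), so this text will not apply with patch(1) as-is and needs an unwrapped copy; and the commit message should say that this change does not by itself address the "multiple frees" panic, which the cover mail asks the submitter to re-test rather than claims to fix.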
 
State-Changed-From-To: open->closed 
State-Changed-By: luoqi 
State-Changed-When: Sat Jun 5 09:19:02 PDT 1999 
State-Changed-Why:  
Fixed. 
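The accounting error behind the symptom, as an added example that models it. This is editor-written code, not the PR's reproducer and not FreeBSD's pmap.c: the struct, the function names and the 8 MB constructed mapping are assumptions, and only the constants (PAGE_SIZE, NBPDR, the PG_PS bit) mirror i386 values. It copies superpage directory entries from a parent pmap into a child pmap the way fork() does, once with the byte-unit increment the patch removes and once with the page-unit increment it adds, and converts the resulting count to the kilobyte RSS that ps/top would display.

```c
/*
 * Added example (not from the PR and not FreeBSD kernel code): a minimal
 * model of the PG_PS branch of pmap_copy(), to show why mixing byte and
 * page units in pm_stats.resident_count inflates a child's RSS after fork().
 * Constants mirror i386; the struct and mapping below are constructed.
 */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#ifdef PAGE_SIZE
#undef PAGE_SIZE
#endif
#define PAGE_SIZE   4096u
#define NBPDR       (4u * 1024u * 1024u)   /* bytes covered by one PDE: a 4 MB superpage */
#define PG_PS       0x080u                 /* page-size bit in a PDE, as on i386 */
#define NPDEPG      1024                   /* PDEs per page directory */

/* Constructed model of the parts of struct pmap that the accounting touches. */
struct model_pmap {
    uint32_t pm_pdir[NPDEPG];
    int      resident_count;   /* intended unit: pages */
};

/* Back a len-byte region at addr with 4 MB superpages in pm. */
static void model_map_superpages(struct model_pmap *pm, uint32_t addr, uint32_t len)
{
    for (uint32_t va = addr; va < addr + len; va += NBPDR)
        pm->pm_pdir[va / NBPDR] = (va & ~(NBPDR - 1)) | PG_PS;
}

/*
 * Copy the superpage PDEs from src into dst (what fork() does via pmap_copy()).
 * buggy == true bumps the count by NBPDR (bytes), as the old code did; the
 * fixed form adds NBPDR / PAGE_SIZE (pages). Returns dst->resident_count.
 */
static int model_pmap_copy(struct model_pmap *dst, const struct model_pmap *src, bool buggy)
{
    for (int i = 0; i < NPDEPG; i++) {
        uint32_t pde = src->pm_pdir[i];
        if ((pde & PG_PS) && dst->pm_pdir[i] == 0) {
            dst->pm_pdir[i] = pde;
            dst->resident_count += buggy ? (int)NBPDR : (int)(NBPDR / PAGE_SIZE);
        }
    }
    return dst->resident_count;
}

/* RSS in kilobytes, the way ps/top derive it from a page count. */
static long model_rss_kb(int resident_pages)
{
    return (long)resident_pages * (long)(PAGE_SIZE / 1024);
}

/* Model the PR's 8 MB /dev/mem mapping (two superpages) and return the child's count. */
static int model_child_count(bool buggy)
{
    struct model_pmap parent = {0}, child = {0};
    model_map_superpages(&parent, 0x10000000u, 0x800000u);
    return model_pmap_copy(&child, &parent, buggy);
}

int main(void)
{
    int bad = model_child_count(true), good = model_child_count(false);
    printf("byte-unit increment: %d \"pages\" -> %ld KB (~%ld MB)\n",
           bad, model_rss_kb(bad), model_rss_kb(bad) / 1024);
    printf("page-unit increment: %d pages -> %ld KB\n", good, model_rss_kb(good));
    return 0;
}
```

For the PR's 8 MB mapping the byte-unit form credits the child with 8388608 "pages", which ps/top then scale by the page size into a figure on the order of 32 GB, the magnitude seen in the top line above; the page-unit form gives 2048 pages, i.e. the 8 MB actually mapped.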
>Unformatted:
