From jason@jason.kmost.express.ru  Mon Feb  7 14:00:26 2000
Return-Path: <jason@jason.kmost.express.ru>
Received: from jason.kmost.express.ru (jason.kmost.express.ru [212.24.37.101])
	by builder.freebsd.org (Postfix) with ESMTP id 59C794011
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  7 Feb 2000 14:00:21 -0800 (PST)
Received: (from jason@localhost)
	by jason.kmost.express.ru (8.9.3/8.9.3) id AAA00553;
	Tue, 8 Feb 2000 00:57:28 +0300 (MSK)
	(envelope-from jason)
Message-Id: <200002072157.AAA00553@jason.kmost.express.ru>
Date: Tue, 8 Feb 2000 00:57:28 +0300 (MSK)
From: jason@express.ru
Sender: jason@jason.kmost.express.ru
Reply-To: jason@express.ru
To: FreeBSD-gnats-submit@freebsd.org
Subject: extensive fork()+mmap() causes 4.0 kernel to panic()
X-Send-Pr-Version: 3.2

>Number:         16573
>Category:       kern
>Synopsis:       extensive fork()+mmap() causes 4.0 kernel to panic()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dillon
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb  7 14:10:01 PST 2000
>Closed-Date:    Thu Feb 17 00:46:09 PST 2000
>Last-Modified:  Thu Feb 17 00:47:10 PST 2000
>Originator:     Dmitry Kim
>Release:        FreeBSD 4.0-20000127-CURRENT i386
>Organization:
BTU "Russian Express"
>Environment:

[jason@jsn jason]$ uname -a
FreeBSD jsn.kmost.express.ru 4.0-20000127-CURRENT FreeBSD 4.0-20000127-CURRENT #3: Mon Feb  7 23:31:48 MSK 2000     root@jsn.kmost.express.ru:/usr/src/sys/compile/JSN  i386

>Description:

on 4.0-20000127-CURRENT i386:
   when doing while(1) { if( !fork() ) { mmap(); exit() } }, after a certain
  number of iterations (probably ~10000), fork() ends up with kernel panic.

>How-To-Repeat:

file x.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>

#define MAX 1048576

/* Fork a child that maps the named file read-only and exits.  The parent
 * deliberately does not wait() for the child (see the commented-out call),
 * so every exited child is left behind as a zombie. */
int fork_and_mmap(char *fname)
{
	int pid = fork();

	if (pid == -1) {
		perror("fork()");
		sleep(1);
	} else if (pid == 0) {
		int fd;
		struct stat s;
		void *this;

		if ((fd = open(fname, O_RDONLY, 0)) < 0) {
			perror(fname);
			exit(1);
		}
		if (fstat(fd, &s) < 0) {
			perror("fstat");
			exit(1);
		}
		this = mmap(NULL, s.st_size, PROT_READ, MAP_PRIVATE, fd, (off_t)0);
		if (this == MAP_FAILED) {
			perror("mmap");
			sleep(1);
		}
		close(fd);
		fprintf(stderr, "!");
		exit(0);
	} else {
		fprintf(stderr, "(");
		/* wait(&pid); */
		fprintf(stderr, ")");
	}
	return pid;
}

int main(void)
{
	int i = 0;
	char filename[2048];

	/* Read one file name per line from stdin (the output of find(1) below). */
	while (i++ < MAX) {
		if (fgets(filename, sizeof filename, stdin) == NULL) {
			fprintf(stderr, "end of file list reached\n");
			break;
		}
		filename[strcspn(filename, "\n")] = '\0';
		fork_and_mmap(filename);
		if (!(i % 512))
			fprintf(stderr, "[%d] .. ", i);
		if (i > 200000) {
			fprintf(stderr, "200000 reached, exiting\n");
			return 0;
		}
	}
	return 0;
}

gcc -o x x.c
find / -type f -print > filelist
./x < filelist
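The repro above never reaps its children (the wait() call is commented out), so every exited child lingers as a zombie while the parent keeps calling fork(); the backtrace in the audit trail shows the panic landing inside pmap_new_proc() during one of those later fork() calls. The following is an added example, not the reporter's code and not from the FreeBSD tree: the same fork()+mmap() loop written as a bounded stress test that a tester could run without it degenerating into a fork bomb. It reaps every child, caps how many are alive at once, checks mmap() against MAP_FAILED, and reports how many children succeeded. The temporary sample file, the MAX_INFLIGHT cap and all function names are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Upper bound on children alive at the same time (constructed value).
 * The original repro has no such bound and never calls wait(). */
#define MAX_INFLIGHT 8

/* Child body: map the file read-only, touch one byte, unmap, report status.
 * Returns 0 on success, 1 on any failure (used as the child's exit code). */
static int map_file_once(const char *fname)
{
	struct stat st;
	int fd = open(fname, O_RDONLY);
	if (fd < 0)
		return 1;
	if (fstat(fd, &st) < 0 || st.st_size == 0) {	/* mmap() of 0 bytes fails */
		close(fd);
		return 1;
	}
	void *p = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	close(fd);			/* the mapping stays valid after close() */
	if (p == MAP_FAILED)
		return 1;
	volatile unsigned char first = ((unsigned char *)p)[0];	/* force a fault-in */
	(void)first;
	return munmap(p, (size_t)st.st_size) == 0 ? 0 : 1;
}

/* Reap exactly one child and account for it. */
static void reap_one(int *running, int *ok)
{
	int status;
	if (wait(&status) < 0) {	/* ECHILD: nothing left to reap */
		*running = 0;
		return;
	}
	(*running)--;
	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
		(*ok)++;
}

/* Fork `total` children, never more than `inflight` alive at once; each
 * child maps fname.  Every child is reaped, so no zombies accumulate.
 * Returns the number of children that exited with status 0. */
int stress_mmap_forks(const char *fname, int total, int inflight)
{
	int running = 0, ok = 0;
	for (int i = 0; i < total; i++) {
		if (running >= inflight)
			reap_one(&running, &ok);
		pid_t pid = fork();
		if (pid < 0) {
			perror("fork");
			break;
		}
		if (pid == 0)
			_exit(map_file_once(fname));
		running++;
	}
	while (running > 0)
		reap_one(&running, &ok);
	return ok;
}

/* Create a constructed 4 KiB sample file, run 64 children against it with
 * the MAX_INFLIGHT cap, remove the file and return the success count. */
int run_demo(void)
{
	char path[] = "/tmp/mmapdemo.XXXXXX";	/* constructed, not from the report */
	int fd = mkstemp(path);
	if (fd < 0)
		return -1;
	char buf[4096];
	memset(buf, 'A', sizeof buf);
	if (write(fd, buf, sizeof buf) != (ssize_t)sizeof buf) {
		close(fd);
		unlink(path);
		return -1;
	}
	close(fd);
	int ok = stress_mmap_forks(path, 64, MAX_INFLIGHT);
	unlink(path);
	return ok;
}

int main(void)
{
	int ok = run_demo();
	printf("%d of 64 children mapped the sample file successfully\n", ok);
	return ok == 64 ? 0 : 1;
}
```

The difference from the repro is entirely in the parent: reaping each child returns its process slot and per-process kernel allocations before the next fork(), and the in-flight cap bounds the worst case even if a child hangs. A kernel-side cap such as the vm.max_proc_mmap sysctl mentioned in the closing note is a separate control and is not modelled here.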

>Fix:



>Release-Note:
>Audit-Trail:

From: Dmitry Kim <jason@nichego.net>
To: freebsd-gnats-submit@FreeBSD.org, jason@express.ru
Cc:  
Subject: Re: kern/16573: extensive fork()+mmap() causes 4.0 kernel to panic()
Date: Tue, 08 Feb 2000 01:32:30 +0300

 it just hit me that the following appendix to the previous message may be of
 interest to someone :)
 
 IdlePTD 3534848
 initial pcb at 2d8f40
 panicstr: (fmt null)
 
 panic messages:
 ---
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x8
 fault code              = supervisor write, page not present
 instruction pointer     = 0x8:0xc021be97
 stack pointer           = 0x10:0xc9605e28
 frame pointer           = 0x10:0xc9605e44
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 206 (y)
 interrupt mask          = none
 panic: (fmt null)
 
 panic: (fmt null)
 
 Uptime: 32s
 
 dumping to dev #wd/0x20001, offset 131200
 dump 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38
 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11
 10 9 8 7 6 5 4 3 2 1 0
 ---
 #0  boot (howto=260) at ../../kern/kern_shutdown.c:304
 304                     dumppcb.pcb_cr3 = rcr3();
 (kgdb) bt
 #0  boot (howto=260) at ../../kern/kern_shutdown.c:304
 #1  0xc014f6a1 in panic (fmt=0x0) at ../../kern/kern_shutdown.c:554
 #2  0xc0128211 in db_fncall (dummy1=0, dummy2=0, dummy3=0,
     dummy4=0xc9605c94 "\236I\025I\025") at ../../ddb/db_command.c:532
 #3  0xc012803d in db_command (last_cmdp=0xc02aa95c, cmd_table=0xc02aa7bc,
     aux_cmd_tablep=0xc02d54f0) at ../../ddb/db_command.c:333
 #4  0xc0128102 in db_command_loop () at ../../ddb/db_command.c:455
 #5  0xc012a18b in db_trap (type=12, code=0) at ../../ddb/db_trap.c:71
 #6  0xc024bf15 in kdb_trap (type=12, code=0, regs=0xc9605de8)
     at ../../i386/i386/db_interface.c:158
 #7  0xc02586b0 in trap_fatal (frame=0xc9605de8, eva=8)
     at ../../i386/i386/trap.c:901
 #8  0xc0258389 in trap_pfault (frame=0xc9605de8, usermode=0, eva=8)
     at ../../i386/i386/trap.c:799
 #9  0xc0257f2f in trap (frame={tf_fs = -1069088752, tf_es = -1071513584,
       tf_ds = 16, tf_edi = -1070730488, tf_esi = 0, tf_ebp = -916431292,
       tf_isp = -916431340, tf_ebx = -1070737056, tf_edx = 0,
       tf_ecx = -891138048, tf_eax = 0, tf_trapno = 12, tf_err = 2,
       tf_eip = -1071530345, tf_cs = 8, tf_eflags = 66118,
       tf_esp = -1070730488, tf_ss = -1070730488}) at ../../i386/i386/trap.c:423
 #10 0xc021be97 in vm_map_insert (map=0xc02df308, object=0x0, offset=0,
     start=3403829248, end=3403837440, prot=7 '\a', max=7 '\a', cow=4)
     at ../../vm/vm_map.c:521
 #11 0xc021c0c8 in vm_map_find (map=0xc02df308, object=0x0, offset=0,
     addr=0xc9605eb4, length=8192, find_space=1, prot=7 '\a', max=7 '\a', cow=4)
     at ../../vm/vm_map.c:655
 #12 0xc021b28f in kmem_alloc_nofault (map=0xc02df308, size=8192)
     at ../../vm/vm_kern.c:135
 #13 0xc0254576 in pmap_new_proc (p=0xcae08200) at ../../i386/i386/pmap.c:891
 #14 0xc021ae18 in vm_fork (p1=0xc9104480, p2=0xcae08200, flags=20)
     at ../../vm/vm_glue.c:245
 #15 0xc0149813 in fork1 (p1=0xc9104480, flags=20, procp=0xc9605f38)
     at ../../kern/kern_fork.c:485
 #16 0xc0148fd2 in fork (p=0xc9104480, uap=0xc9605f80)
     at ../../kern/kern_fork.c:100
 #17 0xc0258922 in syscall (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
       tf_edi = -1077937248, tf_esi = -1077937256, tf_ebp = -1077939436,
       tf_isp = -916430892, tf_ebx = 1, tf_edx = 10, tf_ecx = -1077940340,
       tf_eax = 2, tf_trapno = 12, tf_err = 2, tf_eip = 671610772, tf_cs = 31,
       tf_eflags = 662, tf_esp = -1077939560, tf_ss = 47})
     at ../../i386/i386/trap.c:1055
 #18 0xc024c816 in Xint0x80_syscall ()
 #19 0x8048797 in ?? ()
 #20 0x8048575 in ?? ()
 (kgdb)
 
 
 
Responsible-Changed-From-To: freebsd-bugs->dillon
Responsible-Changed-By: sheldonh
Responsible-Changed-When: Wed Feb 16 00:43:53 PST 2000
Responsible-Changed-Why:
Matt, is the panic in vm_map_insert() expected behaviour inside an mmapping fork-bomb?
State-Changed-From-To: open->closed
State-Changed-By: dillon
State-Changed-When: Thu Feb 17 00:46:09 PST 2000
State-Changed-Why:
Committed change for 4.0 release, added sysctl vm.max_proc_mmap with reasonable defaults set.
>Unformatted:
