From Tor.Egge@idt.ntnu.no  Sat Mar  1 12:18:00 1997
Received: from pat.idt.unit.no (0@pat.idt.unit.no [129.241.103.5])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA27426
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 1 Mar 1997 12:17:55 -0800 (PST)
Received: from ikke.idt.unit.no (tegge@ikke.idt.unit.no [129.241.111.65])
	by pat.idt.unit.no (8.8.5/8.8.5) with ESMTP id VAA14624
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 1 Mar 1997 21:17:49 +0100 (MET)
Received: (from tegge@localhost) by ikke.idt.unit.no (8.8.5/8.8.3) id VAA00598; Sat, 1 Mar 1997 21:17:49 +0100 (MET)
Message-Id: <199703012017.VAA00598@ikke.idt.unit.no>
Date: Sat, 1 Mar 1997 21:17:49 +0100 (MET)
From: Tor Egge <Tor.Egge@idt.ntnu.no>
Reply-To: Tor.Egge@idt.ntnu.no
To: FreeBSD-gnats-submit@freebsd.org
Subject: mlock+minherit+fork+munlock causes panics or freezes
X-Send-Pr-Version: 3.2

>Number:         2840
>Category:       kern
>Synopsis:       mlock+minherit+fork+munlock causes panics or freezes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    tegge
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar  1 12:20:01 PST 1997
>Closed-Date:    Thu Nov 15 18:03:49 2001
>Last-Modified:  Thu Nov 15 18:04:57 PST 2001
>Originator:     Tor Egge
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway

>Environment:

FreeBSD ikke.idt.unit.no 3.0-CURRENT FreeBSD 3.0-CURRENT #2: Sat Feb  1 03:55:57 MET 1997     root@ikke.idt.unit.no:/usr/src/sys-UP/compile/TEGGE  i386

>Description:

Accounting of wired pages is not consistent under all circumstances.
By using mlock() and minherit(), then fork(), then munlock() in both child
and parent processes, the wired count is reduced by both munlocks(), causing
a too small (or even negative) value for wired count.

Other side effects are freezes (i.e. kernel is alive, but all programs hang),
or panics.

>How-To-Repeat:

Look at wire count (using top or systat). Run the appended program as root.
If the program crashes, run it again. Look at wire count again.

---
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <errno.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <vm/vm.h>
#include <vm/vm_inherit.h>

int main(int argc,char **argv)
{
  int i;
  int j;
  char *a;
  char *b;
  char *aend;
  char *p;
  size_t alen;
  size_t blen;
  pid_t pid;
  int wres;
  int sum;
  int res;

  alen = 1024 * 1024 * 1;
  blen = 1024 * 1024 * 1;
  a = malloc(alen);
  assert(a);
  aend = a + alen;
  sum = 0;
  /* Read every byte of a to fault its pages in. */
  for (p=a;p<aend;p++)
    sum += *p;
  /* Mark a as shared with children created by fork(). */
  res = minherit(a,alen,VM_INHERIT_SHARE);
  printf("minherit: a=%p, alen=0x%lx, res=%d, errno=%d\n",
         (void *)a,(unsigned long)alen,res,errno);
  for (j=0;j<10;j++) {
    b = malloc(blen);
    assert(b);
    /* Wire b in the parent before forking. */
    res = mlock(b,blen);
    printf("mlock: res=%d, errno=%d\n",res,errno);
    printf("pass %d\n",j);
    for (i=0;i<3;i++) {
      pid = fork();
      if (pid<0) {
        perror("fork");
        exit(1);
      }
      if (pid==0) {
        /* Child: unlock the region that the parent wired. */
        res = munlock(b,blen);
        printf("munlock: res=%d, errno=%d\n",res,errno);
        free(b);
        sleep(2);
        exit(0);
      }
    }
    for (p=a;p<aend;p++)
      sum += *p;
    sleep(3);
    /* Reap any children that have already exited. */
    while (waitpid(-1,&wres,WNOHANG)>0) {
      /* */
    }
    /* Parent: unlock the same region a second time. */
    res = munlock(b,blen);
    printf("munlock: res=%d, errno=%d\n",res,errno);
    free(b);
  }
  exit(0);
}

>Fix:
	

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: johan 
State-Changed-When: Fri Oct 27 13:10:31 PDT 2000 
State-Changed-Why:  
Hi Tor 

Is this still a problem in more recent versions of FreeBSD
(for example 4.x or current)?

The supplied how-to-repeat program does not compile
on a 4.1-STABLE system. Can you please close the PR
if the problem is solved?



http://www.freebsd.org/cgi/query-pr.cgi?pr=2840 
Responsible-Changed-From-To: freebsd-bugs->tegge 
Responsible-Changed-By: kris 
Responsible-Changed-When: Thu May 24 12:41:44 PDT 2001 
Responsible-Changed-Why:  
Assigning to submitter 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=2840

State-Changed-From-To: feedback->closed
State-Changed-By: tegge
State-Changed-When: Thu Nov 15 18:03:49 2001
State-Changed-Why:
Fixed in revisions 1.192 and 1.187.2.4 of sys/vm/vm_map.c.
>Unformatted:
