From dada@sbox.tugraz.at  Wed Sep  1 17:48:55 2004
Return-Path: <dada@sbox.tugraz.at>
Message-Id: <20040901194853.8fdww4w80gcg80ks@webmail.tugraz.at>
Date: Wed,  1 Sep 2004 19:48:53 +0200
From: dada@sbox.tugraz.at
To: FreeBSD problem reports <freebsd-gnats-submit@freebsd.org>
Subject: [patch] anonymous mmappings not always page aligned

>Number:         71258
>Category:       kern
>Synopsis:       [vm] [patch] anonymous mmappings not always page aligned
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    jhb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 01 17:50:26 GMT 2004
>Closed-Date:    Wed Apr 14 15:23:43 UTC 2010
>Last-Modified:  Sun May 30 19:30:04 UTC 2010
>Originator:     Martin Kammerhofer
>Release:        FreeBSD 4.10-RELEASE-p2 i386
>Organization:
Graz Uni
>Environment:
System: FreeBSD Martin.liebt.Susi 4.10-RELEASE-p2 FreeBSD 4.10-RELEASE-p2 #3: Mon Aug 30 22:43:58 CEST 2004 toor@Martin.liebt.Susi:/mnt/redhat/freebsd/usr/src/sys/compile/GEIDORF4 i386
>Description:
Quote from the mmap(2) manpage:

     MAP_ANON          Map anonymous memory not associated with any specific
		       file.  The file descriptor used for creating MAP_ANON
		       must be -1.  The offset argument is ignored.
		                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The actual implementation _does_ use the offset argument. The offset
modulo the hardware page size is used for size calculation and added
to the return value.

(This should be no problem with POSIX conforming applications because
POSIX _mandates_ EINVAL for nonaligned offsets.)
>How-To-Repeat:
#include <sys/types.h>
#include <sys/mman.h>
#include <stdio.h>

int main(void) {
    /* MAP_ANON with a deliberately non-page-aligned offset.  The manpage says
       the offset is ignored, yet the low 12 bits of it (0x678) show up in the
       returned address. */
    printf("%p\n", mmap(0, 0x1000, PROT_NONE, MAP_ANON, -1, 0x12345678));
    return 0;
}
>Fix:
--- vm_mmap.c.orig	Thu Aug  5 09:04:33 2004
+++ vm_mmap.c	Tue Aug 31 12:47:11 2004
@@ -227,25 +227,28 @@
 
 	if (flags & MAP_STACK) {
 		if ((uap->fd != -1) ||
 		    ((prot & (PROT_READ | PROT_WRITE)) != (PROT_READ | PROT_WRITE)))
 			return (EINVAL);
 		flags |= MAP_ANON;
-		pos = 0;
 	}
 
-	/*
-	 * Align the file position to a page boundary,
-	 * and save its page offset component.
-	 */
-	pageoff = (pos & PAGE_MASK);
-	pos -= pageoff;
+	if (flags & MAP_ANON) {
+		pageoff = pos = 0;
+	} else {
+		/*
+		 * Align the file position to a page boundary,
+		 * and save its page offset component.
+		 */
+		pageoff = (pos & PAGE_MASK);
+		pos -= pageoff;
 
-	/* Adjust size for rounding (on both ends). */
-	size += pageoff;			/* low end... */
-	size = (vm_size_t) round_page(size);	/* hi end */
+		/* Adjust size for rounding (on both ends). */
+		size += pageoff;			/* low end... */
+		size = (vm_size_t) round_page(size);	/* hi end */
+	}
 
 	/*
 	 * Check for illegal addresses.  Watch out for address wrap... Note
 	 * that VM_*_ADDRESS are not constants due to casts (argh).
 	 */
 	if (flags & MAP_FIXED) {
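Review bot: moving `size += pageoff;` and `size = (vm_size_t) round_page(size);` into the `else` branch means the length of a MAP_ANON request is no longer rounded up to a page multiple at this point, which the pre-patch code did unconditionally; unless every later consumer of `size` in this function re-rounds it, hoist those two lines back out after the `if/else` and keep only the `pageoff`/`pos` handling inside the `else`. The new `if (flags & MAP_ANON) { pageoff = pos = 0; }` branch also silently discards a non-zero offset rather than failing the call, which is the manpage-compatible choice but not the POSIX one; whichever is chosen, a comment on the branch stating the intended semantics would help.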
@@ -284,13 +287,12 @@
 	if (flags & MAP_ANON) {
 		/*
 		 * Mapping blank space is trivial.
 		 */
 		handle = NULL;
 		maxprot = VM_PROT_ALL;
-		pos = 0;
 	} else {
 		/*
 		 * Mapping file, get fp for validation. Obtain vnode and make
 		 * sure it is of appropriate type.
 		 * don't let the descriptor disappear on us if we block
 		 */
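Review bot: removing `pos = 0;` from the MAP_ANON block makes this spot depend on the earlier hunk having already zeroed `pos` for every anonymous path, including the MAP_STACK one; a one-line comment such as `/* pos already zeroed for MAP_ANON above */` would stop a later reader from re-adding the assignment or from missing the dependency if the alignment block is reworked.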


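A small model of the size and address arithmetic the report describes, added here as an illustration and not code from the PR or the FreeBSD tree: it reproduces the pre-patch vm_mmap.c computation for the report's own call, mmap(0, 0x1000, PROT_NONE, MAP_ANON, -1, 0x12345678), beside the rule committed later in r205536 (a non-zero MAP_ANON offset is rejected with EINVAL). MODEL_BASE, the 4 KiB page geometry and the function names are constructed assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed i386 page geometry matching the report's kernel (4 KiB pages). */
#define MODEL_PAGE_SIZE 0x1000u
#define MODEL_PAGE_MASK (MODEL_PAGE_SIZE - 1)
/* Hypothetical base address the VM map search hands back; constructed value. */
#define MODEL_BASE      0x28100000u

struct mapping { uintptr_t addr; size_t size; };

static size_t model_round_page(size_t x) {
    return (x + MODEL_PAGE_MASK) & ~(size_t)MODEL_PAGE_MASK;
}

/* Pre-patch arithmetic from vm_mmap.c: the offset's page-offset component is
 * saved, folded into the size, and added back to the returned address,
 * regardless of MAP_ANON.  That is how pos % PAGE_SIZE leaks into the result. */
struct mapping old_anon_mmap(size_t len, off_t pos) {
    uintptr_t pageoff = (uintptr_t)pos & MODEL_PAGE_MASK;
    struct mapping m;
    m.size = model_round_page(len + pageoff);  /* low end, then hi end rounding */
    m.addr = MODEL_BASE + pageoff;             /* return value carries pageoff */
    return m;
}

/* Committed rule (r205536): MAP_ANON with a non-zero offset is EINVAL; otherwise
 * the mapping is page aligned and only the length is rounded.  Returns 0 or errno. */
int fixed_anon_mmap(size_t len, off_t pos, struct mapping *m) {
    if (pos != 0)
        return EINVAL;
    m->addr = MODEL_BASE;
    m->size = model_round_page(len);
    return 0;
}

int is_page_aligned(uintptr_t addr) { return (addr & MODEL_PAGE_MASK) == 0; }

int main(void) {
    struct mapping old = old_anon_mmap(0x1000, 0x12345678), fixed;
    printf("old:   addr=%#lx size=%#lx aligned=%d\n", (unsigned long)old.addr,
           (unsigned long)old.size, is_page_aligned(old.addr));
    printf("fixed: errno=%d\n", fixed_anon_mmap(0x1000, 0x12345678, &fixed));
    return 0;
}
```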
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kmacy 
State-Changed-When: Fri Nov 16 09:53:24 UTC 2007 
State-Changed-Why:  

Is this still an issue on RELENG_7? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71258 
State-Changed-From-To: feedback->open 
State-Changed-By: kmacy 
State-Changed-When: Fri Nov 16 16:59:21 UTC 2007 
State-Changed-Why:  

Please comment on whether or not it is worth updating the docs 
or this is just blatant pilot error. 


Responsible-Changed-From-To: freebsd-bugs->alc 
Responsible-Changed-By: kmacy 
Responsible-Changed-When: Fri Nov 16 16:59:21 UTC 2007 
Responsible-Changed-Why:  

Please comment on whether or not it is worth updating the docs  
or this is just blatant pilot error.  


http://www.freebsd.org/cgi/query-pr.cgi?pr=71258 

From: Martin Kammerhofer <dada@sbox.tugraz.at>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/71258: [vm] [patch] anonymous mmappings not always page
	aligned
Date: Mon, 19 Nov 2007 11:47:22 +0100

 Changing the mmap(2) wording like
 s/The offset argument is ignored/The offset argument must be zero/
 should suffice.
 
 HTH Martin
 
 

From: Alexander Best <alexbestms@math.uni-muenster.de>
To: <bug-followup@FreeBSD.org>,
 <dada@sbox.tugraz.at>
Cc:  
Subject: Re: kern/71258: [vm] [patch] anonymous mmappings not always page
 aligned
Date: Sun, 08 Nov 2009 03:23:32 +0100 (CET)

 the problem described in this pr has been discussed with John Baldwin and Alan
 Cox in this thread
 
 http://lists.freebsd.org/pipermail/freebsd-hackers/2009-October/029773.html
 
 attached is a new patch to deal with the problem. this changes the semantics
 of mmap like so:
 
 1) if MAP_ANON is defined and offset !=0 ====>  return EINVAL
 2) if MAP_STACK is defined and offset !=0 ====> offset = 0
 
 please set this pr into analysed state.
 
 thanks.
 alex
 
 [Attachment: vmmmap.c.patch.txt (base64-encoded patch omitted)]

From: Alexander Best <alexbestms@math.uni-muenster.de>
To: <bug-followup@FreeBSD.org>,
 <dada@sbox.tugraz.at>
Cc:  
Subject: Re: kern/71258: [vm] [patch] anonymous mmappings not always page
 aligned
Date: Sun, 08 Nov 2009 03:50:44 +0100 (CET)

 this patch changes mmap(2) to reflect the changes made by the previous patch.
 
 alex
 
 [Attachment: mmap.2.patch.txt (base64-encoded patch omitted)]

From: Martin Kammerhofer <dada@sbox.tugraz.at>
To: Alexander Best <alexbestms@math.uni-muenster.de>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/71258: [vm] [patch] anonymous mmappings not always page
 aligned
Date: Sun, 08 Nov 2009 13:53:42 +0100

 Mmap(2) behavior with Alexander's patch is the standards conforming  
 way of doing it.  My original patch made mmap(2) behave like the  
 manpage said.
 
 Whether mmap(2) ignores non-zero MAP_ANON offsets (my patch; matches
 current manpage) or returns EINVAL (Alexander's patch; POSIX specified
 behavior) is not important to me.  Standards conformance is good, but
 doing it the POSIX way incurs a slight possibility of breaking
 existing software.
 Anyway, the manpage should describe mmap(2) behavior accurately!
 

From: Alexander Best <alexbestms@wwu.de>
To: <bug-followup@FreeBSD.org>,
 <dada@sbox.tugraz.at>
Cc:  
Subject: Re: kern/71258: [vm] [patch] anonymous mmappings not always page
 aligned
Date: Mon, 09 Nov 2009 20:29:27 +0100 (CET)

 jhb@ mentioned in this post
 
 http://lists.freebsd.org/pipermail/freebsd-hackers/2009-November/029982.html
 
 that of the following changes:
 
 1) if MAP_ANON is defined and offset !=0 ====> return EINVAL
 2) if MAP_STACK is defined and offset !=0 ====> offset = 0
 
 2) isn't true, because that's the way mmap has always behaved. this leaves 1)
 being the only patch-change in the mmap semantics.
 
 alex
State-Changed-From-To: open->analyzed 
State-Changed-By: linimon 
State-Changed-When: Fri Feb 26 22:26:54 UTC 2010 
State-Changed-Why:  
A patch has been circulated and an approach agreed on. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71258 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/71258: commit references a PR
Date: Tue, 23 Mar 2010 21:08:17 +0000 (UTC)

 Author: jhb
 Date: Tue Mar 23 21:08:07 2010
 New Revision: 205536
 URL: http://svn.freebsd.org/changeset/base/205536
 
 Log:
   Reject attempts to create a MAP_ANON mapping with a non-zero offset.
   
   PR:		kern/71258
   Submitted by:	Alexander Best
   MFC after:	2 weeks
 
 Modified:
   head/lib/libc/sys/mmap.2
   head/sys/vm/vm_mmap.c
 
 Modified: head/lib/libc/sys/mmap.2
 ==============================================================================
 --- head/lib/libc/sys/mmap.2	Tue Mar 23 20:12:53 2010	(r205535)
 +++ head/lib/libc/sys/mmap.2	Tue Mar 23 21:08:07 2010	(r205536)
 @@ -105,7 +105,7 @@ The file descriptor used for creating
  must be \-1.
  The
  .Fa offset
 -argument is ignored.
 +argument must be 0.
  .\".It Dv MAP_FILE
  .\"Mapped from a regular file or character-special device memory.
  .It Dv MAP_ANONYMOUS
 @@ -316,6 +316,11 @@ was equal to zero.
  was specified and the
  .Fa fd
  argument was not -1.
 +.It Bq Er EINVAL
 +.Dv MAP_ANON
 +was specified and the
 +.Fa offset
 +argument was not 0.
  .It Bq Er ENODEV
  .Dv MAP_ANON
  has not been specified and
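Review bot: the new ERRORS entry reads `argument was not 0.` while the existing entry in this hunk's context reads `was equal to zero.`; pick one spelling of the number for the two new lines here and for `argument must be 0.` in the previous hunk, so the page is consistent with itself.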
 
 Modified: head/sys/vm/vm_mmap.c
 ==============================================================================
 --- head/sys/vm/vm_mmap.c	Tue Mar 23 20:12:53 2010	(r205535)
 +++ head/sys/vm/vm_mmap.c	Tue Mar 23 21:08:07 2010	(r205536)
 @@ -233,7 +233,7 @@ mmap(td, uap)
  	/* Make sure mapping fits into numeric range, etc. */
  	if ((uap->len == 0 && !SV_CURPROC_FLAG(SV_AOUT) &&
  	     curproc->p_osrel >= 800104) ||
 -	    ((flags & MAP_ANON) && uap->fd != -1))
 +	    ((flags & MAP_ANON) && (uap->fd != -1 || pos != 0)))
  		return (EINVAL);
  
  	if (flags & MAP_STACK) {
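Review bot: the `pos != 0` rejection is placed before the `if (flags & MAP_STACK)` block, which (per the context shown in the original patch) ORs MAP_ANON into `flags` and zeroes `pos`; so a MAP_STACK caller with a non-zero offset is still silently accepted while a plain MAP_ANON caller gets EINVAL. That matches point 2 of the thread (MAP_STACK behaviour unchanged), but a short comment on the condition would record that the ordering is deliberate, and it is worth confirming that `pos` has already been taken from `uap->pos` at this point, which the hunk context does not show.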
 @@ -300,7 +300,6 @@ mmap(td, uap)
  		handle = NULL;
  		handle_type = OBJT_DEFAULT;
  		maxprot = VM_PROT_ALL;
 -		pos = 0;
  	} else {
  		/*
  		 * Mapping file, get fp for validation and
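Review bot: with `pos = 0;` removed here, the MAP_ANON block relies on an invariant enforced about 70 lines earlier (non-zero `pos` rejected for plain MAP_ANON, zeroed for MAP_STACK); a one-line comment in place of the deleted assignment would make that dependency visible to the next person editing either spot.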
 
State-Changed-From-To: analyzed->patched 
State-Changed-By: jhb 
State-Changed-When: Tue Mar 23 21:20:21 UTC 2010 
State-Changed-Why:  
A solution was applied to HEAD. 


Responsible-Changed-From-To: alc->jhb 
Responsible-Changed-By: jhb 
Responsible-Changed-When: Tue Mar 23 21:20:21 UTC 2010 
Responsible-Changed-Why:  
A solution was applied to HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71258 
State-Changed-From-To: patched->closed 
State-Changed-By: jhb 
State-Changed-When: Wed Apr 14 15:23:30 UTC 2010 
State-Changed-Why:  
Fix merged to 7. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71258 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/71258: commit references a PR
Date: Sun, 30 May 2010 19:22:45 +0000 (UTC)

 nox         2010-05-30 19:22:32 UTC
 
   FreeBSD ports repository
 
   Modified files:
     emulators/qemu       Makefile 
     emulators/qemu/files patch-osdep.c 
   Log:
   - Avoid using mmap MAP_ANON with a non-zero offset.  [1]
   - Bump PORTREVISION.
   
   PR:             kern/71258 [1]
   
   Revision  Changes    Path
   1.112     +1 -1      ports/emulators/qemu/Makefile
   1.5       +8 -1      ports/emulators/qemu/files/patch-osdep.c
 
>Unformatted:
