Message-Id: <200602151638.k1FGcDI2071407@www.freebsd.org>
Date: Wed, 15 Feb 2006 16:38:13 GMT
From: Fabien THOMAS <fabien.thomas@netasq.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: dlopen crash with locked page
X-Send-Pr-Version: www-2.3

>Number:         93396
>Category:       kern
>Synopsis:       dlopen crash with locked page
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 15 16:40:03 GMT 2006
>Closed-Date:    Fri May 21 10:45:01 UTC 2010
>Last-Modified:  Fri May 21 15:50:00 UTC 2010
>Originator:     Fabien THOMAS
>Release:        6.1 BETA1
>Organization:
NETASQ
>Environment:
FreeBSD build 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Fri Feb 10 18:39:05 CET 2006     root@build:/usr/obj/usr/src/sys/SMP  i386            
>Description:
When process pages are locked, any dlopen will crash.
It is not related to the 6.1 BETA version (it crashes under 6.0 RELEASE).

>How-To-Repeat:
cc -pthread -o dltest dltest.c
./dltest
Bus error (core dumped)
gdb:
(gdb) bt
#0  0x28058e7c in memset () from /libexec/ld-elf.so.1
#1  0x2806d060 in ?? ()
#2  0x28051909 in map_object () from /libexec/ld-elf.so.1
#3  0x2804e9ed in elf_hash () from /libexec/ld-elf.so.1
#4  0x2805073d in dlopen () from /libexec/ld-elf.so.1
#5  0x080487ec in main ()

dltest.c:
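#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/mman.h>
#include <pthread.h>
#include <stdio.h>
#include <dlfcn.h>

/* Raise the locked-memory limit, then wire all current and future pages. */
static void page_lockall (void)
{
        struct rlimit rlimit;

        rlimit.rlim_cur = RLIM_INFINITY;
        rlimit.rlim_max = RLIM_INFINITY;
        if (setrlimit (RLIMIT_MEMLOCK, &rlimit) != 0)
                perror ("setrlimit");

        if (mlockall (MCL_CURRENT | MCL_FUTURE) != 0)
                perror ("mlockall");
}

int main (int argc, char **argv)
{
        void *dl_handle;

        page_lockall();

        /* With pages locked, this dlopen is where the bus error occurs. */
        dl_handle = dlopen ("/usr/lib/pam_guest.so", RTLD_NOW);
        if (dl_handle == NULL) {
                fprintf (stderr, "dlopen: %s\n", dlerror ());
                return 1;
        }
        dlclose(dl_handle);
        return 0;
}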

>Fix:
              
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Feb 20 15:06:32 UTC 2006 
Responsible-Changed-Why:  
This does not sound i386-specific. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93396 

From: "Zachary Loafman" <zachary.loafman@isilon.com>
To: <bug-followup@FreeBSD.org>,
	<fabien.thomas@netasq.com>
Cc:  
Subject: Re: kern/93396: dlopen crash with locked page
Date: Fri, 4 Jan 2008 15:59:05 -0800

 I debugged this issue a bit further before checking the FreeBSD PR
 database. The fault in question ends up in this patch of code in
 vm_map_lookup:
 
 	if ((entry->eflags & MAP_ENTRY_USER_WIRED) &&
 	    (entry->eflags & MAP_ENTRY_COW) &&
 	    (fault_type & VM_PROT_WRITE) &&
 	    (fault_typea & VM_PROT_OVERRIDE_WRITE) == 0) {
 		RETURN(KERN_PROTECTION_FAILURE);
 	}
 
 I can't discern why this check in vm_map_lookup even exists, but it
 borks RTLD completely after mlockall is called. Specifically, it breaks
 map_object, which does an mprotect to make the last page of a segment
 writable then tries to do a memset to test it, resulting in the crash
 above.
 

From: "Zachary Loafman" <zachary.loafman@isilon.com>
To: <bug-followup@FreeBSD.org>,
	<fabien.thomas@netasq.com>
Cc:  
Subject: Re: kern/93396: dlopen crash with locked page
Date: Fri, 4 Jan 2008 17:59:57 -0800

 Testcase that takes out any RTLD interaction, demonstrates the problem
 quickly, and works just fine if you take out the mlockall:
 
 --
 #include <sys/mman.h>
 #include <sys/param.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <unistd.h>
 
 #define EXIT_IF(__cond, __str) do { if (__cond) { perror(__str); exit(-1); } } while(0)
 
 int
 main()
 {
 	char name[] = "/tmp/pr93396.XXXXXX";
 	char buf[PAGE_SIZE] = { 0 };
 	int rc, fd;
 	char *map;
 
 	fd = mkstemp(name);
 	EXIT_IF(fd < 0, "mkstemp");
 
 	rc = write(fd, buf, PAGE_SIZE);
 	EXIT_IF(rc < PAGE_SIZE, "write");
 
 	/* Wire all current and future pages. */
 	rc = mlockall(MCL_CURRENT | MCL_FUTURE);
 	EXIT_IF(rc, "mlockall");
 
 	/* Private (copy-on-write) read-only file mapping. */
 	map = mmap(NULL, PAGE_SIZE, PROT_READ, MAP_PRIVATE, fd, 0);
 	EXIT_IF(map == MAP_FAILED, "mmap");
 
 	rc = mprotect(map, PAGE_SIZE, PROT_READ|PROT_WRITE);
 	EXIT_IF(rc, "mprotect");
 
 	/* This store faults when the pages are wired. */
 	*map = 'a';
 
 	return 0;
 }
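
Added example, not part of the original report or of any follow-up: the mlockall / private mmap / mprotect / store sequence from the test case above, run in a forked child so a regression check can classify the outcome instead of dumping core in the caller. The names probe_wired_cow_write, child_body, enum probe_result and the temporary file name are assumptions of this example; it sizes the file with ftruncate and takes the page size from sysconf.

```c
#include <sys/mman.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum probe_result { PROBE_OK = 0, PROBE_FAULT = 1, PROBE_SETUP_FAILED = 2 };

/* Child: exits 0 if the store succeeds, 2 if a setup call fails.
 * On an affected kernel the store kills the child with a signal. */
static void child_body(void)
{
	char name[] = "/tmp/wiredcow.XXXXXX";	/* constructed temp name */
	long pagesz = sysconf(_SC_PAGESIZE);
	char *map;
	int fd;

	if ((fd = mkstemp(name)) < 0 || unlink(name) != 0 ||
	    ftruncate(fd, (off_t)pagesz) != 0)
		_exit(PROBE_SETUP_FAILED);
	/* Wire all current and future pages (may need privilege or rlimit). */
	if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0)
		_exit(PROBE_SETUP_FAILED);
	/* Private read-only file mapping: a wired copy-on-write entry. */
	map = mmap(NULL, (size_t)pagesz, PROT_READ, MAP_PRIVATE, fd, 0);
	if (map == MAP_FAILED ||
	    mprotect(map, (size_t)pagesz, PROT_READ | PROT_WRITE) != 0)
		_exit(PROBE_SETUP_FAILED);
	*(volatile char *)map = 'a';	/* write fault on the wired COW page */
	_exit(PROBE_OK);
}

/* Parent: run the sequence in a child and classify how it ended. */
enum probe_result probe_wired_cow_write(void)
{
	int status;
	pid_t pid = fork();

	if (pid == 0)
		child_body();	/* never returns */
	if (pid < 0 || waitpid(pid, &status, 0) != pid)
		return PROBE_SETUP_FAILED;
	if (WIFSIGNALED(status))
		return PROBE_FAULT;
	return WEXITSTATUS(status) == 0 ? PROBE_OK : PROBE_SETUP_FAILED;
}

int main(void)
{
	printf("result: %d (0 ok, 1 fault, 2 setup failed)\n", probe_wired_cow_write());
	return 0;
}
```

A result of 2 means the probe could not lock memory or create its file, so it says nothing about the kernel either way.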
 
State-Changed-From-To: open->feedback 
State-Changed-By: jh 
State-Changed-When: Fri May 21 08:39:56 UTC 2010 
State-Changed-Why:  
I couldn't reproduce this on 9.0-CURRENT. Is this report still relevant? 


Responsible-Changed-From-To: freebsd-bugs->jh 
Responsible-Changed-By: jh 
Responsible-Changed-When: Fri May 21 08:39:56 UTC 2010 
Responsible-Changed-Why:  
Track. 


From: Fabien Thomas <fabien.thomas@netasq.com>
To: bug-followup@FreeBSD.org,
 fabien.thomas@netasq.com
Cc:  
Subject: Re: kern/93396: dlopen crash with locked page
Date: Fri, 21 May 2010 10:46:37 +0200

 Yes, seems to work fine on head.
 
 fabien
State-Changed-From-To: feedback->closed 
State-Changed-By: jh 
State-Changed-When: Fri May 21 10:45:00 UTC 2010 
State-Changed-Why:  
Fixed in head and probably in stable/8. (Likely r198505 / r199416.) 


From: "Zachary Loafman" <zachary.loafman@isilon.com>
To: <bug-followup@FreeBSD.org>,
	<fabien.thomas@netasq.com>
Cc:  
Subject: Re: kern/93396: dlopen crash with locked page
Date: Fri, 21 May 2010 08:34:49 -0700

 Yup, I tried my repro on head and it seems to work fine.
>Unformatted:
