From owner-freebsd-bugs Sun May 30 15:50:10 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 216A615399
	for ; Sun, 30 May 1999 15:50:02 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id PAA94770;
	Sun, 30 May 1999 15:50:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from nfs.dragondata.com (nfs.dragondata.com [204.137.237.7])
	by hub.freebsd.org (Postfix) with ESMTP id 9C54C14E1B
	for ; Sun, 30 May 1999 15:40:39 -0700 (PDT)
	(envelope-from toasty@nfs.dragondata.com)
Received: (from root@localhost)
	by nfs.dragondata.com (8.9.3/8.9.3) id RAA83486;
	Sun, 30 May 1999 17:40:39 -0500 (CDT)
	(envelope-from toasty)
Message-Id: <199905302240.RAA83486@nfs.dragondata.com>
Date: Sun, 30 May 1999 17:40:39 -0500 (CDT)
From: toasty@dragondata.com
Reply-To: toasty@dragondata.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/11948: mmaping memory device, then forking causes negative rss
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         11948
>Category:       kern
>Synopsis:       mmaping memory device, then forking causes negative rss
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 30 15:50:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Kevin Day
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
DragonData Internet Services, Inc.
>Environment:

	3.1 or 4.0 system, with some mmapable device (/dev/mem or similar)

>Description:

	When mmap'ing a device, then forking, the resident size of the
	child process becomes negative.

>How-To-Repeat:

1.c:

/* Header names were stripped from the archived copy; these six are
 * the ones the calls below require. */
#include <sys/types.h>
#include <sys/mman.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
	int k;
	char *low1mb;
	int devmem;

	/* Map the first 8 MB of physical memory through /dev/mem. */
	devmem = open("/dev/mem", O_RDWR);
	low1mb = (char *)mmap(0, 0x800000, (PROT_READ | PROT_WRITE),
	    MAP_INHERIT | MAP_SHARED, devmem, 0);

	printf("Starting 2...\n");
	if (rfork(RFCFDG | RFPROC)) {
		/* Parent: give the child a moment, then exit. */
		usleep(100);
	} else {
		/* Child: exec the idle program; execl() only returns on error. */
		k = execl("./2", "2", (char *) 0);
		if (k) {
			printf("io returned %d errno %d\n", k, errno);
		}
		_exit(0);
	}
	return 0;
}

2.c:

#include <unistd.h>

int main(void)
{
	/* Idle forever so the process can be inspected with top/ps. */
	while (1)
		sleep(10000);
}

Compile, and run '1'.

top shows:

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
  899 root      10    0  748K 32760M nanslp   0:00  0.00%  0.00% 2

ps shows:

root     899  0.0 53622.9   748 -7960  p1  I     6:14AM    0:00.00 2
    0   899     1   0  10  0   748 -7960 nanslp I     p1    0:00.00 2

Repeatedly doing this will cause the kernel to panic with
"panic: multiple frees".

>Fix:

I couldn't find a fix for this within an hour of looking, and had to move on.
This appeared between 3.0 and 3.1, so it shouldn't be *too* hard to find. :)

Kevin

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
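
The symptom in this report (a negative RSS and a %MEM far above 100 in ps output) can be checked for mechanically on a running system. The following is an added example, not part of the original report: it assumes the `ps aux` column order USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND, and its sample input is constructed except for the PID 899 row, which is the one quoted in the report.

```python
# Added example: flag ps(1) rows whose memory accounting is impossible,
# as in the report (RSS -7960, %MEM 53622.9).
# Assumption: `ps aux` layout, 10 fixed columns followed by COMMAND.

# Constructed sample; only the PID 899 row comes from the report.
SAMPLE = """\
USER   PID %CPU    %MEM  VSZ   RSS TT STAT STARTED    TIME COMMAND
root     1  0.0     0.1  496   268 ?? ILs  5:58AM  0:00.05 /sbin/init --
root   899  0.0 53622.9  748 -7960 p1 I    6:14AM  0:00.00 2
"""

def check_row(line):
    """Return (pid, command, reasons) for one `ps aux` data row."""
    fields = line.split(None, 10)      # COMMAND may itself contain spaces
    if len(fields) < 11:
        raise ValueError("short ps row: %r" % line)
    pid = int(fields[1])
    pmem = float(fields[3])
    rss_kb = int(fields[5])
    reasons = []
    if rss_kb < 0:
        reasons.append("negative RSS (%d KB)" % rss_kb)
    if pmem < 0.0 or pmem > 100.0:
        reasons.append("%%MEM out of range (%.1f)" % pmem)
    return pid, fields[10], reasons

def scan(ps_output):
    """Return the rows of ps output that show corrupted memory accounting."""
    findings = []
    for line in ps_output.splitlines():
        if not line.strip() or line.split()[0] == "USER":
            continue                   # skip blank lines and the header
        pid, command, reasons = check_row(line)
        if reasons:
            findings.append((pid, command, reasons))
    return findings

if __name__ == "__main__":
    for pid, command, reasons in scan(SAMPLE):
        print("pid %d (%s): %s" % (pid, command, "; ".join(reasons)))
```
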