From owner-freebsd-bugs Mon Jul 27 22:01:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA02056 for freebsd-bugs-outgoing; Mon, 27 Jul 1998 22:01:17 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA02049 for ; Mon, 27 Jul 1998 22:01:14 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id WAA08479; Mon, 27 Jul 1998 22:00:03 -0700 (PDT)
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA01485 for ; Mon, 27 Jul 1998 21:53:48 -0700 (PDT) (envelope-from dillon@backplane.com)
Received: (dillon@localhost) by apollo.backplane.com (8.8.8/8.6.5) id VAA18002; Mon, 27 Jul 1998 21:53:18 -0700 (PDT)
Message-Id: <199807280453.VAA18002@apollo.backplane.com>
Date: Mon, 27 Jul 1998 21:53:18 -0700 (PDT)
From: Matthew Dillon
Reply-To: dillon@backplane.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/7422: VM system fails to remove mapped page on truncate in some situations
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 7422
>Category: kern
>Synopsis: FreeBSD-current VM systems do not properly remove mapped pages on truncate in some situations. -stable does.
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 27 22:00:02 PDT 1998
>Last-Modified:
>Originator: Matthew Dillon
>Organization: Best Internet Communications, Inc.
>Release: FreeBSD 3.0-CURRENT i386
>Environment:

	Generic FreeBSD-current machine (CVS as of 26 Jul 98)
	Generic FreeBSD-stable machine (CVS somewhere between 2.2.6 and 2.2.7)

>Description:

	On a -current machine:

	If you open a file and use write() to write to it and either you
	or another process mmap()'s the file, if the file is then truncated,
	mmap()'d pages that should have been removed (made illegal) are
	sometimes not and can still be referenced with the original data
	still intact.

	Example: create a file, write 4096+(512 to 4095) bytes to it. mmap
	the file, reference the second page of the mmap
	(volatile x = ptr[4096];), then ftruncate the file to 4096 bytes.
	You can still reference the second page of the mmap (which should
	now be illegal) and it still contains the original data written
	to it.

	Now repeat the process but write 4096+4096 bytes to the file. Now
	when you ftruncate, referencing ptr[4096] after the ftruncate call
	will correctly segfault.

	(NOTE: This is different from the file corruption bug previously
	reported. This bug does not corrupt the file but does 'corrupt' the
	mmap. It may or may not be related to the previously reported file
	corruption-on-mmap while appending bug).

	(NOTE: The program properly segfaults in both cases on a -stable
	machine).

>How-To-Repeat:

/*
 * BADVM.C
 */

#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(int ac, char **av)
{
    int fd;
    char buf[4096 + 4096];
    volatile char *base;
    volatile int x;
    int n;

    if (ac == 1) {
	printf("Run with an argument of '512' and then run with an argument of '4096'\n");
	exit(1);
    }
    /* n = number of bytes written into the second page of the file */
    n = strtol(av[1], NULL, 0);
    if (n < 0 || n > 4096) {
	printf("argument out of bounds\n");
	exit(1);
    }

    remove("test");
    if ((fd = open("test", O_RDWR|O_CREAT, 0644)) < 0)
	perror("open");
    memset(buf, 1, sizeof(buf));
    if (write(fd, buf, 4096 + n) != 4096 + n)
	perror("write");

    /* map two pages and touch the second one before truncating */
    base = mmap((caddr_t)0, 8192, PROT_READ, MAP_SHARED, fd, 0);
    printf("map: %08lx\n", (long)base);
    printf("base[4096] should be 1: %d\n", base[4096]);

    /* truncate to one page; the second mapped page is now past EOF */
    ftruncate(fd, 4096);
    printf("base[4096] should fault: ");
    fflush(stdout);
    printf("%d\n", base[4096]);
    puts("oops, it didn't");

    /* extend the file again and see what the stale mapping shows */
    lseek(fd, 4096, 0);
    memset(buf, 2, sizeof(buf));
    if (write(fd, buf, 4096) != 4096)
	perror("write");
    printf("base[4096] should be 2: %d\n", base[4096]);
    return(0);
}

>Fix:
>Audit-Trail:
>Unformatted: