From owner-freebsd-bugs@FreeBSD.ORG  Sat Jan  5 00:20:03 2008
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 192FA16A417
	for <freebsd-bugs@hub.freebsd.org>;
	Sat,  5 Jan 2008 00:20:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 0397713C455
	for <freebsd-bugs@hub.freebsd.org>;
	Sat,  5 Jan 2008 00:20:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m050K2SF034998
	for <freebsd-bugs@freefall.freebsd.org>; Sat, 5 Jan 2008 00:20:02 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m050K24m034997;
	Sat, 5 Jan 2008 00:20:02 GMT (envelope-from gnats)
Date: Sat, 5 Jan 2008 00:20:02 GMT
Message-Id: <200801050020.m050K24m034997@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Zachary Loafman" <zachary.loafman@isilon.com>
Cc: 
Subject: Re: kern/93396: dlopen crash with locked page
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Zachary Loafman <zachary.loafman@isilon.com>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Jan 2008 00:20:03 -0000

The following reply was made to PR kern/93396; it has been noted by GNATS.

From: "Zachary Loafman" <zachary.loafman@isilon.com>
To: <bug-followup@FreeBSD.org>,
	<fabien.thomas@netasq.com>
Cc:  
Subject: Re: kern/93396: dlopen crash with locked page
Date: Fri, 4 Jan 2008 15:59:05 -0800

 I debugged this issue a bit further before checking the FreeBSD PR
 database. The fault in question ends up in this patch of code in
 vm_map_lookup:
 
 	if ((entry->eflags & MAP_ENTRY_USER_WIRED) &&
 	    (entry->eflags & MAP_ENTRY_COW) &&
 	    (fault_type & VM_PROT_WRITE) &&
 	    (fault_typea & VM_PROT_OVERRIDE_WRITE) =3D=3D 0) {
 		RETURN(KERN_PROTECTION_FAILURE);
 	}
 
 I can't discern why this check in vm_map_lookup even exists, but it
 borks RTLD completely after mlockall is called. Specifically, it breaks
 map_object, which does an mprotect to make the last page of a segment
 writable then tries to do a memset to test it, resulting in the crash
 above.