From: Roman Divacky
To: Tijl Coosemans
Cc: wine-freebsd@hub.org, Gardner Bell, freebsd-current@freebsd.org, Robert Watson, Volker
Date: Sun, 5 Aug 2007 18:21:12 +0200
Subject: Re: mmap(2) MAP_FIXED isn't thread-safe (+testcase)
Message-ID: <20070805162112.GA6412@freebsd.org>
In-Reply-To: <200708051656.50168.tijl@ulyssis.org>
List-Id: Discussions about the use of FreeBSD-current

On Sun, Aug 05, 2007 at 04:56:46PM +0200, Tijl Coosemans wrote:
> Hi all,
>
> While investigating ports/115092 and other reports of seemingly random
> page faults when running Wine, I think I've found the cause to be mmap
> not being thread-safe when MAP_FIXED is used. It causes mmap(MAP_FIXED)
> to return -1 (ENOMEM) sometimes when it shouldn't, but also to return an
> address with wrong protections, hence the protection faults occurring.
>
> Attached is a test program that shows this. It runs two threads. The
> first mmap()'s a region, starts a second thread and then goes in a loop
> calling mmap(PROT_WRITE,MAP_FIXED) on that region, essentially
> replacing that mapping. This is basically what rtld does to map an ELF
> object, for instance when dlopen(3) is called. The second thread tries
> to steal the mapping from the first by calling mmap(PROT_NONE) in a
> loop. After a while the program segfaults when the first thread tries
> to write to the mapped region.
>
> Some lines are commented out. If you remove the commenting, I hit on
> the case where mmap(MAP_FIXED) returns -1.
>
> The problem is in sys/vm/vm_mmap.c:vm_mmap(). In case of MAP_FIXED,
> first vm_map_remove() is called and then later vm_map_find(). This
> would need some locking, but I don't know which lock or how to approach
> this, so can somebody have a look at this?

man, you are fantastic! this www.vlakno.cz/~rdivacky/tijl.patch simple/stupid
patch makes flash9 work. this is of course the wrong solution but can be used
as a proof of concept. I wonder what else is broken by the MPunSAFEness of
the mmap() MAP_FIXED.

thanks a lot for investigating this!

roman
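The two-thread race Tijl describes, as an added example reconstructed from his description; this is not the test program attached to his mail (the attachment is not part of this page) and the names run_mmap_fixed_race, race_result and the thief/remapper split are mine. It assumes the stealing thread passes the contested address only as a hint, without MAP_FIXED, so that a kernel which replaces the mapping atomically must never hand that address to the thief (the region is always occupied) and the remapper's MAP_FIXED call must never fail with ENOMEM. On a kernel that implements MAP_FIXED as a separate vm_map_remove() followed by vm_map_find(), the thief can land in the gap between the two: either the thief's count is non-zero, the remapper sees ENOMEM, or the write in the remapper faults on a PROT_NONE page, which is the Wine symptom in the report.

```c
/* Added example: reproduce the mmap(MAP_FIXED) vs. concurrent mmap() race.
 * Assumed design (not the original attachment): the thief only hints the
 * address, it does not use MAP_FIXED itself. */
#define _GNU_SOURCE
#define _DEFAULT_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS   /* Linux spelling; FreeBSD has MAP_ANON */
#endif

struct race_result {
    long fixed_enomem;   /* MAP_FIXED remaps that failed with ENOMEM */
    long steal_hits;     /* hinted PROT_NONE mmaps that were granted the contested address */
    int  setup_failed;   /* initial mmap or pthread_create failed */
};

struct race_ctx {
    void *addr;                  /* the contested region */
    size_t len;
    long iterations;             /* how many MAP_FIXED replacements the first thread does */
    atomic_int stop;
    struct race_result res;
};

/* First thread's loop: replace the mapping with a fresh writable one and
 * write to it, like rtld does when it maps an ELF object over a reserved
 * region. On an affected kernel the memset can fault if the thief won. */
static void remapper(struct race_ctx *c)
{
    for (long i = 0; i < c->iterations; i++) {
        void *p = mmap(c->addr, c->len, PROT_READ | PROT_WRITE,
                       MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
        if (p == MAP_FAILED) {
            if (errno == ENOMEM)
                c->res.fixed_enomem++;   /* the "returns -1" case from the report */
            continue;
        }
        memset(p, 0x41, c->len);         /* must be writable if the remap was atomic */
    }
    atomic_store(&c->stop, 1);
}

/* Second thread: keep asking for a PROT_NONE mapping at the contested
 * address. Without MAP_FIXED a correct kernel never returns that address
 * while the first thread's mapping exists; a remove-then-find implementation
 * can hand it out in between. */
static void *thief(void *arg)
{
    struct race_ctx *c = arg;
    while (!atomic_load(&c->stop)) {
        void *p = mmap(c->addr, c->len, PROT_NONE, MAP_ANON | MAP_PRIVATE, -1, 0);
        if (p == MAP_FAILED)
            continue;
        if (p == c->addr) {
            c->res.steal_hits++;         /* leave it in place so the remapper sees it */
            continue;
        }
        munmap(p, c->len);               /* landed elsewhere, as it should; clean up */
    }
    return NULL;
}

/* Runs the race: maps the region, starts the thief, loops the remapper in the
 * calling thread, then reports what was observed. All counters are 0 on a
 * kernel whose MAP_FIXED replacement is atomic. */
struct race_result run_mmap_fixed_race(long iterations)
{
    struct race_ctx c;
    memset(&c, 0, sizeof c);
    atomic_init(&c.stop, 0);
    c.len = (size_t)sysconf(_SC_PAGESIZE) * 4;
    c.iterations = iterations;

    c.addr = mmap(NULL, c.len, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
    if (c.addr == MAP_FAILED) {
        c.res.setup_failed = 1;
        return c.res;
    }
    pthread_t tid;
    if (pthread_create(&tid, NULL, thief, &c) != 0) {
        munmap(c.addr, c.len);
        c.res.setup_failed = 1;
        return c.res;
    }
    remapper(&c);                        /* sets c.stop when done */
    pthread_join(tid, NULL);
    munmap(c.addr, c.len);
    return c.res;
}

int main(void)
{
    struct race_result r = run_mmap_fixed_race(20000);
    if (r.setup_failed) {
        perror("setup");
        return 1;
    }
    printf("MAP_FIXED ENOMEM: %ld, thief got the address: %ld\n",
           r.fixed_enomem, r.steal_hits);
    return (r.fixed_enomem || r.steal_hits) ? 2 : 0;
}
```

Build with `cc -pthread race.c -o race`. A clean run (exit status 0, both counters 0) on a given kernel is not a proof that the remap is atomic, only that the window was not hit in 20000 iterations; a SIGSEGV inside memset, a non-zero count, or an ENOMEM from a MAP_FIXED call over a region the process already owns is the bug the report describes.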