Date:      Sun, 30 May 1999 17:40:39 -0500 (CDT)
From:      toasty@dragondata.com
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/11948: mmaping memory device, then forking causes negative rss
Message-ID:  <199905302240.RAA83486@nfs.dragondata.com>


>Number:         11948
>Category:       kern
>Synopsis:       mmaping memory device, then forking causes negative rss
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 30 15:50:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Kevin Day
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
DragonData Internet Services, Inc.
>Environment:

3.1 or 4.0 system, with some mmapable device (/dev/mem or similar)

>Description:

When mmap'ing a device, then forking, the resident size of the child process
becomes negative.


>How-To-Repeat:

1.c:
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/mman.h>

int main(void) {
    int k;
    char *low1mb;
    int devmem;

    /* Map the first 8 MB of physical memory through the memory device. */
    devmem = open("/dev/mem", O_RDWR);
    low1mb = (char *)mmap(0, 0x800000, (PROT_READ | PROT_WRITE), MAP_INHERIT | MAP_SHARED, devmem, 0);

    printf("Starting 2...\n");
    /* Fork with the device mapping in place; the child then execs ./2. */
    if (rfork(RFCFDG|RFPROC)) {
        usleep(100);
    } else {
        k = execl("./2", "2", (char *) 0);
        if (k) {
            printf("io returned %d errno %d\n", k, errno);
        }
        _exit(0);
    }

    return 0;
}




2.c:

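#include <unistd.h>

/* Child image: sleep forever so its accounting can be inspected with top/ps. */
int main(void) {
    while (1)
        sleep(10000);
}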



Compile, and run '1'.

top shows:


  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
  899 root      10   0   748K 32760M nanslp   0:00  0.00%  0.00% 2


ps shows:

root     899  0.0 53622.9   748 -7960  p1  I     6:14AM   0:00.00 2
0   899     1   0  10  0   748 -7960 nanslp I     p1    0:00.00 2



Repeatedly doing this will cause the kernel to panic with "panic: multiple
frees".


>Fix:

I couldn't find a fix for this within an hour of looking, and had to move
on. This appeared between 3.0 and 3.1, so it shouldn't be *too* hard to
find. :)



Kevin

>Release-Note:
>Audit-Trail:
>Unformatted:
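
As an added example (not part of the original report or of FreeBSD), the symptom above can be checked for mechanically: a resident size that is negative, or larger than the process's virtual size, is an accounting error. The function names and the sample rows are assumptions made for illustration; the input is assumed to have the column layout of `ps -axo pid,vsz,rss,comm`.

```shell
#!/bin/sh
# Added example, not from the PR: flag impossible resident-set accounting.
# Input: rows shaped like `ps -axo pid,vsz,rss,comm` output (sizes in KB).
check_rss() {
    awk '
        # Skip the header and any row whose size columns are not integers.
        $2 !~ /^[0-9]+$/ || $3 !~ /^-?[0-9]+$/ { next }
        # Assumption: rows with VSZ 0 are kernel processes; skip them.
        $2 == 0 { next }
        # A resident size below zero is the symptom shown by ps in the report.
        $3 < 0 { printf "%s %s negative-rss rss=%sK vsz=%sK\n", $1, $4, $3, $2; next }
        # A resident size above the virtual size is the form top displayed.
        $3 > $2 { printf "%s %s rss-exceeds-vsz rss=%sK vsz=%sK\n", $1, $4, $3, $2 }
    '
}

# Constructed sample rows: pid 899 uses the SIZE/RSS values quoted in the
# report; the other rows are made up for illustration.
sample_ps() {
    cat <<'EOF'
  PID   VSZ      RSS COMMAND
    0     0       40 kernel
    1   528      312 init
  899   748    -7960 2
  900   748 33546472 2
EOF
}

sample_ps | check_rss
# On a live system: ps -axo pid,vsz,rss,comm | check_rss
```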

