Date: Sat, 22 Nov 2025 20:45:32 +0200
From: Konstantin Belousov
To: Michal Meloun
Cc: FreeBSD Current
Subject: Re: mmap( MAP_ANON) is broken on current. (was Still seeing Failed assertion: "p[i] == 0" on armv7 buildworld)
References: <07201c46-6fb4-4514-aa88-490830edb010@freebsd.org> <603e75f8-7064-4fca-8520-282331c20ec0@freebsd.org>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Sat, Nov 22, 2025 at 07:01:03PM +0100, Michal Meloun wrote:
> > Would you please gather the same debugging info, with this patch applied?
> Oops, sorry.
> In the meantime, the next round with the vm_map patch finished successfully.

It was still the case of coalescing the previous entry and the mapping.
It is weird: the patch ensures that there are no pages in the object backing
the new region, and due to the ensured properties of the object, there should
be no way to create pages under us.

I am almost sure that the provided patch is correct, but there might be some
additional cases that I miss.

Please apply the following debugging patch; it includes the vm_object part.
Instead of allowing the corruption in userspace, the kernel should panic now.
Can you confirm that?

diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c index 6b09552c5fee..76808b5ad7f1 100644 --- a/sys/vm/vm_map.c +++ b/sys/vm/vm_map.c
@@ -1743,6 +1743,27 @@ vm_map_insert1(vm_map_t map, vm_object_t object, vm_ooffset_t offset, (vm_size_t)(prev_entry->end - prev_entry->start), (vm_size_t)(end - prev_entry->end), cred != NULL && (protoeflags & MAP_ENTRY_NEEDS_COPY) == 0)) { + vm_object_t obj = prev_entry->object.vm_object; + if (obj != NULL) { + struct pctrie_iter pages; + vm_page_t p; + + vm_page_iter_init(&pages, obj); + p = vm_radix_iter_lookup_ge(&pages, + OFF_TO_IDX(prev_entry->offset + + prev_entry->end - prev_entry->start)); + if (p != NULL) { + KASSERT(p->pindex >= OFF_TO_IDX(prev_entry->offset + + prev_entry->end - prev_entry->start + + end - start), + ("FOUND page %p pindex %#jx " + "e %#jx %#jx %#jx %#jx", + p, p->pindex, (uintmax_t)prev_entry->offset, + (uintmax_t)prev_entry->end, + (uintmax_t)prev_entry->start, + (uintmax_t)(end - start))); + } + } /* * We were able to extend the object. Determine if we * can extend the previous map entry to include the diff --git a/sys/vm/vm_object.c b/sys/vm/vm_object.c index 5b4517d2bf0c..9bb4e54edd96 100644 --- a/sys/vm/vm_object.c +++ b/sys/vm/vm_object.c @@ -2189,13 +2189,19 @@ vm_object_coalesce(vm_object_t prev_object, vm_ooffset_t prev_offset, next_size >>= PAGE_SHIFT; next_pindex = OFF_TO_IDX(prev_offset) + prev_size; - if (prev_object->ref_count > 1 && - prev_object->size != next_pindex && + if (prev_object->ref_count > 1 || + prev_object->size != next_pindex || (prev_object->flags & OBJ_ONEMAPPING) == 0) { VM_OBJECT_WUNLOCK(prev_object); return (FALSE); } + KASSERT(next_pindex + next_size > prev_object->size, + ("vm_object_coalesce: " + "obj %p next_pindex %#jx next_size %#jx obj_size %#jx", + prev_object, (uintmax_t)next_pindex, (uintmax_t)next_size, + (uintmax_t)prev_object->size)); + /* * Account for the charge. */ 
@@ -2222,26 +2228,13 @@ vm_object_coalesce(vm_object_t prev_object, vm_ooffset_t prev_offset, * Remove any pages that may still be in the object from a previous * deallocation. */ - if (next_pindex < prev_object->size) { - vm_object_page_remove(prev_object, next_pindex, next_pindex + - next_size, 0); -#if 0 - if (prev_object->cred != NULL) { - KASSERT(prev_object->charge >= - ptoa(prev_object->size - next_pindex), - ("object %p overcharged 1 %jx %jx", prev_object, - (uintmax_t)next_pindex, (uintmax_t)next_size)); - prev_object->charge -= ptoa(prev_object->size - - next_pindex); - } -#endif - } + vm_object_page_remove(prev_object, next_pindex, next_pindex + + next_size, 0); /* * Extend the object if necessary. */ - if (next_pindex + next_size > prev_object->size) - prev_object->size = next_pindex + next_size; + prev_object->size = next_pindex + next_size; VM_OBJECT_WUNLOCK(prev_object); return (TRUE);
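Review bot: in the vm_map.c hunk (@@ -1743), the vm_page_iter_init()/vm_radix_iter_lookup_ge() walk over prev_entry->object.vm_object runs with that object unlocked: vm_object_coalesce() takes the object lock and drops it with VM_OBJECT_WUNLOCK(prev_object) before returning TRUE (visible in the vm_object.c hunks), so nothing holds obj here. Wrap the lookup and the KASSERT in VM_OBJECT_RLOCK(obj) / VM_OBJECT_RUNLOCK(obj) so the trie iteration is done under the lock it is defined for and a racing insertion cannot produce a misleading hit. A second point in the same hunk: the KASSERT's lower bound uses `end - start` as the size of the new range, while vm_object_coalesce() was passed `(vm_size_t)(end - prev_entry->end)`; the two agree only if prev_entry->end == start, which this hunk does not show, so using the same expression in both places (or asserting that equality) makes the check self-evidently consistent. Both additions compile away without INVARIANTS, so the kernel under test needs that option for the requested panic to occur.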
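Review bot: in the first vm_object.c hunk (@@ -2189), turning the `&&` chain into `||` means vm_object_coalesce() now refuses whenever ref_count > 1, whenever the new range does not start exactly at prev_object->size, or whenever OBJ_ONEMAPPING is clear, where previously it refused only when all three held at once; that is a much narrower rule and the condition should carry a comment saying so, because the "Remove any pages that may still be in the object from a previous deallocation" comment in the next hunk was written for the prev_object->size > next_pindex case that this condition now excludes. Also, once prev_object->size == next_pindex is guaranteed by the condition, the new KASSERT(next_pindex + next_size > prev_object->size) reduces to next_size > 0, so either assert next_size != 0 directly or note in its message that it documents the post-condition rather than checking the arithmetic.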
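Review bot: in the second vm_object.c hunk (@@ -2222), the comment above the size update still reads "Extend the object if necessary", but the assignment `prev_object->size = next_pindex + next_size;` is now unconditional, so change it to "Extend the object." The now-unconditional vm_object_page_remove(prev_object, next_pindex, next_pindex + next_size, 0) covers a range that, given the size == next_pindex check in the previous hunk, lies entirely beyond the object's current size; if it is kept deliberately as a belt-and-braces for this debugging run, a one-line comment saying so would stop a later reader from putting the removed `if (next_pindex < prev_object->size)` guard back. Dropping the `#if 0` charge-accounting block is fine, it was dead code.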