Bug 25603

Summary: mmap + fork = panic: vm_object_deallocate: object deallocated too may times: 0
Product: Base System
Reporter: Shingo Nishioka <nis>
Component: i386
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.2-RELEASE
Hardware: Any
OS: Any

Description Shingo Nishioka 2001-03-08 06:40:05 UTC
The code below causes a "panic: vm_object_deallocate: object deallocated too may times: 0".

How-To-Repeat: 
Compile and run the following code.

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>

int
main(void)
{
	const char *path = "foo.c";	/* any existing, readable file will do */
	int d;
	struct stat sb;
	void *p;
	size_t len;

	if ((d = open(path, O_RDONLY)) == -1) {
		perror(path);
		return 1;
	}

	if (fstat(d, &sb) == -1) {
		perror(path);
		return 1;
	}

	/* Map the whole file read-only with MAP_INHERIT, as in the report. */
	len = sb.st_size;
	if ((p = mmap(0, len, PROT_READ, MAP_INHERIT, d, 0)) == MAP_FAILED) {
		perror("mmap");
		return 1;
	}

	/* The fork is what triggers the panic: both processes now hold the mapping. */
	fork();

	return 0;
}
Comment 1 iedowse 2001-03-08 15:54:13 UTC
In message <200103080633.f286XnB02074@pc3.geta.hatoyama.hitachi.co.jp>, Shingo 
Nishioka writes:
>
>	The code below causes a "panic: vm_object_deallocate: object deallocated
> too may times: 0"

The following patch seems to solve this problem, though I have
no idea whether or not it is correct, and I've only done minimal
testing. It seems that when a shadow object is created in
vmspace_fork(), only one of the two object references gets
transferred to the shadow object. Matt? Anyone?

Ian

Index: vm_map.c
===================================================================
RCS file: /dump/FreeBSD-CVS/src/sys/vm/vm_map.c,v
retrieving revision 1.194
diff -u -r1.194 vm_map.c
--- vm_map.c	2001/02/04 06:19:28	1.194
+++ vm_map.c	2001/03/08 15:47:42
@@ -2155,6 +2155,10 @@
 					&old_entry->offset,
 					atop(old_entry->end - old_entry->start));
 				old_entry->eflags &= ~MAP_ENTRY_NEEDS_COPY;
+				/* Transfer the original reference too. */
+				vm_object_reference(
+				    old_entry->object.vm_object);
+				vm_object_deallocate(object);
 				object = old_entry->object.vm_object;
 			}
 			vm_object_clear_flag(object, OBJ_ONEMAPPING);
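Review bot: the new comment "Transfer the original reference too." undersells what the four added lines do; since the cover text says two references exist on the pre-shadow object and vm_object_shadow() moved only one of them, say that directly, e.g. "vm_object_shadow() moved one of our two references to the shadow; move the second one (the one the cloned entry will hold) as well." Two ordering facts are load-bearing and deserve a word in that comment: `object` must still name the pre-shadow object when `vm_object_deallocate(object);` runs, and it only does because the existing `object = old_entry->object.vm_object;` comes after the new lines, so the pair cannot be moved below it; and `vm_object_reference(old_entry->object.vm_object);` must precede the deallocate so the shadow's count already covers the second entry before the old object's count is touched. A check that would make the "seems to solve this problem" in the cover text firmer: after this block the shadow's ref_count should equal the number of map entries that point at it once the child's entry is cloned, and the old object's count should be back to where it was before the second reference was taken; an assertion on both in a test kernel would confirm the accounting rather than only the absence of the panic.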
Comment 2 iedowse 2001-03-09 18:28:34 UTC
State Changed
From-To: open->closed

Fixed in revision 1.195 of sys/vm/vm_map.c. Thanks for the bug report!
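The accounting Ian describes in Comment 1 (two references on the object, only one moved to the shadow, so the shadow ends up with a single reference for two map entries) can be walked through in a small user-space model. This is an added illustration, not FreeBSD's VM code and not part of the bug report: the struct and function names are borrowed from the kernel for readability, vm_object_shadow() is reduced to its reference bookkeeping, and the model assumes, as Ian's wording implies, that a second reference was already taken on the object for the child's entry before the shadow is created. Running with with_fix = 0 reproduces the sequence that ends in a deallocate on a zero count (the panic); with_fix = 1 adds the two lines from the patch.

```c
/* Added model of the reference accounting Ian describes in Comment 1.  Not
 * FreeBSD code: the kernel's names are borrowed for readability only. */
#include <stdio.h>
#include <string.h>

struct vm_object { int ref_count; struct vm_object *backing_object; int freed; };

/* needs_copy stands in for MAP_ENTRY_NEEDS_COPY. */
struct vm_map_entry { struct vm_object *object; int needs_copy; };

/* shadow_refs: shadow's count right after the fork; exit_panics: model hits of
 * "deallocated too many times" at exit; leaked: original object never freed. */
struct outcome { int shadow_refs, exit_panics, leaked; };

static struct vm_object pool[4];	/* fixed pool: no malloc, no use-after-free */
static int pool_used;
static int panics;

static struct vm_object *vm_object_allocate(void)
{
	struct vm_object *o = &pool[pool_used++];
	memset(o, 0, sizeof(*o));
	o->ref_count = 1;		/* the reference held by the requester */
	return (o);
}

static void vm_object_reference(struct vm_object *o) { o->ref_count++; }

static void vm_object_deallocate(struct vm_object *o)
{
	if (o->ref_count <= 0) { panics++; return; }	/* the kernel panics here */
	if (--o->ref_count == 0) {
		o->freed = 1;
		if (o->backing_object != NULL)
			vm_object_deallocate(o->backing_object);
	}
}

/* Model of vm_object_shadow(): the caller's reference to the source now belongs
 * to the shadow's backing pointer (source count unchanged); the shadow starts
 * with the single reference held by the map entry that is updated. */
static void vm_object_shadow(struct vm_object **objp)
{
	struct vm_object *shadow = vm_object_allocate();
	shadow->backing_object = *objp;
	*objp = shadow;
}

/* Model of the VM_INHERIT_SHARE path in vmspace_fork().  Assumes, as Ian's
 * wording implies, that a second reference is taken on the object for the
 * child's entry before the shadow is created.  with_fix adds the patch lines. */
static void fork_share_entry(struct vm_map_entry *old_entry,
    struct vm_map_entry *new_entry, int with_fix)
{
	struct vm_object *object = old_entry->object;
	vm_object_reference(object);	/* second reference: the child's */
	if (old_entry->needs_copy) {
		vm_object_shadow(&old_entry->object);
		old_entry->needs_copy = 0;
		if (with_fix) {
			/* Move the child's reference from the old object to the shadow. */
			vm_object_reference(old_entry->object);
			vm_object_deallocate(object);
		}
		object = old_entry->object;
	}
	*new_entry = *old_entry;	/* the child's entry now shares object */
}

/* Fork one entry, then let both processes exit (each drops its reference). */
static struct outcome run(int with_fix)
{
	struct vm_map_entry parent, child;
	struct vm_object *orig;
	struct outcome out;
	pool_used = 0;
	panics = 0;
	orig = parent.object = vm_object_allocate();
	parent.needs_copy = 1;
	fork_share_entry(&parent, &child, with_fix);
	out.shadow_refs = parent.object->ref_count;	/* 1 without the fix, 2 with */
	vm_object_deallocate(parent.object);		/* parent exits */
	vm_object_deallocate(child.object);		/* child exits */
	out.exit_panics = panics;
	out.leaked = !orig->freed;
	return (out);
}

int main(void)
{
	for (int f = 0; f <= 1; f++) {
		struct outcome o = run(f);
		printf("%s fix: shadow refs %d, panics at exit %d, original leaked %d\n",
		    f ? "with" : "without", o.shadow_refs, o.exit_panics, o.leaked);
	}
	return (0);
}
```

Without the fix the shadow is created with one reference while both the parent's and the cloned child's entry point at it, so the second exit hits a zero count (the model's stand-in for the panic) and the original object keeps a reference nobody will ever drop. With the patch's two lines the shadow carries one reference per entry and the original object's extra reference is returned, so both objects are released exactly once.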