Download raw body.
Detect `wired_count' wraparound earlier
The wraparound bug is still alive and hit by syzkaller:
https://syzkaller.appspot.com/bug?extid=db99726653fba0697bd8
I'd like to be sure that the amap_copy() in uvm_map_pageable_wire() is not
responsible for inserting a new entry with a `wired_count' of 0.
ok?
Index: uvm/uvm_map.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_map.c,v
diff -u -p -r1.354 uvm_map.c
--- uvm/uvm_map.c 11 Feb 2026 22:34:40 -0000 1.354
+++ uvm/uvm_map.c 13 Feb 2026 11:22:39 -0000
@@ -2151,6 +2151,7 @@ uvm_map_pageable_wire(struct vm_map *map
first->protection == PROT_NONE)
continue;
+ KASSERT(first->wired_count >= 1);
first->wired_count--;
if (!VM_MAPENT_ISWIRED(first)) {
uvm_fault_unwire_locked(map,
@@ -2165,6 +2166,7 @@ uvm_map_pageable_wire(struct vm_map *map
iter->protection == PROT_NONE)
continue;
+ KASSERT(iter->wired_count >= 1);
iter->wired_count--;
}
Detect `wired_count' wraparound earlier