Download raw body.
Detect `wired_count' wraparound earlier
On Tue, Feb 17, 2026 at 09:31:02AM +0100, Martin Pieuchot wrote:
> The wraparound bug is still alive and hit by syzkaller:
> https://syzkaller.appspot.com/bug?extid=db99726653fba0697bd8
>
> I'd like to be sure that the amap_copy() in uvm_map_pageable_wire() is not
> responsible for inserting a new entry with a `wired_count' of 0.
>
> ok?
sure. If this helps to find this error. If it does not trigger then we
should revert this diff at a later stage.
> Index: uvm/uvm_map.c
> ===================================================================
> RCS file: /cvs/src/sys/uvm/uvm_map.c,v
> diff -u -p -r1.354 uvm_map.c
> --- uvm/uvm_map.c 11 Feb 2026 22:34:40 -0000 1.354
> +++ uvm/uvm_map.c 13 Feb 2026 11:22:39 -0000
> @@ -2151,6 +2151,7 @@ uvm_map_pageable_wire(struct vm_map *map
> first->protection == PROT_NONE)
> continue;
>
> + KASSERT(first->wired_count >= 1);
> first->wired_count--;
> if (!VM_MAPENT_ISWIRED(first)) {
> uvm_fault_unwire_locked(map,
> @@ -2165,6 +2166,7 @@ uvm_map_pageable_wire(struct vm_map *map
> iter->protection == PROT_NONE)
> continue;
>
> + KASSERT(iter->wired_count >= 1);
> iter->wired_count--;
> }
>
>
>
--
:wq Claudio
Detect `wired_count' wraparound earlier