From: Martin Pieuchot <mpi@grenadille.net>
Subject: Detect `wired_count' wraparound earlier
To: tech@openbsd.org
Date: Tue, 17 Feb 2026 09:31:02 +0100

The wraparound bug is still alive and hit by syzkaller:
  https://syzkaller.appspot.com/bug?extid=db99726653fba0697bd8

I'd like to be sure that the amap_copy() in uvm_map_pageable_wire() is not
responsible for inserting a new entry with a `wired_count' of 0.

ok?

Index: uvm/uvm_map.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_map.c,v
diff -u -p -r1.354 uvm_map.c
--- uvm/uvm_map.c	11 Feb 2026 22:34:40 -0000	1.354
+++ uvm/uvm_map.c	13 Feb 2026 11:22:39 -0000
@@ -2151,6 +2151,7 @@ uvm_map_pageable_wire(struct vm_map *map
 			    first->protection == PROT_NONE)
 				continue;
 
+			KASSERT(first->wired_count >= 1);
 			first->wired_count--;
 			if (!VM_MAPENT_ISWIRED(first)) {
 				uvm_fault_unwire_locked(map,
@@ -2165,6 +2166,7 @@ uvm_map_pageable_wire(struct vm_map *map
 			    iter->protection == PROT_NONE)
 				continue;
 
+			KASSERT(iter->wired_count >= 1);
 			iter->wired_count--;
 		}