From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: Re: Detect `wired_count' wraparound earlier
To: tech@openbsd.org
Date: Tue, 17 Feb 2026 14:17:40 +0100

On Tue, Feb 17, 2026 at 09:31:02AM +0100, Martin Pieuchot wrote:
> The wraparound bug is still alive and hit by syzkaller:
>   https://syzkaller.appspot.com/bug?extid=db99726653fba0697bd8
> 
> I'd like to be sure that the amap_copy() in uvm_map_pageable_wire() is not
> responsible for inserting a new entry with a `wired_count' of 0.
> 
> ok?

sure. If this helps to find this error. If it does not trigger then we
should revert this diff at a later stage.
 
> Index: uvm/uvm_map.c
> ===================================================================
> RCS file: /cvs/src/sys/uvm/uvm_map.c,v
> diff -u -p -r1.354 uvm_map.c
> --- uvm/uvm_map.c	11 Feb 2026 22:34:40 -0000	1.354
> +++ uvm/uvm_map.c	13 Feb 2026 11:22:39 -0000
> @@ -2151,6 +2151,7 @@ uvm_map_pageable_wire(struct vm_map *map
>  			    first->protection == PROT_NONE)
>  				continue;
>  
> +			KASSERT(first->wired_count >= 1);
>  			first->wired_count--;
>  			if (!VM_MAPENT_ISWIRED(first)) {
>  				uvm_fault_unwire_locked(map,
> @@ -2165,6 +2166,7 @@ uvm_map_pageable_wire(struct vm_map *map
>  			    iter->protection == PROT_NONE)
>  				continue;
>  
> +			KASSERT(iter->wired_count >= 1);
>  			iter->wired_count--;
>  		}
>  
> 
> 

-- 
:wq Claudio