From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: Detect `wired_count' wraparound earlier
To: tech@openbsd.org
Date: Tue, 17 Feb 2026 18:03:47 -0700

This is parked until another the uvm_lock_pageq problem is solved.

Martin Pieuchot <mpi@grenadille.net> wrote:

> The wraparound bug is still alive and hit by syzkaller:
>   https://syzkaller.appspot.com/bug?extid=db99726653fba0697bd8
> 
> I'd like to be sure that the amap_copy() in uvm_map_pageable_wire() is not
> responsible for inserting a new entry with a `wired_count' of 0.
> 
> ok?
> 
> Index: uvm/uvm_map.c
> ===================================================================
> RCS file: /cvs/src/sys/uvm/uvm_map.c,v
> diff -u -p -r1.354 uvm_map.c
> --- uvm/uvm_map.c	11 Feb 2026 22:34:40 -0000	1.354
> +++ uvm/uvm_map.c	13 Feb 2026 11:22:39 -0000
> @@ -2151,6 +2151,7 @@ uvm_map_pageable_wire(struct vm_map *map
>  			    first->protection == PROT_NONE)
>  				continue;
>  
> +			KASSERT(first->wired_count >= 1);
>  			first->wired_count--;
>  			if (!VM_MAPENT_ISWIRED(first)) {
>  				uvm_fault_unwire_locked(map,
> @@ -2165,6 +2166,7 @@ uvm_map_pageable_wire(struct vm_map *map
>  			    iter->protection == PROT_NONE)
>  				continue;
>  
> +			KASSERT(iter->wired_count >= 1);
>  			iter->wired_count--;
>  		}
>  
> 
>