Patch Name: PHKL_21925

Patch Description: s700 10.20 smmap, munmap, fcntl/mmap, mmap64 Fixes

Creation Date: 00/07/07

Post Date: 00/07/18

Repost: 01/07/19
    A problem has been discovered with superseding patch
    PHKL_24294. With PHKL_24294 installed, certain types of
    applications can cause system panics on PA2.0 architecture
    systems. PHKL_21925 does not exhibit this same behavior so
    it is being re-released until a replacement patch is
    available.

Hardware Platforms - OS Releases:
    s700: 10.20

Products: N/A

Filesets:
    OS-Core.CORE-KRN

Automatic Reboot?: Yes

Status: General Superseded

Critical:
    Yes
    PHKL_21925: PANIC
    PHKL_20605: PANIC

Path Name: /hp-ux_patches/s700/10.X/PHKL_21925

Symptoms:
    PHKL_21925:
    (SR: 8606136642 CR: JAGad05766)
    panic: "rmfree: overlap" when unmapping an mmap (shared
    mmf) segment.

    (SR: 8606146018 CR: JAGad15354)
    panic: "Data page fault" while trying to mmap maximum
    number of allowed pregions to a shared region.

    PHKL_20605:
    ( SR: 8606105836 CR: JAGab74182 )
    Data page fault panic in hdl_choose_protid().
    Stack trace looks like:
        panic+0x10
        report_trap_or_int_and_panic+0xe8
        trap+0x1054
        $RDB_trap_patch+0x20
        hdl_choose_protid+0xe4
        hdl_changerange_0xe4
        hdl_mprotect+0x404
        choose_shared_mmap_space+0x2c8
        choose_space+0xcc
        hdl_attach+0x1a4
        attachreg+0x88
        smmap_common+0x27c
        smmap+0x38
        syscall+0x1a4
        $syscallrtn+0x0

    ( SR: 8606110048 CR: JAGab82751 )
    Data page fault panic on multiprocessor system.
    Stack trace might look like:
        panic+0x10
        report_trap_or_int_and_panic+0xe8
        trap+0xa48
        $RDB_trap_patch+0x20
        hdl_range_same+0x68
        hdl_changerange+0x90
        hdl_mprotect+0x404
        choose_shared_mmap_space+0x268
        choose_space+0x9c
        hdl_attach+0x1a4
        attachreg+0x88
        smmap_common+0x728
        smmap+0x38
        syscall+0x1a4
    or
        panic+0x10
        report_trap_or_int_and_panic+0xe8
        trap+0xa48
        $call_trap+0x20
        hdl_range_same+0x68
        hdl_changerange+0x90
        hdl_mprotect+0x404
        do_shared_munmap+0xe8
        do_munmap+0x14c
        foreach_pregion+0xb8
        munmap+0x64
        syscall+0x1a4

    PHKL_19383:
    mmap64(2) returns an error when used to map portions of a
    file beyond the 2 GB file offset.

    PHKL_16880:
    It is possible for "munmap" to unexpectedly release the
    lock that is obtained from "fcntl". The application may
    experience unexpected behavior because of this. This patch
    rectifies that behavior.

Defect Description:
    PHKL_21925:
    (SR: 8606146018 CR: JAGad15354)
    The defect is due to a race condition in mmap(2) code which
    was using a recursive algorithm to map all of the file. A
    lock was being dropped and reacquired each time the
    algorithm recursed. While trying to do an attach operation,
    we drop the reglock() before we are done in the routine
    hdl_mmf_attach(), as it was a recursive routine. Since
    hdl_mmf_attach() is a recursive routine, there can be a
    race condition between someone doing an attach operation
    and another process doing a detach/munmap operation. The
    fix is not to drop the reglock before being done with the
    attach operation, thus removing the potential race
    conditions with someone doing a detach/munmap operation.

    Resolution:
    This patch fixes the recursive hdl_mmf_attach() problem
    causing mmap/munmap MP race conditions.

    (SR: 8606146018 CR: JAGad15354)
    The system panics while trying to mmap() more than the
    maximum allowed limit of pregions to a shared region
    (limited by r_refcnt, which is of type ushort). This was
    caused by r_refcnt overflow which caused it to reset.
    If a program mmaps more than this limit, the counter
    r_refcnt overflows, which causes the system to panic. The
    fix is to check for the overflow and return ENOMEM.

    Resolution:
    This patch ensures that we check for the maximum limit of
    pregions attached to a region, and if that is reached we
    return ENOMEM.

    PHKL_20605:
    ( SR: 8606105836 CR: JAGab74182 )
    When removing a pregion from a region's pregion list, the
    appropriate pregion structure field was not always cleared.

    Resolution:
    This patch ensures that the pregion structure is properly
    updated when we remove it from a region's pregion list.

    ( SR: 8606110048 CR: JAGab82751 )
    A multiprocessor race condition between mmap/munmap
    resulted in attempting to access a subpregion before it had
    been initialized.

    Resolution:
    This patch ensures we initialize the subpregion before
    attempting to access it.

    PHKL_19383:
    mmap64(2) previously only supported file offsets up to
    2 GB.

    Resolution:
    The mmap64(2) system call has been enhanced to support file
    offsets up to 4 GB.

    PHKL_16880:
    To correct the problem, the associations between "memory
    mapped file" and the system-wide file table reference count
    are removed (i.e. the reference count is no longer stored
    in the system-wide file table; however, the vnode reference
    counter still gets updated on "mmap" and "munmap").

SR:
    1653270546 1653277004 8606105836 8606110048 8606136642
    8606146018

Patch Files:
    /usr/conf/lib/libhp-ux.a(hdl_policy.o)
    /usr/conf/lib/libhp-ux.a(vm_mmap.o)
    /usr/conf/lib/libhp-ux.a(vm_pregion.o)

what(1) Output:
    /usr/conf/lib/libhp-ux.a(hdl_policy.o):
        hdl_policy.c $Date: 2000/07/06 17:54:31 $ $Revision: 1.15.98.17 $ PATCH_10.20 (PHKL_21925)
    /usr/conf/lib/libhp-ux.a(vm_mmap.o):
        vm_mmap.c $Date: 2000/07/06 17:39:35 $ $Revision: 1.17.98.22 $ PATCH_10.20 (PHKL_21925)
    /usr/conf/lib/libhp-ux.a(vm_pregion.o):
        vm_pregion.c $Date: 2000/06/29 11:25:43 $ $Revision: 1.16.98.16 $ PATCH_10.20 (PHKL_21925)

cksum(1) Output:
    2041616040 10764 /usr/conf/lib/libhp-ux.a(hdl_policy.o)
    4002093950 22464 /usr/conf/lib/libhp-ux.a(vm_mmap.o)
    1687754910 12004 /usr/conf/lib/libhp-ux.a(vm_pregion.o)

Patch Conflicts: None

Patch Dependencies:
    s700: 10.20: PHKL_16750

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHKL_16880 PHKL_19383 PHKL_20605

Equivalent Patches:
    PHKL_21926:
    s800: 10.20

Patch Package Size: 110 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHKL_21925

    5a. For a standalone system, run swinstall to install the
        patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHKL_21925.depot

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHKL_21925. If you do not wish to retain a
    copy of the original software, you can create an empty file
    named /var/adm/sw/patch/PATCH_NOSAVE.

    WARNING: If this file exists when a patch is installed, the
             patch cannot be deinstalled. Please be careful
             when using this feature.

    It is recommended that you move the PHKL_21925.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHKL_21925.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    This patch depends on base patch PHKL_16750.
    For successful installation, please ensure that PHKL_16750
    is in the same depot with this patch, or PHKL_16750 is
    already installed.
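
The r_refcnt overflow described under Defect Description for PHKL_21925, as an added example (not HP-UX kernel source): a 16-bit attach counter that wraps to zero, beside an attach routine that checks the limit and returns ENOMEM. Only r_refcnt, its ushort type and the ENOMEM return come from the patch text; struct region, attach_unchecked, attach_checked, attach_many and the use of USHRT_MAX as the limit are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for a region; only r_refcnt is from the patch text. */
struct region {
    unsigned short r_refcnt;   /* pregions attached to this region */
};

/* Pre-patch behaviour as described: no limit check, counter wraps to 0. */
static int attach_unchecked(struct region *rp)
{
    rp->r_refcnt++;
    return 0;
}

/* Patched behaviour as described: refuse with ENOMEM at the maximum
 * (limit assumed here to be USHRT_MAX). */
static int attach_checked(struct region *rp)
{
    if (rp->r_refcnt == USHRT_MAX)
        return ENOMEM;
    rp->r_refcnt++;
    return 0;
}

/* Attach n pregions via the given routine; return the final count and
 * store the number of refused attaches in *refused. */
static unsigned attach_many(int (*attach)(struct region *),
                            unsigned long n, unsigned long *refused)
{
    struct region r = { 0 };
    unsigned long i;
    *refused = 0;
    for (i = 0; i < n; i++)
        if (attach(&r) != 0)
            (*refused)++;
    return r.r_refcnt;
}

int main(void)
{
    unsigned long refused, n = (unsigned long)USHRT_MAX + 1;
    unsigned got = attach_many(attach_unchecked, n, &refused);
    printf("unchecked: r_refcnt=%u refused=%lu\n", got, refused);
    got = attach_many(attach_checked, n, &refused);
    printf("checked:   r_refcnt=%u refused=%lu\n", got, refused);
    return 0;
}
```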