NetBSD Problem Report #57622
From martin@duskware.de Wed Sep 20 13:19:41 2023
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id E62A91A9238
for <gnats-bugs@gnats.NetBSD.org>; Wed, 20 Sep 2023 13:19:40 +0000 (UTC)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: memfd mmap does not work for requests < page size
X-Send-Pr-Version: 3.95
>Number: 57622
>Category: kern
>Synopsis: memfd mmap does not work for requests < page size
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Sep 20 13:20:01 +0000 2023
>Last-Modified: Sun Feb 22 17:30:02 +0000 2026
>Originator: Martin Husemann
>Release: NetBSD 10.99.8
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD thirdstage.duskware.de 10.99.8 NetBSD 10.99.8 (MODULAR) #666: Wed Sep 20 15:01:11 CEST 2023 martin@thirdstage.duskware.de:/usr/src/sys/arch/sparc64/compile/MODULAR sparc64
Architecture: sparc64
Machine: sparc64
>Description:
I noticed a new failing test in the sparc64 test runs:
tc-end: 1695216107.518483, seal_grow, failed, /usr/src/tests/kernel/t_memfd_create.c:270: Mmap failed unexpectedly (Invalid argument)
and tracked it down to the test writing 4096 byte to the memfd and then trying
to map that. On sparc64 the page size is 8k.
This makes the code sys/kern/sys_memfd.c line 352 fail:
if (*offp + size > mfd->mfd_size) {
error = EINVAL;
goto leave;
}
because mmap rounded up the requested size "size" to full pages already,
but mfd->mfd_size is smaller:
*offp: 0 + size: 8192 > mfd_size: 4096
>How-To-Repeat:
s/a
>Fix:
Adjust mfd_size to full pages and make sure the surplus bytes are zeroed?
Keep track of the number of pages separately from content size and make the
if test against the #pages?
>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/57622: memfd mmap does not work for requests < page size
Date: Thu, 21 Sep 2023 05:37:57 -0000 (UTC)
martin@NetBSD.org writes:
>This makes the code sys/kern/sys_memfd.c line 352 fail:
> if (*offp + size > mfd->mfd_size) {
> error = EINVAL;
> goto leave;
> }
>because mmap rounded up the requested size "size" to full pages already,
>>Fix:
>Adjust mfd_size to full pages and make sure the surplus bytes are zeroed?
>Keep track of the number of pages separately from content size and make the
>if test against the #pages?
mfd_size must stay as is to keep the correct "file" size for
read/write operations. The partial page must be zero filled when
mapped and that part of the page must not be "written back" in
case it gets modified.
From: Michael van Elst <mlelstv@serpens.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/57622: memfd mmap does not work for requests < page size
Date: Sun, 17 Mar 2024 09:51:05 +0100
Maybe this:
Index: sys/kern/sys_memfd.c
===================================================================
RCS file: /cvsroot/src/sys/kern/sys_memfd.c,v
retrieving revision 1.11
diff -p -u -r1.11 sys_memfd.c
--- sys/kern/sys_memfd.c 12 Aug 2023 23:22:49 -0000 1.11
+++ sys/kern/sys_memfd.c 17 Mar 2024 08:46:34 -0000
@@ -348,7 +348,7 @@ memfd_mmap(file_t *fp, off_t *offp, size
error = EINVAL;
goto leave;
}
- if (*offp + size > mfd->mfd_size) {
+ if (*offp + size < 0) {
error = EINVAL;
goto leave;
}
@@ -359,6 +359,12 @@ memfd_mmap(file_t *fp, off_t *offp, size
goto leave;
}
+ /* Zero fill end of partial page */
+ if (*offp + size > mfd->mfd_size) {
+ ubc_zerorange(mfd->mfd_uobj, mfd->mfd_size,
+ *offp + size - mfd->mfd_size, 0);
+ }
+
uao_reference(fp->f_memfd->mfd_uobj);
*uobjp = fp->f_memfd->mfd_uobj;
Greetings,
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
From: Robert Bagdan <kikadf.01@gmail.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/57622: memfd mmap does not work for requests < page size
Date: Sun, 22 Feb 2026 15:17:52 +0100
I encountered the same mmap() EINVAL error with Wayland cursor loading
on NetBSD 11.0_BETA/amd64.
In this case the requested size is 2304 (derived from the cursor size:
24 =C3=97 24 =C3=97 4).
The sequence is:
1) fd =3D memfd_create("wayland-cursor", MFD_CLOEXEC | MFD_ALLOW_SEALING
| MFD_NOEXEC_SEAL)
2) ftruncate(fd, size)
3) mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, pool->fd, 0)
The mmap() call memfd_mmap(), where:
KASSERT(*offp =3D=3D round_page(*offp));
KASSERT(size =3D=3D round_page(size));
and the following check then fails:
if (*offp + size > mfd->mfd_size) {
error =3D EINVAL;
goto leave;
}
where mfd_size is still 2304, while size is already rounded up to 4096.
--=20
Regards,
kikadf
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/57622: memfd mmap does not work for requests < page size
Date: Sun, 22 Feb 2026 14:46:52 -0000 (UTC)
gnats-admin@NetBSD.org ("Robert Bagdan via gnats") writes:
>The following reply was made to PR kern/57622; it has been noted by GNATS.
> The mmap() call memfd_mmap(), where:
>
> KASSERT(*offp =3D=3D round_page(*offp));
> KASSERT(size =3D=3D round_page(size));
>
> and the following check then fails:
>
> if (*offp + size > mfd->mfd_size) {
> error =3D EINVAL;
> goto leave;
> }
>
> where mfd_size is still 2304, while size is already rounded up to 4096.
Maybe this:
Index: sys/kern/sys_memfd.c
===================================================================
RCS file: /cvsroot/src/sys/kern/sys_memfd.c,v
retrieving revision 1.13
diff -p -u -r1.13 sys_memfd.c
--- sys/kern/sys_memfd.c 15 Nov 2025 19:02:26 -0000 1.13
+++ sys/kern/sys_memfd.c 22 Feb 2026 14:43:10 -0000
@@ -337,6 +337,7 @@ memfd_mmap(file_t *fp, off_t *offp, size
{
struct memfd *mfd = fp->f_memfd;
int error = 0;
+ size_t maxoff;
/* uvm_mmap guarantees page-aligned offset and size. */
KASSERT(*offp == round_page(*offp));
@@ -349,7 +350,9 @@ memfd_mmap(file_t *fp, off_t *offp, size
error = EINVAL;
goto leave;
}
- if (*offp + size > mfd->mfd_size) {
+
+ maxoff = round_page(mfd->mfd_size);
+ if (size > maxoff - *offp) {
error = EINVAL;
goto leave;
}
@@ -360,6 +363,12 @@ memfd_mmap(file_t *fp, off_t *offp, size
goto leave;
}
+ /* Zero fill end of partial page */
+ if (size > mfd->mfd_size - *offp) {
+ ubc_zerorange(mfd->mfd_uobj, mfd->mfd_size,
+ *offp + size - mfd->mfd_size, 0);
+ }
+
uao_reference(fp->f_memfd->mfd_uobj);
*uobjp = fp->f_memfd->mfd_uobj;
From: "Robert Bagdan" <kikadf@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57622 CVS commit: pkgsrc/devel/wayland
Date: Sun, 22 Feb 2026 15:33:14 +0000
Module Name: pkgsrc
Committed By: kikadf
Date: Sun Feb 22 15:33:14 UTC 2026
Modified Files:
pkgsrc/devel/wayland: Makefile distinfo
pkgsrc/devel/wayland/patches: patch-meson.build
Log Message:
wayland: workaround for cursor loading on NetBSD
Gdk-WARNING **: 16:00:11.681: Failed to load cursor theme default
Gdk:ERROR:../gdk/wayland/gdkdisplay-wayland.c:1195:_gdk_wayland_display_get_scaled_cursor_theme:
assertion failed: (display_wayland->cursor_theme_name)
PR kern/57622
To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 pkgsrc/devel/wayland/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/wayland/distinfo
cvs rdiff -u -r1.2 -r1.3 pkgsrc/devel/wayland/patches/patch-meson.build
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Robert Bagdan <kikadf.01@gmail.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/57622: memfd mmap does not work for requests < page size
Date: Sun, 22 Feb 2026 18:28:57 +0100
--000000000000eb0e5f064b6cfdde
Content-Type: text/plain; charset="UTF-8"
I tested your changes with the attached tester, and it works.
The output without changes:
$ ./mmap_test
mmap failed with size: 2304
mmap ok with size: 4096
mmap failed with size: 5000
mmap ok with size: 8192
With your changes:
$ ./mmap_test
mmap ok with size: 2304
mmap ok with size: 4096
mmap ok with size: 5000
mmap ok with size: 8192
Regards,
kikadf
--000000000000eb0e5f064b6cfdde
Content-Type: application/octet-stream; name="mmap_test.c"
Content-Disposition: attachment; filename="mmap_test.c"
Content-Transfer-Encoding: base64
Content-ID: <f_mly0rnke0>
X-Attachment-Id: f_mly0rnke0
I2RlZmluZSBfTkVUQlNEX1NPVVJDRQojaW5jbHVkZSA8c3RkaW8uaD4KI2luY2x1ZGUgPHN0ZGxp
Yi5oPgojaW5jbHVkZSA8c3lzL21tYW4uaD4KI2luY2x1ZGUgPHVuaXN0ZC5oPgojaW5jbHVkZSA8
ZmNudGwuaD4KI2luY2x1ZGUgPGVycm5vLmg+CiNpbmNsdWRlIDxzdHJpbmcuaD4KI2luY2x1ZGUg
PHN5cy90eXBlcy5oPgojaW5jbHVkZSA8c3lzL3N0YXQuaD4KCmludCBtYWluKHZvaWQpIHsKICAg
IGludCBzaXplc1tdID0geyAyMzA0LCA0MDk2LCA1MDAwLCA4MTkyIH07CiAgICBpbnQgZmQ7CiAg
ICB2b2lkICpwdHI7CgogICAgZm9yIChpbnQgaSA9IDA7IGkgPCA0OyBpKyspIHsKICAgICAgICBm
ZCA9IG1lbWZkX2NyZWF0ZSgidGVzdC1tZW1mZCIsIE1GRF9DTE9FWEVDIHwgTUZEX0FMTE9XX1NF
QUxJTkcpOwogICAgICAgIGlmIChmZCA8IDApIHsKICAgICAgICAgICAgcGVycm9yKCJtZW1mZF9j
cmVhdGUiKTsKICAgICAgICAgICAgcmV0dXJuIDE7CiAgICAgICAgfQoKICAgICAgICBpZiAoZnRy
dW5jYXRlKGZkLCBzaXplc1tpXSkgPCAwKSB7CiAgICAgICAgICAgIHBlcnJvcigiZnRydW5jYXRl
Iik7CiAgICAgICAgICAgIGNsb3NlKGZkKTsKICAgICAgICAgICAgcmV0dXJuIDE7CiAgICAgICAg
fQoKICAgICAgICBwdHIgPSBtbWFwKE5VTEwsIHNpemVzW2ldLCBQUk9UX1JFQUQgfCBQUk9UX1dS
SVRFLCBNQVBfU0hBUkVELCBmZCwgMCk7CiAgICAgICAgaWYgKHB0ciA9PSBNQVBfRkFJTEVEKSB7
CiAgICAgICAgICAgICBwcmludGYoIm1tYXAgZmFpbGVkIHdpdGggc2l6ZTogJWRcbiIsIHNpemVz
W2ldKTsKICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgcHJpbnRmKCJtbWFwIG9rIHdpdGgg
c2l6ZTogJWRcbiIsIHNpemVzW2ldKTsKICAgICAgICAgICAgIG11bm1hcChwdHIsIHNpemVzW2ld
KTsKICAgICAgICB9CgogICAgICAgIGNsb3NlKGZkKTsKICAgIH0KCiAgICByZXR1cm4gMDsKfQo=
--000000000000eb0e5f064b6cfdde--
(Contact us)
$NetBSD: query-full-pr,v 1.49 2026/05/14 01:52:41 riastradh Exp $
$NetBSD: gnats_config.sh,v 1.10 2026/05/13 22:00:09 riastradh Exp $
Copyright © 1994-2026
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home