Subject: file reference count (f_count) > 127 crashes system
Index:	include/sys/file.h 2.11BSD

Description:
	If sufficient references to an open file are made, the system will
	crash with a 'panic("sleep")'. The problem is the comparison (in
	closef() - kern_descrip.c) against 1: "if (fp->f_count > 1) ...".
	If the reference count exceeds 127 the signed comparison fails and
	the file structure is marked as free even though there are
	outstanding references to the structure.

Repeat-By:
	I was able to reproduce this problem with a /etc/printcap file
	having somewhere between 200 and 300 entries. 'lpd' attempts to
	fork a child process for each entry. If there are sufficient proc
	table entries to allow more than 127 'lpd' child processes to be
	started then the reference count on the file descriptor for
	/etc/printcap will go negative within the 'char' and the
	panic("sleep") will occur.

	The problem can also be demonstrated with fewer processes if the
	child processes have dup'd file descriptors.

Fix:
	The fix in this case is to make the reference count an
	'unsigned char'; this will prevent the crash from occurring until
	the count wraps around at 255/256. This *should* be sufficient for
	the foreseeable future; if not, then the only alternative is to
	take the space hit and widen the reference count to a 'short'.

-----------------------------------------------------------------
*** /sys/h/file.h.old Fri Apr 6 00:45:43 1990 --- /sys/h/file.h Wed Oct 23 19:13:04 1991 *************** *** 14,20 **** struct file { int f_flag; /* see below */ char f_type; /* descriptor type */ ! char f_count; /* reference count */ short f_msgcount; /* references from message queue */ union { caddr_t f_Data; --- 14,20 ---- struct file { int f_flag; /* see below */ char f_type; /* descriptor type */ ! u_char f_count; /* reference count */ short f_msgcount; /* references from message queue */ union { caddr_t f_Data;
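
Review bot: at the "u_char f_count" line the counter is still only 8 bits wide, so, as the description itself says, it wraps at 255/256; a 256th reference makes the field read back as 0 and the "f_count > 1" test in closef() fails again with references outstanding. Suggest either widening to a 'short' now, as the description offers (f_msgcount on the next line is already a short), or adding a limit check where the count is incremented so that the new reference is refused instead of wrapping. Changing the signedness also changes the result of any existing comparison of f_count against zero or a negative value, so the other users of the field should be checked, and the field comment could record the 255 limit.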
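
The wrap described in the report, modelled in user space as an added example (not code from the report or from 2.11BSD; all function names are hypothetical). It goes slightly beyond the report by also computing the limit for the 'short' alternative mentioned under Fix.

```c
#include <stdio.h>

/* Model of an f_count field of `width` bits. All names are hypothetical;
 * this is not the 2.11BSD source. */

/* Value the kernel sees when it reads the stored bits back. */
static long field_value(unsigned long bits, int width, int is_signed)
{
    unsigned long sign = 1UL << (width - 1);
    if (is_signed && (bits & sign))
        return (long)bits - (long)(sign << 1);   /* two's complement */
    return (long)bits;
}

/* The test quoted from closef(): "f_count > 1" means other references
 * remain, so the entry is kept. Returns 1 when the entry would be freed. */
static int close_frees(unsigned long bits, int width, int is_signed)
{
    return !(field_value(bits, width, is_signed) > 1);
}

/* Smallest number of live references (>= 2) at which a single close
 * frees the entry while the others are still outstanding. */
long first_bad_count(int width, int is_signed)
{
    unsigned long mask = (1UL << width) - 1;
    for (unsigned long refs = 2; refs <= mask + 2; refs++) {
        unsigned long bits = refs & mask;   /* refs increments from 0, wrapped */
        if (close_frees(bits, width, is_signed))
            return (long)refs;
    }
    return -1;
}

int main(void)
{
    printf("char   (signed, 8 bits):   %ld\n", first_bad_count(8, 1));
    printf("u_char (unsigned, 8 bits): %ld\n", first_bad_count(8, 0));
    printf("short  (signed, 16 bits):  %ld\n", first_bad_count(16, 1));
    return 0;
}
```
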