Date: Sun, 31 Mar 2002 20:41:40 -0800 (PST) From: Brian Buchanan <brian@ncircle.com> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/36605: [PATCH] vm_zone: zinitna failure leaves zlist corrupt Message-ID: <20020331204014.L9172-100000@thought.adamantsys.com>
next in thread | raw e-mail | index | archive | help
>Number: 36605
>Category: kern
>Synopsis: [PATCH] vm_zone: zinitna failure leaves zlist corrupt
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Mar 31 20:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Brian Buchanan <brian@ncircle.com>
>Release: FreeBSD 4.3-RELEASE i386
>Organization:
nCircle Network Securty, Inc.
>Environment:
System: FreeBSD 4.3-RELEASE i386
also believed to exist (but not tested) in 4-STABLE
not believed to exist in CURRENT, as current seems to have done away with
zlist
>Description:
This was discovered after patching a 4.3-RELEASE kernel with deltas
1.130.2.9 and 1.130.2.11. 1.130.2.11 results in the swap zone requested
being reduced in the case where the call to zinit fails.
Unfortunately, zinitna adds the vm_zone_t to the zlist linked list before
checking to see if the call to kmem_alloc_pageable (in the case of
ZONE_INTERRUPT zones) succeeds. On failure of kmem_alloc_pageable, zinitna
aborts immediately without cleaning up the list.
Also, I noticed that if zlist is empty, the first entry does not have
znext set to NULL, even though the memory came from malloc() and is
not initialized to zeros according to malloc(9).
Patch is included. It was made against 4.3-RELEASE, but should apply
cleanly to RELENG_4.
>How-To-Repeat:
Configure a machine with 4GB of RAM. Observe in dmesg:
Swap zone entries reduced from (something) to (something smaller).
Run "sysctl vm.zone"
Machine will panic or freeze up solid.
>Fix:
--- vm_zone.c.patch begins here ---
--- vm_zone.c.orig Mon Mar 25 12:18:12 2002
+++ vm_zone.c Mon Mar 25 12:21:28 2002
@@ -147,6 +147,7 @@
if (zlist == 0) {
zlist = z;
+ z->znext = 0;
} else {
z->znext = zlist;
zlist = z;
@@ -165,8 +166,10 @@
zone_kmem_kvaspace += totsize;
z->zkva = kmem_alloc_pageable(kernel_map, totsize);
- if (z->zkva == 0)
+ if (z->zkva == 0) {
+ zlist = z->znext;
return 0;
+ }
z->zpagemax = totsize / PAGE_SIZE;
if (obj == NULL) {
--- vm_zone.c.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020331204014.L9172-100000>