Date: Sun, 31 Mar 2002 20:41:40 -0800 (PST)
From: Brian Buchanan <brian@ncircle.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/36605: [PATCH] vm_zone: zinitna failure leaves zlist corrupt
Message-ID: <20020331204014.L9172-100000@thought.adamantsys.com>
>Number:         36605
>Category:       kern
>Synopsis:       [PATCH] vm_zone: zinitna failure leaves zlist corrupt
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 31 20:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Brian Buchanan <brian@ncircle.com>
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
nCircle Network Security, Inc.
>Environment:
System: FreeBSD 4.3-RELEASE i386

Also believed to exist (but not tested) in 4-STABLE.
Not believed to exist in CURRENT, as CURRENT seems to have done away with zlist.
>Description:
This was discovered after patching a 4.3-RELEASE kernel with deltas 1.130.2.9 and 1.130.2.11. 1.130.2.11 results in the swap zone requested being reduced in the case where the call to zinit fails.

Unfortunately, zinitna adds the vm_zone_t to the zlist linked list before checking to see if the call to kmem_alloc_pageable (in the case of ZONE_INTERRUPT zones) succeeds. On failure of kmem_alloc_pageable, zinitna aborts immediately without cleaning up the list.

Also, I noticed that if zlist is empty, the first entry does not have znext set to NULL, even though the memory came from malloc() and is not initialized to zeros according to malloc(9).

Patch is included. It was made against 4.3-RELEASE, but should apply cleanly to RELENG_4.
>How-To-Repeat:
Configure a machine with 4GB of RAM.
Observe in dmesg: Swap zone entries reduced from (something) to (something smaller).
Run "sysctl vm.zone".
Machine will panic or freeze up solid.
>Fix:
--- vm_zone.c.patch begins here --- --- vm_zone.c.orig Mon Mar 25 12:18:12 2002 +++ vm_zone.c Mon Mar 25 12:21:28 2002 @@ -147,6 +147,7 @@ if (zlist == 0) { zlist = z; + z->znext = 0; } else { z->znext = zlist; zlist = z; 
@@ -165,8 +166,10 @@ zone_kmem_kvaspace += totsize; z->zkva = kmem_alloc_pageable(kernel_map, totsize); - if (z->zkva == 0) + if (z->zkva == 0) { + zlist = z->znext; return 0; + } z->zpagemax = totsize / PAGE_SIZE; if (obj == NULL) { --- vm_zone.c.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
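Review bot: In the first hunk (@@ -147,6 +147,7 @@), the added `z->znext = 0;` fixes the uninitialised pointer in the `zlist == 0` branch, but after the change both branches do the same thing: when `zlist` is 0, `z->znext = zlist; zlist = z;` also leaves `znext` null. Consider dropping the `if (zlist == 0)` special case and keeping only `z->znext = zlist; zlist = z;`, which removes the path that forgot the initialisation in the first place. If the branch is kept, `0` matches the file's existing `zlist == 0` comparison, so no NULL/0 style inconsistency is introduced.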
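Review bot: In the second hunk (@@ -165,8 +166,10 @@), the `zlist = z->znext;` unlink is only correct because `z` was pushed at the head of `zlist` earlier in the same call and nothing can be inserted in between; that invariant is not visible at the unlink and deserves a one-line comment there. Also, `zone_kmem_kvaspace += totsize;` just above the allocation is still charged when `kmem_alloc_pageable()` returns 0, so the accounting is left inflated on the failure path; either move the increment below the check or subtract `totsize` next to `zlist = z->znext;`. A simpler alternative that avoids the unlink altogether is to defer linking `z` into `zlist` until after this allocation has succeeded.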
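The failure mode in this PR (a zone linked into zlist before its allocation is known to succeed, leaving a half-initialised node reachable from the list head) is easy to model in user space. The following is an added example, not the PR's patch or FreeBSD's vm_zone.c: it uses a constructed stand-in for kmem_alloc_pageable() that can be told to fail, and shows the ordering that sidesteps the cleanup problem entirely by allocating first and linking the zone only once nothing else can fail. The names zone_init, mock_alloc_pageable, zone_count and run_scenario are assumptions of this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal model of the zone list from the PR: a singly linked list headed
 * by zlist, where each new zone is pushed at the head. */
struct zone {
    const char *zname;
    void *zkva;          /* stands in for the kmem_alloc_pageable() result */
    struct zone *znext;
};

static struct zone *zlist = NULL;

/* Constructed stand-in for kmem_alloc_pageable(): fails once when asked to,
 * so the failure path can be exercised deterministically. */
static int fail_next_alloc = 0;

static void *mock_alloc_pageable(size_t size)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(size);
}

/* Reordered initialisation: do the allocation that can fail first, and link
 * the zone into zlist only after it succeeded. No unlink is ever needed, and
 * the empty-list case needs no special branch because zlist is NULL then. */
static int zone_init(struct zone *z, const char *name, size_t size)
{
    z->zname = name;
    z->znext = NULL;
    z->zkva = mock_alloc_pageable(size);
    if (z->zkva == NULL)
        return 0;            /* zlist untouched: nothing to clean up */
    z->znext = zlist;
    zlist = z;
    return 1;
}

/* Walk the list the way a sysctl vm.zone handler would and count entries;
 * every node reached must be fully initialised (non-NULL zkva). */
static int zone_count(void)
{
    int n = 0;
    for (struct zone *z = zlist; z != NULL; z = z->znext) {
        assert(z->zkva != NULL);
        n++;
    }
    return n;
}

/* Scenario: one good zone, one zone whose allocation fails, one more good
 * zone. Returns the number of entries a list walk finds; the failed zone
 * must not be reachable. Returns -1 if the init results are not as expected. */
static int run_scenario(void)
{
    static struct zone a, b, c;
    zlist = NULL;
    int ok_a = zone_init(&a, "zone-a", 4096);
    fail_next_alloc = 1;
    int ok_b = zone_init(&b, "zone-b", 4096);   /* allocation fails here */
    int ok_c = zone_init(&c, "zone-c", 4096);
    if (!ok_a || ok_b || !ok_c)
        return -1;
    int n = zone_count();
    free(a.zkva);
    free(c.zkva);
    return n;
}

int main(void)
{
    printf("zones reachable after a failed init: %d\n", run_scenario());
    return 0;
}
```

With the allocation moved ahead of the list insertion, the failed zone never becomes visible to a list walker, so a later sysctl vm.zone finds only the two fully initialised zones.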