From nobody@FreeBSD.org  Thu Mar 22 07:09:16 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id B021637B71E
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 22 Mar 2001 07:09:15 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f2MF9Fm35630;
	Thu, 22 Mar 2001 07:09:15 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200103221509.f2MF9Fm35630@freefall.freebsd.org>
Date: Thu, 22 Mar 2001 07:09:15 -0800 (PST)
From: andrew@nfr.net
To: freebsd-gnats-submit@FreeBSD.org
Subject: unchecked return in vm/swap_pager.c
X-Send-Pr-Version: www-1.0

>Number:         26000
>Category:       kern
>Synopsis:       unchecked return in vm/swap_pager.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    dwmalone
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 22 07:10:02 PST 2001
>Closed-Date:    Tue Mar 27 12:42:46 PST 2001
>Last-Modified:  Tue Mar 27 12:43:05 PST 2001
>Originator:     Andrew Lambeth
>Release:        4.1 and 4.2
>Organization:
NFR Security
>Environment:
FreeBSD better.andrew.creep.net 4.1-RELEASE FreeBSD 4.1-RELEASE #0: Thu Feb 22 10:10:45 EST 2001     andrew@better.andrew.creep.net:/usr/src/sys/compile/BETTER  i386


>Description:
There is an unchecked return from zinit() at line 307 in vm/swap_pager.c

This call will return NULL if kmem malloc limits have been increased beyond
a certain point (~800MB) by modifying the algorithm or limits in kmeminit().

It is unlikely that anyone would experience this in any normal situation,
still it seems like there should be a panic there.
>How-To-Repeat:
Increase kmem malloc limits to >800MB and boot the kernel.  It will run
fine until the first time it tries to page out, and then crash by
dereferencing the NULL pointer swap_zone.
>Fix:
Index: swap_pager.c
===================================================================
RCS file: /big/cvs/freebsd_sys_41/vm/swap_pager.c,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -r1.1.1.1 -r1.1.1.1.2.1
314a315,318
>       if(swap_zone == NULL) {
>               panic("swap_zone == NULL");
>       }
> 
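Review bot: the panic string in the added lines only repeats the tested condition ("swap_zone == NULL"), which gives nobody reading a crash dump a hint of where it fired; prefix it with the function name, e.g. `panic("swap_pager_swap_init: swap_zone == NULL");`, so the message is locatable without a source search. Two smaller points on the same hunk: `if(swap_zone == NULL)` should be `if (swap_zone == NULL)` per style(9), and the patch is an ed-style diff (`314a315,318`) against a private CVS path (`/big/cvs/freebsd_sys_41/...`) whose numbering does not match the line 307 cited in the description; a `diff -u` against the stock tree would let a committer apply it without guessing at the context.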

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->dwmalone 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Fri Mar 23 12:04:20 PST 2001 
Responsible-Changed-Why:  
I'll commit this as soon as I get the go ahead. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26000 

From: David Malone <dwmalone@maths.tcd.ie>
To: andrew@nfr.net
Cc: freebsd-gnats-submit@FreeBSD.org, jkh@FreeBSD.org
Subject: Re: kern/26000: unchecked return in vm/swap_pager.c
Date: Fri, 23 Mar 2001 20:03:32 +0000

 On Thu, Mar 22, 2001 at 07:09:15AM -0800, andrew@nfr.net wrote:
 
 > >Description:
 > There is an unchecked return from zinit() at line 307 in vm/swap_pager.c
 
 This seems to have been fixed in -current due to other work
 which has gone on there. The stable tree is currently in a
 code freeze, but I think a simple patch like this should be
 OK.
 
 Jordan - can I commit this now, or should I wait till after
 the freeze?
 
 	David.
 
 Index: swap_pager.c
 ===================================================================
 RCS file: /cvs/FreeBSD-CVS/src/sys/vm/swap_pager.c,v
 retrieving revision 1.130.2.7
 diff -u -r1.130.2.7 swap_pager.c
 --- swap_pager.c	2000/11/26 02:55:14	1.130.2.7
 +++ swap_pager.c	2001/03/23 20:01:12
 @@ -312,6 +312,8 @@
  	    ZONE_INTERRUPT, 
  	    1
  	);
 +	if (swap_zone == NULL)
 +		panic("swap_pager_swap_init: swap_zone == NULL");
  
  	/*
  	 * Initialize our meta-data hash table.  The swapper does not need to
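Review bot: the check is placed correctly, immediately after the zinit() call whose trailing arguments (`ZONE_INTERRUPT`, `1`) close on the preceding context lines, so a NULL return now fails loudly at init time instead of surfacing later as the NULL dereference of swap_zone on the first pageout that the PR describes. One suggestion on the message: it names the function but not the cause. Since the report ties this failure to raised kmem malloc limits in kmeminit(), a string such as `"swap_pager_swap_init: zinit failed (swap_zone == NULL)"` would let an operator who changed that tuning connect the panic to it without reading the source.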
State-Changed-From-To: open->closed 
State-Changed-By: dwmalone 
State-Changed-When: Tue Mar 27 12:42:46 PST 2001 
State-Changed-Why:  
Committed - thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26000 
>Unformatted:
