From brian@ncircle.com  Sun Mar 31 20:41:21 2002
Return-Path: <brian@ncircle.com>
Received: from thought.adamantsys.com (w120.z064002057.sjc-ca.dsl.cnc.net [64.2.57.120])
	by hub.freebsd.org (Postfix) with ESMTP id 8C99837B416
	for <freebsd-gnats-submit@freebsd.org>; Sun, 31 Mar 2002 20:41:15 -0800 (PST)
Received: from localhost (localhost.adamantsys.com [127.0.0.1])
	by thought.adamantsys.com (8.11.6/8.11.6) with ESMTP id g314fee17026
	for <freebsd-gnats-submit@freebsd.org>; Sun, 31 Mar 2002 20:41:41 -0800 (PST)
	(envelope-from brian@ncircle.com)
Message-Id: <20020331204014.L9172-100000@thought.adamantsys.com>
Date: Sun, 31 Mar 2002 20:41:40 -0800 (PST)
From: Brian Buchanan <brian@ncircle.com>
To: freebsd-gnats-submit@freebsd.org
Subject: [PATCH] vm_zone: zinitna failure leaves zlist corrupt

>Number:         36605
>Category:       kern
>Synopsis:       [PATCH] vm_zone: zinitna failure leaves zlist corrupt
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 31 20:50:01 PST 2002
>Closed-Date:    Mon Aug 12 16:41:04 PDT 2002
>Last-Modified:  Mon Aug 12 16:41:04 PDT 2002
>Originator:     Brian Buchanan <brian@ncircle.com>
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
nCircle Network Security, Inc.
>Environment:
System: FreeBSD 4.3-RELEASE i386

also believed to exist (but not tested) in 4-STABLE

not believed to exist in CURRENT, as current seems to have done away with
zlist

>Description:

This was discovered after patching a 4.3-RELEASE kernel with deltas
1.130.2.9 and 1.130.2.11.  1.130.2.11 results in the swap zone requested
being reduced in the case where the call to zinit fails.

Unfortunately, zinitna adds the vm_zone_t to the zlist linked list before
checking to see if the call to kmem_alloc_pageable (in the case of
ZONE_INTERRUPT zones) succeeds.  On failure of kmem_alloc_pageable, zinitna
aborts immediately without cleaning up the list.

Also, I noticed that if zlist is empty, the first entry does not have
znext set to NULL, even though the memory came from malloc() and is
not initialized to zeros according to malloc(9).

Patch is included.  It was made against 4.3-RELEASE, but should apply
cleanly to RELENG_4.
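
The list-ordering defect described above, modelled as a small user-space program (an added example, not code from the PR or from vm_zone.c): `zinitna_buggy` links the zone into `zlist` before the allocation and returns without unlinking on failure, `zinitna_fixed` mirrors the patch, and `fake_kmem_alloc`, the `zinit_fn` typedef and the `dead_zone_still_linked` scenario are constructed stand-ins for the kernel pieces.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of zinitna()'s zlist handling; not the FreeBSD code itself. */
struct vm_zone { char *zkva; struct vm_zone *znext; };  /* zkva: the kmem_alloc_pageable() result */
static struct vm_zone *zlist;                            /* global list head, as in vm_zone.c */
typedef int (*zinit_fn)(struct vm_zone *, size_t, int);
/* Stand-in for kmem_alloc_pageable(): returns NULL when told to fail. */
static char *fake_kmem_alloc(size_t size, int fail) { return fail ? NULL : malloc(size); }

/* Unpatched ordering: link into zlist first, return on failure without unlinking. */
static int zinitna_buggy(struct vm_zone *z, size_t size, int fail)
{
    if (zlist == NULL)
        zlist = z;              /* z->znext left as whatever malloc() handed back */
    else { z->znext = zlist; zlist = z; }
    z->zkva = fake_kmem_alloc(size, fail);
    return z->zkva != NULL;     /* on failure zlist still points at the dead zone */
}

/* Patched ordering: znext always set, head unlinked on failure. */
static int zinitna_fixed(struct vm_zone *z, size_t size, int fail)
{
    z->znext = zlist;           /* NULL when the list is empty */
    zlist = z;
    z->zkva = fake_kmem_alloc(size, fail);
    if (z->zkva == NULL) {
        zlist = z->znext;       /* z is the head, so this unlinks it */
        return 0;
    }
    return 1;
}

/* Scenario: optionally one good zone, then a zone whose allocation fails.
 * Returns 1 if the failed zone is still the list head afterwards, i.e. zlist
 * points at memory the caller is about to free, and a walk of the list (what
 * "sysctl vm.zone" does) would follow that pointer into freed or garbage memory. */
static int dead_zone_still_linked(zinit_fn init, int list_empty)
{
    struct vm_zone good, bad;
    memset(&good, 0, sizeof good);
    memset(&bad, 0xA5, sizeof bad);  /* garbage, like uninitialised malloc(9) memory */
    zlist = NULL;
    if (!list_empty) init(&good, 64, 0);
    init(&bad, 64, 1);
    int linked = (zlist == &bad);
    if (!list_empty) free(good.zkva);
    zlist = NULL;
    return linked;
}
```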

>How-To-Repeat:

Configure a machine with 4GB of RAM.  Observe in dmesg:

Swap zone entries reduced from (something) to (something smaller).

Run "sysctl vm.zone"

Machine will panic or freeze up solid.

>Fix:

--- vm_zone.c.patch begins here ---
--- vm_zone.c.orig	Mon Mar 25 12:18:12 2002
+++ vm_zone.c	Mon Mar 25 12:21:28 2002
@@ -147,6 +147,7 @@

 		if (zlist == 0) {
 			zlist = z;
+			z->znext = 0;
 		} else {
 			z->znext = zlist;
 			zlist = z;
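Review bot: with `z->znext = 0;` added to the empty-list branch, both branches of this `if` now reduce to `z->znext = zlist; zlist = z;` (zlist is 0 in the empty case), so the whole `if (zlist == 0) ... else ...` can be collapsed to those two unconditional lines; that removes the special case that let znext go uninitialised in the first place. A short comment noting that the zone memory comes from malloc(9) and is not zeroed would also explain why the assignment is needed.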
@@ -165,8 +166,10 @@
 		zone_kmem_kvaspace += totsize;

 		z->zkva = kmem_alloc_pageable(kernel_map, totsize);
-		if (z->zkva == 0)
+		if (z->zkva == 0) {
+			zlist = z->znext;
 			return 0;
+		}

 		z->zpagemax = totsize / PAGE_SIZE;
 		if (obj == NULL) {
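Review bot: the unlink `zlist = z->znext;` is only correct because zinitna always inserts z at the head of zlist, which is not visible in this hunk; a comment stating that assumption would keep a later change to the insertion order from silently breaking this error path. Also, `zone_kmem_kvaspace += totsize;` two lines above the kmem_alloc_pageable call is not reverted when the allocation fails, so the accounting stays inflated by totsize after a failed zinit; consider moving the increment below the `if (z->zkva == 0)` check or subtracting totsize before `return 0;`.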
--- vm_zone.c.patch ends here ---


>Release-Note:
>Audit-Trail:

From: Brian Buchanan <brian@ncircle.com>
To: <freebsd-gnats-submit@freebsd.org>
Cc:  
Subject: Re: kern/36605: [PATCH] vm_zone: zinitna failure leaves zlist corrupt
Date: Sun, 21 Jul 2002 10:36:06 -0700 (PDT)

 Although I do not have a 4GB machine handy to verify that a crash will
 occur, the root problem in src/sys/vm/vm_zone.c still appears in RELENG_4.
 Would someone mind reviewing and committing the supplied patch?
 
 Also, to clarify the original PR, the 1.130.2.9-1.130.2.11 delta that I
 had applied to 4.3-RELEASE to expose this bug should have referred to
 src/sys/vm/swap_pager.c.
 
 Thanks!
 
 - Brian
 
State-Changed-From-To: open->closed 
State-Changed-By: iedowse 
State-Changed-When: Mon Aug 12 16:39:49 PDT 2002 
State-Changed-Why:  

Committed in revision 1.30.2.5 of vm_zone.c, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=36605 
>Unformatted:
