From owner-freebsd-security Thu Sep 6 17:18:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from spitfire.velocet.net (spitfire.velocet.net [216.138.223.227]) by hub.freebsd.org (Postfix) with ESMTP id 0A2C837B406 for ; Thu, 6 Sep 2001 17:18:26 -0700 (PDT) Received: from nomad.tor.lets.net (H74.C220.tor.velocet.net [216.138.220.74]) by spitfire.velocet.net (Postfix) with SMTP id 4E08F44A922 for ; Thu, 6 Sep 2001 20:18:24 -0400 (EDT) Received: (qmail 44411 invoked by uid 1001); 7 Sep 2001 00:13:12 -0000 Date: Thu, 6 Sep 2001 20:13:12 -0400 From: Steve Shorter To: D J Hawkey Jr Cc: freebsd-security@freebsd.org Subject: Re: when mail full /tmp partition, system cracked Message-ID: <20010906201312.A44397@nomad.lets.net> References: <20010906104547.C56598_ns1.via-net-works.net.ar@ns.sol.net> <20010906152832.A44174_nomad.lets.net@ns.sol.net> <200109062058.f86KwES05430@fanbuzz.com.> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200109062058.f86KwES05430@fanbuzz.com.>; from hawkeyd@visi.com on Thu, Sep 06, 2001 at 03:58:14PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Sep 06, 2001 at 03:58:14PM -0500, D J Hawkey Jr wrote: > > No patch for the RELENG_4_3 tree in store, I take it? > > > -steve Actually, there is. I raised this issue, and got a patch from matt dillon for 4.3-SECURITY(RELEASE). This is the forwarded response below. -steve : :I am still interested in making a patch based on diffs from :4.3-STABLE and 4.3-SECURITY. Would this be easy to do or have there been a :lot of kernel changes that affect this issue. Is it good enough to look :at killproc() and vm_pagout.c or is there more to it than that. : : thanx - steve Sure. If you are comfortable building from a mod'd source tree, here is the relevant log and diff set. It should be very easy to patch in. -Matt dillon 2001/06/13 00:26:59 PDT Modified files: (Branch: RELENG_4) sys/vm vm_map.c vm_map.h vm_pageout.c Log: MFC the two out-of-swap fixes (kill the correct process and start blasting away at processes a little earlier, before the machine begins to lockup) Revision Changes Path 1.187.2.9 +36 -1 src/sys/vm/vm_map.c 1.54.2.2 +2 -1 src/sys/vm/vm_map.h 1.151.2.8 +9 -4 src/sys/vm/vm_pageout.c Index: vm_map.c =================================================================== RCS file: /home/ncvs/src/sys/vm/vm_map.c,v retrieving revision 1.187.2.8 retrieving revision 1.187.2.9 diff -u -r1.187.2.8 -r1.187.2.9 --- vm_map.c 2001/03/14 07:05:05 1.187.2.8 +++ vm_map.c 2001/06/13 07:26:58 1.187.2.9 @@ -61,7 +61,7 @@ * any improvements or extensions that they make and grant Carnegie the * rights to redistribute these changes. * - * $FreeBSD: src/sys/vm/vm_map.c,v 1.187.2.8 2001/03/14 07:05:05 dillon Exp $ + * $FreeBSD: src/sys/vm/vm_map.c,v 1.187.2.9 2001/06/13 07:26:58 dillon Exp $ */ /* @@ -218,6 +218,41 @@ zfree(vmspace_zone, vm); } } + +/* + * vmspace_swap_count() - count the approximate swap useage in pages for a + * vmspace. + * + * Swap useage is determined by taking the proportional swap used by + * VM objects backing the VM map. To make up for fractional losses, + * if the VM object has any swap use at all the associated map entries + * count for at least 1 swap page. + */ +int +vmspace_swap_count(struct vmspace *vmspace) +{ + vm_map_t map = &vmspace->vm_map; + vm_map_entry_t cur; + int count = 0; + + for (cur = map->header.next; cur != &map->header; cur = cur->next) { + vm_object_t object; + + if ((cur->eflags & MAP_ENTRY_IS_SUB_MAP) == 0 && + (object = cur->object.vm_object) != NULL && + object->type == OBJT_SWAP + ) { + int n = (cur->end - cur->start) / PAGE_SIZE; + + if (object->un_pager.swp.swp_bcount) { + count += object->un_pager.swp.swp_bcount * + SWAP_META_PAGES * n / object->size + 1; + } + } + } + return(count); +} + /* * vm_map_create: Index: vm_map.h =================================================================== RCS file: /home/ncvs/src/sys/vm/vm_map.h,v retrieving revision 1.54.2.1 retrieving revision 1.54.2.2 diff -u -r1.54.2.1 -r1.54.2.2 --- vm_map.h 2001/03/14 07:05:06 1.54.2.1 +++ vm_map.h 2001/06/13 07:26:58 1.54.2.2 @@ -61,7 +61,7 @@ * any improvements or extensions that they make and grant Carnegie the * rights to redistribute these changes. * - * $FreeBSD: src/sys/vm/vm_map.h,v 1.54.2.1 2001/03/14 07:05:06 dillon Exp $ + * $FreeBSD: src/sys/vm/vm_map.h,v 1.54.2.2 2001/06/13 07:26:58 dillon Exp $ */ /* @@ -375,6 +375,7 @@ void vm_freeze_copyopts __P((vm_object_t, vm_pindex_t, vm_pindex_t)); int vm_map_stack __P((vm_map_t, vm_offset_t, vm_size_t, vm_prot_t, vm_prot_t, int)); int vm_map_growstack __P((struct proc *p, vm_offset_t addr)); +int vmspace_swap_count __P((struct vmspace *vmspace)); #endif #endif /* _VM_MAP_ */ Index: vm_pageout.c =================================================================== RCS file: /home/ncvs/src/sys/vm/vm_pageout.c,v retrieving revision 1.151.2.7 retrieving revision 1.151.2.8 diff -u -r1.151.2.7 -r1.151.2.8 --- vm_pageout.c 2000/12/30 01:51:12 1.151.2.7 +++ vm_pageout.c 2001/06/13 07:26:58 1.151.2.8 @@ -65,7 +65,7 @@ * any improvements or extensions that they make and grant Carnegie the * rights to redistribute these changes. * - * $FreeBSD: src/sys/vm/vm_pageout.c,v 1.151.2.7 2000/12/30 01:51:12 dillon Exp $ + * $FreeBSD: src/sys/vm/vm_pageout.c,v 1.151.2.8 2001/06/13 07:26:58 dillon Exp $ */ /* @@ -1094,10 +1094,14 @@ } /* - * make sure that we have swap space -- if we are low on memory and - * swap -- then kill the biggest process. + * If we are out of swap and were not able to reach our paging + * target, kill the largest process. */ + if ((vm_swap_size < 64 && vm_page_count_min()) || + (swap_pager_full && vm_paging_target() > 0)) { +#if 0 if ((vm_swap_size < 64 || swap_pager_full) && vm_page_count_min()) { +#endif bigproc = NULL; bigsize = 0; for (p = allproc.lh_first; p != 0; p = p->p_list.le_next) { @@ -1119,7 +1123,8 @@ /* * get the process size */ - size = vmspace_resident_count(p->p_vmspace); + size = vmspace_resident_count(p->p_vmspace) + + vmspace_swap_count(p->p_vmspace); /* * if the this process is bigger than the biggest one * remember it. ----- End forwarded message ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message