Extend the struct vm_page wire_count to u_int to avoid the overflow

of the counter, which may happen when too many sendfile(2) calls are
being executed on this vnode [1].

To keep the size of the struct vm_page and offsets of the fields
accessed by out-of-tree modules, swap the types and locations
of the wire_count and cow fields. Add safety checks to detect cow
overflow and force fallback to the normal copy code for zero-copy
sockets. [2]

Reported by:	Anton Yuzhaninov <citrin citrin ru> [1]
Suggested by:	alc [2]
Reviewed by:	alc
MFC after:	2 weeks
This commit is contained in:
kib 2009-01-03 13:24:08 +00:00
parent b56f7e98e0
commit ac1b596fda
3 changed files with 14 additions and 6 deletions


@ -129,7 +129,11 @@ socow_setup(struct mbuf *m0, struct uio *uio)
* set up COW * set up COW
*/ */
vm_page_lock_queues(); vm_page_lock_queues();
vm_page_cowsetup(pp); if (vm_page_cowsetup(pp) != 0) {
vm_page_unhold(pp);
vm_page_unlock_queues();
return (0);
}
/* /*
* wire the page for I/O * wire the page for I/O
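Review bot: The new `if (vm_page_cowsetup(pp) != 0)` branch in socow_setup drops the hold and returns 0 with no comment saying why that is the correct outcome, so a reader has to consult the commit message to learn that 0 means "no zero-copy, caller copies". A one-line comment at the top of the block, `/* COW counter saturated: drop the hold and let the caller fall back to copying. */`, would make the fallback self-explanatory. The `vm_page_unhold(pp)` is correctly placed before `vm_page_unlock_queues()`, while the queue lock is still held. socow_setup's body begins and ends outside the hunk.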


@ -106,6 +106,7 @@ __FBSDID("$FreeBSD$");
#include <sys/systm.h> #include <sys/systm.h>
#include <sys/lock.h> #include <sys/lock.h>
#include <sys/kernel.h> #include <sys/kernel.h>
#include <sys/limits.h>
#include <sys/malloc.h> #include <sys/malloc.h>
#include <sys/mutex.h> #include <sys/mutex.h>
#include <sys/proc.h> #include <sys/proc.h>
@ -2112,13 +2113,16 @@ vm_page_cowclear(vm_page_t m)
*/ */
} }
void int
vm_page_cowsetup(vm_page_t m) vm_page_cowsetup(vm_page_t m)
{ {
mtx_assert(&vm_page_queue_mtx, MA_OWNED); mtx_assert(&vm_page_queue_mtx, MA_OWNED);
if (m->cow == USHRT_MAX - 1)
return (EBUSY);
m->cow++; m->cow++;
pmap_remove_write(m); pmap_remove_write(m);
return (0);
} }
#include "opt_ddb.h" #include "opt_ddb.h"
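Review bot: The saturation guard `if (m->cow == USHRT_MAX - 1)` in vm_page_cowsetup fires at exactly one value, so if cow ever reaches USHRT_MAX by any other path the test lets it through and `m->cow++` wraps to 0; `if (m->cow >= USHRT_MAX - 1) return (EBUSY);` costs nothing and holds regardless of how the counter got there. The bound also silently depends on cow being u_short, the type it is swapped to in vm_page.h in this same commit, so a comment such as `/* cow is u_short; refuse to saturate it so it can never wrap. */` would tie the constant to the field for the next maintainer. Only sys/limits.h is added for USHRT_MAX, so EBUSY presumably arrives through an already-included header; worth confirming rather than assuming. Callers elsewhere that still treat vm_page_cowsetup as void, if any exist, will ignore the new return and simply lose COW protection at saturation, which is the intended fail-safe but is not visible from this diff.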


@ -111,12 +111,12 @@ struct vm_page {
vm_paddr_t phys_addr; /* physical address of page */ vm_paddr_t phys_addr; /* physical address of page */
struct md_page md; /* machine dependant stuff */ struct md_page md; /* machine dependant stuff */
uint8_t queue; /* page queue index */ uint8_t queue; /* page queue index */
int8_t segind; int8_t segind;
u_short flags; /* see below */ u_short flags; /* see below */
uint8_t order; /* index of the buddy queue */ uint8_t order; /* index of the buddy queue */
uint8_t pool; uint8_t pool;
u_short wire_count; /* wired down maps refs (P) */ u_short cow; /* page cow mapping count */
u_int cow; /* page cow mapping count */ u_int wire_count; /* wired down maps refs (P) */
short hold_count; /* page hold count */ short hold_count; /* page hold count */
u_short oflags; /* page flags (O) */ u_short oflags; /* page flags (O) */
u_char act_count; /* page usage count */ u_char act_count; /* page usage count */
@ -336,7 +336,7 @@ void vm_page_zero_invalid(vm_page_t m, boolean_t setvalid);
void vm_page_free_toq(vm_page_t m); void vm_page_free_toq(vm_page_t m);
void vm_page_zero_idle_wakeup(void); void vm_page_zero_idle_wakeup(void);
void vm_page_cowfault (vm_page_t); void vm_page_cowfault (vm_page_t);
void vm_page_cowsetup (vm_page_t); int vm_page_cowsetup(vm_page_t);
void vm_page_cowclear (vm_page_t); void vm_page_cowclear (vm_page_t);
/* /*