Date: Wed, 23 Feb 2011 22:11:56 +0000
From: Bruce Cran <bruce@cran.org.uk>
To: Bruce Evans <brde@optusnet.com.au>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Bruce Cran <brucec@freebsd.org>
Subject: Re: svn commit: r218966 - head/sys/vm
Message-ID: <1298499116.9366.3.camel@core.nessbank>
In-Reply-To: <20110224063233.Y1100@besplex.bde.org>
References: <201102231028.p1NASbET045275@svn.freebsd.org> <20110224063233.Y1100@besplex.bde.org>
On Thu, 2011-02-24 at 08:23 +1100, Bruce Evans wrote:
> The bug seems to have been overflow in this calculation.  `start' and
> `end' have type vm_offset_t and large style bugs (missing prefixes in
> their names) so they are hard to grep for.  When n is a 32-bit int and
> PAGE_SIZE is 2**12, the assignment to n overflows at a difference of 8TB,
> but this probably can't happen (see above).  swap_bcnt still has type
> int; SWAP_META_PAGES is 1, 2, 4, 8 or 16; thus swp_bcount * SWAP_META_PAGES
> may overflow at 2**31/16 = 128 M.  If this doesn't overflow, but has its
> maximal value of about 128 M, then multiplying it by "int n" may overflow
> when n is just 32.  Then, if nothing has overflowed, division by
> object->size reduces to a relatively small count in pages.  object->size
> seems to have type vm_pindex_t which is 64 bits even on i386 (since it
> is associated with vm_ooffset_t and not vm_offset_t, and vm_ooffset_t
> must be 64 bits to support files of sizes >= 2GB, although vm_pindex_t only
> needs to be more than 32 bits to support files of sizes >= 8 TB (with
> PAGE_SIZE = 2**12)).  object->size has even larger bugs than `start' and
> `end', since it is more global.

I've attached a patch which changes 'n' to be of type vm_ooffset_t.  I
think this should fix the overflow bug?

-- 
Bruce Cran

Content-Disposition: attachment; filename="vm.diff"

Index: swap_pager.c
===================================================================
--- swap_pager.c	(revision 218966)
+++ swap_pager.c	(working copy)
@@ -2426,7 +2426,8 @@
 	vm_map_t map;
 	vm_map_entry_t cur;
 	vm_object_t object;
-	vm_offset_t count, n;
+	vm_ooffset_t n;
+	vm_offset_t count;
 
 	map = &vmspace->vm_map;
 	count = 0;
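Review bot: widening only n does not remove the first overflow in Evans' analysis above: swp_bcount and SWAP_META_PAGES are both int, so swp_bcount * SWAP_META_PAGES is still evaluated in int and can wrap at 2**31/16 = 128 M before n, whatever its type, enters the expression; the wider type has to reach the first operand (cast swp_bcount to the wider type, or multiply by n first) for the change in this hunk to help. Separately, vm_ooffset_t is the type the quoted text associates with file sizes, i.e. byte offsets, while n is a count of pages; vm_pindex_t, which Evans gives as the type of object->size and which is 64 bits even on i386, is the type that matches both the quantity n holds and the divisor it is used with, and a one-line comment next to the declaration saying why n is wider than count would spare the next reader the same puzzle.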
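The promotion question raised in this exchange, worked through as an added example (this is not FreeBSD code and not part of the thread): the page-count estimate is evaluated with n typed as in the original declaration, as in the attached patch, and with the first operand widened, and every multiplication is checked in the type C assigns it, using the GCC/Clang __builtin_mul_overflow builtins so that a wrap is reported rather than triggered (signed overflow is undefined behaviour). The type widths (32-bit int and vm_offset_t as on i386, 64-bit vm_ooffset_t and vm_pindex_t), SWAP_META_PAGES = 16 (the largest value Evans lists) and the sample inputs are all assumptions chosen for the illustration.

```c
/*
 * Added example, not code from FreeBSD or from the patch above: a model of
 * the integer promotions in the estimate discussed in the thread,
 *
 *     count += swp_bcount * SWAP_META_PAGES * n / object->size + 1;
 *
 * with n typed three ways.  Assumed widths: 32-bit int and vm_offset_t
 * (i386), 64-bit vm_ooffset_t and vm_pindex_t.  SWAP_META_PAGES = 16 is
 * the largest value the thread mentions; the inputs below are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SWAP_META_PAGES 16

struct eval {
	bool	overflow;	/* some multiplication did not fit its type */
	int64_t	value;		/* what the expression yields regardless */
};

/* Original "vm_offset_t count, n;" on i386: every operand is 32-bit. */
static struct eval
count_orig_i386(int32_t swp_bcount, uint32_t n, uint64_t objsize)
{
	struct eval e = { false, 0 };
	int32_t p1;	/* int * int -> int */
	uint32_t p2;	/* int * vm_offset_t -> 32-bit unsigned */

	e.overflow |= __builtin_mul_overflow(swp_bcount, SWAP_META_PAGES, &p1);
	e.overflow |= __builtin_mul_overflow(p1, n, &p2);
	e.value = (int64_t)((uint64_t)p2 / objsize + 1);
	return (e);
}

/* The patch: n is 64-bit, but swp_bcount * SWAP_META_PAGES is still int. */
static struct eval
count_patched(int32_t swp_bcount, int64_t n, uint64_t objsize)
{
	struct eval e = { false, 0 };
	int32_t p1;	/* int * int -> int, unchanged by the patch */
	int64_t p2;	/* int * vm_ooffset_t -> 64-bit */

	e.overflow |= __builtin_mul_overflow(swp_bcount, SWAP_META_PAGES, &p1);
	e.overflow |= __builtin_mul_overflow(p1, n, &p2);
	e.value = (int64_t)((uint64_t)p2 / objsize + 1);
	return (e);
}

/* Widening the first operand: the whole product is computed in 64 bits. */
static struct eval
count_widened(int32_t swp_bcount, int64_t n, uint64_t objsize)
{
	struct eval e = { false, 0 };
	int64_t p1, p2;

	e.overflow |= __builtin_mul_overflow((int64_t)swp_bcount, SWAP_META_PAGES, &p1);
	e.overflow |= __builtin_mul_overflow(p1, n, &p2);
	e.value = (int64_t)((uint64_t)p2 / objsize + 1);
	return (e);
}

static void
report(const char *name, struct eval e)
{
	printf("%-10s %s  value=%lld\n", name,
	    e.overflow ? "WRAPPED" : "ok     ", (long long)e.value);
}

int
main(void)
{
	/* Constructed: a 2**20-page (4 GB) object and a 32-page map entry. */
	uint64_t objsize = 1u << 20;

	/* 150 M swap blocks: swp_bcount * 16 exceeds 2**31, so only the widened form is right. */
	report("orig/i386", count_orig_i386(150000000, 32, objsize));
	report("patched", count_patched(150000000, 32, objsize));
	report("widened", count_widened(150000000, 32, objsize));

	/* 100 M swap blocks: the int product fits, but times n does not fit in 32 bits. */
	report("orig/i386", count_orig_i386(100000000, 32, objsize));
	report("patched", count_patched(100000000, 32, objsize));
	report("widened", count_widened(100000000, 32, objsize));
	return (0);
}
```

Build with cc -std=c11 -Wall (GCC 5 or later, or Clang, for the builtins). The first group of rows is the point: the patched typing still reports a wrap there, because C evaluates swp_bcount * SWAP_META_PAGES as an int product before the 64-bit n is involved, exactly the step in Evans' analysis that a wider n cannot reach.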
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1298499116.9366.3.camel>