Date: Wed, 23 Nov 2011 03:48:43 +1100 (EST) From: Bruce Evans <brde@optusnet.com.au> To: Adam McDougall <mcdouga9@egr.msu.edu> Cc: freebsd-bugs@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org Subject: Re: kern/162741: [PATCH] vm_kmem_size miscalculated due to int type overflow sometimes Message-ID: <20111123011609.S9556@besplex.bde.org> In-Reply-To: <201111212229.pALMTfXv050060@red.freebsd.org> References: <201111212229.pALMTfXv050060@red.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 21 Nov 2011, Adam McDougall wrote: >> Description: > [Misformatted lines deleted] >> Fix: > > Patch attached with submission follows: > > --- sys/kern/kern_malloc.c.orig 2011-11-21 12:19:25.712591472 -0500 > +++ sys/kern/kern_malloc.c 2011-11-21 17:25:11.831042640 -0500 > @@ -704,10 +704,10 @@ > * Limit kmem virtual size to twice the physical memory. > * This allows for kmem map sparseness, but limits the size > * to something sane. Be careful to not overflow the 32bit > - * ints while doing the check. > + * ints while doing the check or the adjustment. > */ > if (((vm_kmem_size / 2) / PAGE_SIZE) > cnt.v_page_count) > - vm_kmem_size = 2 * cnt.v_page_count * PAGE_SIZE; > + vm_kmem_size = 2 * mem_size * PAGE_SIZE; > > #ifdef DEBUG_MEMGUARD > tmp = memguard_fudge(vm_kmem_size, vm_kmem_size_max); cnt.v_page_count should probably be spelled as mem_size in the check too. The limit is still garbage for 32-bit systems. 32-bit systems can easily have 2-4GB of physical memory. i386 with PAE can have much more. Overflow can't occur in (2 * cnt.v_page_count * PAGE_SIZE) since the original vm_kmem_size is limited to 4G-1 by u_long bogusly being 32 bits on all supported 32-bit systems. But the user can misconfigure things so that the original vm_kmem_size is only slightly less than 4G. Then there cannot be that much kva. But when there is >= 2G physical, clamping kva to <= 2*physical has no effect. VM_KMEM_SIZE_MAX or vm.kmem_size would have to be misconfigured for vm_kmem_size to be impossibly large. This means that the above code usually has no effect on 32-bit systems. Bruce
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111123011609.S9556>