From: Bruce Evans
Date: Wed, 23 Nov 2011 03:48:43 +1100 (EST)
To: Adam McDougall
Cc: freebsd-bugs@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/162741: [PATCH] vm_kmem_size miscalculated due to int type overflow sometimes
Message-ID: <20111123011609.S9556@besplex.bde.org>
In-Reply-To: <201111212229.pALMTfXv050060@red.freebsd.org>
References: <201111212229.pALMTfXv050060@red.freebsd.org>

On Mon, 21 Nov 2011, Adam McDougall wrote:

>> Description:
> [Misformatted lines deleted]
>> Fix:
>
> Patch attached with submission follows:
>
> --- sys/kern/kern_malloc.c.orig 2011-11-21 12:19:25.712591472 -0500
> +++ sys/kern/kern_malloc.c 2011-11-21 17:25:11.831042640 -0500
> @@ -704,10 +704,10 @@
>   * Limit kmem virtual size to twice the physical memory.
>   * This allows for kmem map sparseness, but limits the size
>   * to something sane. Be careful to not overflow the 32bit
> - * ints while doing the check.
> + * ints while doing the check or the adjustment.
>   */
>  if (((vm_kmem_size / 2) / PAGE_SIZE) > cnt.v_page_count)
> - vm_kmem_size = 2 * cnt.v_page_count * PAGE_SIZE;
> + vm_kmem_size = 2 * mem_size * PAGE_SIZE;
>
>  #ifdef DEBUG_MEMGUARD
>  tmp = memguard_fudge(vm_kmem_size, vm_kmem_size_max);

cnt.v_page_count should probably be spelled as mem_size in the check too.

The limit is still garbage for 32-bit systems. 32-bit systems can easily
have 2-4GB of physical memory. i386 with PAE can have much more. Overflow
can't occur in (2 * cnt.v_page_count * PAGE_SIZE) since the original
vm_kmem_size is limited to 4G-1 by u_long bogusly being 32 bits on all
supported 32-bit systems. But the user can misconfigure things so that
the original vm_kmem_size is only slightly less than 4G. Then there cannot
be that much kva. But when there is >= 2G physical, clamping kva to
<= 2*physical has no effect. VM_KMEM_SIZE_MAX or vm.kmem_size would have
to be misconfigured for vm_kmem_size to be impossibly large. This means
that the above code usually has no effect on 32-bit systems.

Bruce
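Review bot: the condition in this hunk still compares `(vm_kmem_size / 2) / PAGE_SIZE` against `cnt.v_page_count` while the assignment directly below it now uses `mem_size`, so the check and the adjustment read two different variables for the same quantity; use `mem_size` in the check as well, e.g. `if (((vm_kmem_size / 2) / PAGE_SIZE) > mem_size)`. The hunk also shows neither the declaration of `mem_size` nor its type, so a reader of the diff cannot confirm that the new product `2 * mem_size * PAGE_SIZE` is evaluated in a type wide enough to avoid the overflow the updated comment warns about; the PR description or a comment at the declaration should state that width.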
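As an added illustration of the arithmetic the PR and the reply above are about (this program is not part of the PR, the patch, or Bruce's reply), the following C code computes the "twice physical memory" clamp two ways. It assumes 4 KiB pages, a 64-bit `vm_kmem_size` as on a 64-bit kernel, and a page count held in a 32-bit unsigned type standing in for `cnt.v_page_count`; unsigned arithmetic is used for the narrow version so that the wraparound is well defined and observable, whereas overflow of a signed `int` in the kernel would be undefined behaviour. The names `clamp_kmem_narrow`, `clamp_kmem_wide` and `product_overflows_u32` are hypothetical helpers written for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 4 KiB pages, as on i386 and amd64, held in an unsigned int
 * just as the kernel's PAGE_SIZE macro expands to an integer constant. */
#define PAGE_SIZE 4096u

/*
 * Clamp written the way the original line was: the product
 * 2 * page_count * PAGE_SIZE is evaluated in 32-bit unsigned arithmetic
 * (page_count models cnt.v_page_count, assumed here to be a 32-bit
 * unsigned count) and only afterwards widened into the 64-bit
 * vm_kmem_size, so any result at or above 2^32 has already wrapped.
 */
uint64_t clamp_kmem_narrow(uint64_t vm_kmem_size, uint32_t page_count)
{
    if (((vm_kmem_size / 2) / PAGE_SIZE) > page_count) {
        uint32_t product = 2u * page_count * PAGE_SIZE; /* wraps mod 2^32 */
        return product;                                  /* widened too late */
    }
    return vm_kmem_size;
}

/*
 * Same clamp with the page count promoted to 64 bits before the
 * multiplication, so the product is computed in the width of the
 * variable that receives it and cannot wrap for any realistic count.
 */
uint64_t clamp_kmem_wide(uint64_t vm_kmem_size, uint32_t page_count)
{
    if (((vm_kmem_size / 2) / PAGE_SIZE) > page_count)
        return 2 * (uint64_t)page_count * PAGE_SIZE;
    return vm_kmem_size;
}

/* Pre-check a reviewer can apply to a candidate page count: does
 * 2 * page_count * PAGE_SIZE fit in 32 bits?  Returns 1 when the narrow
 * computation would wrap, 0 otherwise. */
int product_overflows_u32(uint32_t page_count)
{
    uint64_t wide = 2ull * page_count * PAGE_SIZE;
    return wide > UINT32_MAX;
}

int main(void)
{
    /* Constructed sample: 16 GiB of kmem virtual size requested on a
     * machine with 4 GiB of physical memory (2^20 pages of 4 KiB). */
    uint64_t requested = 1ull << 34;
    uint32_t pages = 1u << 20;

    printf("overflows in 32 bits: %d\n", product_overflows_u32(pages));
    printf("narrow clamp: %llu bytes\n",
           (unsigned long long)clamp_kmem_narrow(requested, pages));
    printf("wide clamp:   %llu bytes\n",
           (unsigned long long)clamp_kmem_wide(requested, pages));
    return 0;
}
```

With the sample values the check fires (16 GiB exceeds twice 4 GiB), the narrow computation yields 0 bytes because 2^33 wraps to 0 modulo 2^32, and the wide computation yields the intended 8 GiB. The same pattern is what the reply's remark about 32-bit `u_long` describes from the other side: when `vm_kmem_size` itself is only 32 bits wide, the check can only fire for page counts below 2^19, so the product never reaches 2^32 and the clamp is simply ineffective above 2 GiB of physical memory rather than wrong.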